AWS Backup RDS/S3 Cross account configuration (Terraform)

I'm trying to configure an AWS Backup cross-account copy job for an RDS/S3 setup on 2 accounts within the same AWS organization, and I'm encountering some issues.

What I have already done and details regarding the setup:

  • Regular backup jobs and restore jobs are currently correctly configured (working)
  • Enabled AWS Backup for cross-account in settings on both the source/destination accounts
  • Source account is the maintainer/manager account and destination account is the default account within the same organization
  • Added vault policies for all 4 options (AWS principal: source/destination accounts + Actions: CopyIntoBackupVault/CopyFromBackupVault on "*" resource) [Snippet below]
  • Shared KMS keys to both accounts by using them in the AWS principal and adding the "kms:*" action to both [Snippet below]
  • S3 versioning is enabled for the bucket I'm trying to back up (so cross-account backup can work correctly)

Below are some code snippets for the different accounts that I'm running:

  • KMS key permissions for both keys on both accounts/vaults (don't mind the formatting; I created a module for the IAM management, and the policy is valid when I look in the IAM dashboard):
# Statement passed to the IAM module; it is rendered into the KMS key policy on both accounts
{
  sid        = "Enable IAM Administrator Users Permissions",
  effect     = "Allow",
  principals = [
    {
      type        = "AWS"
      identifiers = [
        "arn:aws:iam::${local.account_id}:root",
        "arn:aws:iam::${var.source_account_id}:root"
      ]
    }
  ],
  actions = [
    "kms:*",
  ],
  resources = [
    "*"
  ]
}
  • Vault policy on all vaults that I want cross-account backups:
policy = jsonencode({
  Version   = "2012-10-17"
  Statement = [
    {
      Sid       = "AllowBackupCopyIntoSourceAccount"
      Effect    = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${var.source_account_id}:root"
      }
      Action   = [
        "backup:CopyIntoBackupVault"
      ]
      Resource = "*"
    },
    {
      Sid       = "AllowBackupCopyIntoDestinationAccount"
      Effect    = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${local.account_id}:root"
      }
      Action   = [
        "backup:CopyIntoBackupVault"
      ]
      Resource = "*"
    },
    {
      Sid       = "AllowBackupCopyFromSourceAccount"
      Effect    = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${var.source_account_id}:root"
      }
      Action   = [
        "backup:CopyFromBackupVault"
      ]
      Resource = "*"
    },
    {
      Sid       = "AllowBackupCopyFromDestinationAccount"
      Effect    = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${local.account_id}:root"
      }
      Action   = [
        "backup:CopyFromBackupVault"
      ]
      Resource = "*"
    }
  ]
})

I'm currently running out of ideas about what might cause this issue, as everything should be set up as required by the various tutorials on this topic. The error I'm getting on both copy jobs is:

"Access Denied trying to call AWS Backup service"

If anyone finds a fault/bug I missed, I would appreciate it greatly. Also, if there are any specific actions I must enable on the role attachment/policy for the source account backup plan, that would help. I'm trying to avoid the Service Linked Roles since they usually grant more permissions than required.

1 Answer
To configure AWS Backup for cross-account copy jobs for RDS and S3 within the same AWS organization, you've taken several important steps, but there are a few additional considerations and potential issues to address:

  1. Ensure that both accounts are part of the same AWS Organization and that AWS Backup's cross-account feature is enabled for the organization.

  2. For RDS backups, be aware that cross-account and cross-region copying cannot be done simultaneously. You can do one or the other, but not both in a single operation.

  3. The KMS key policy you've provided looks correct, allowing both accounts to use the key. However, make sure the key is actually shared with the destination account through the AWS KMS console or API.

  4. Your vault policy looks good, allowing both CopyIntoBackupVault and CopyFromBackupVault actions for both accounts.

  5. In addition to the vault and KMS policies, ensure that the IAM role used by AWS Backup in the source account has the necessary permissions to perform cross-account operations. This role should have permissions to access the source resources (RDS/S3) and to perform backup operations.

  6. For the destination account, make sure there's an IAM role that allows AWS Backup to copy backups into the destination vault.

  7. For RDS specifically, if you're using customer-managed KMS keys to encrypt the database, you need to share this key with the destination account as well.

  8. Check that the backup plan in the source account is correctly configured to copy backups to the destination account's vault.

  9. Verify that the resource-based policies on the S3 buckets (if applicable) allow access from the AWS Backup service.

  10. If you're still encountering "Access Denied" errors, you may need to temporarily enable more verbose logging or CloudTrail to identify exactly which service or action is being denied.

  11. Consider using AWS Backup's built-in cross-account copy feature instead of setting up separate copy jobs, as this can simplify the process and permissions management.

If you've verified all these points and are still encountering issues, you may need to reach out to AWS Support for further assistance, as there could be account-specific configurations or limitations at play.
Sources
Creating backup copies across AWS accounts - AWS Backup
AWS BackUp Cross Account | AWS re:Post
Using AWS Backup to backup cross-account to multiple regions | AWS re:Post

answered 9 months ago
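The source-account side that the question and the answer's points 5 and 8 describe (a dedicated backup role, the plan with its cross-account copy action, and the resource selection), written end to end in Terraform as an added example; this is not the asker's or the answer's code, and the variable names and resource names are assumptions.

```hcl
# Added example, not the asker's or the answer's code. Assumes variables
# source_vault_name, destination_vault_arn, source_db_arn and source_bucket_arn.
data "aws_iam_policy_document" "backup_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }
}

# A dedicated role instead of the service-linked role; the AWS-managed
# policies below are scoped to what AWS Backup needs for RDS and S3 backups.
resource "aws_iam_role" "backup" {
  name               = "aws-backup-cross-account" # hypothetical name
  assume_role_policy = data.aws_iam_policy_document.backup_trust.json
}

resource "aws_iam_role_policy_attachment" "backup" {
  for_each = toset([
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
  ])
  role       = aws_iam_role.backup.name
  policy_arn = each.value
}

# copy_action is what makes the rule cross-account: the recovery point lands
# in the source vault first, then AWS Backup copies it into the destination vault.
resource "aws_backup_plan" "cross_account" {
  name = "rds-s3-cross-account" # hypothetical name
  rule {
    rule_name         = "daily"
    target_vault_name = var.source_vault_name
    schedule          = "cron(0 3 * * ? *)"
    lifecycle { delete_after = 35 }
    copy_action {
      destination_vault_arn = var.destination_vault_arn
      lifecycle { delete_after = 35 }
    }
  }
}

resource "aws_backup_selection" "rds_s3" {
  name         = "rds-and-versioned-bucket"
  plan_id      = aws_backup_plan.cross_account.id
  iam_role_arn = aws_iam_role.backup.arn
  resources    = [var.source_db_arn, var.source_bucket_arn]
}
```

On the destination side, the vault policy only needs to grant backup:CopyIntoBackupVault to the source account principal; backup:CopyFromBackupVault is only required on a vault that recovery points are copied out of, so the destination vault can be kept narrower than the four-statement policy above.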
