Restoring a cross-account S3 backup

0

Hi, I have a cross-account AWS Backup for S3 and DynamoDB. The resources are backed up in one account (N. Virginia) and copied to a vault in another AWS account (N. California). When restoring, I restore to a new DynamoDB table (it doesn’t allow restoring to an existing DynamoDB table even if it’s empty) and to an existing S3 bucket. Both complete successfully, but while the DynamoDB table has the data, the S3 bucket stays empty.
I chose to encrypt the data on the target with both SSE-S3 and SSE-KMS; no difference in results. Any idea what could be the issue? If it was a permissions or KMS key issue, I assume that the backup or restore operations would have failed rather than succeeded with an empty target bucket?

Thanks, Oren

Oren
asked 9 months ago, 345 views
2 Answers
0

I believe that SSE-S3 cannot be used for encryption of S3 objects in the cross-account case.
SSE-S3 will probably not be able to restore because you cannot edit permissions on the key across accounts.
For SSE-KMS it is probably possible.
Perhaps, but I have a feeling that the problem is around the permissions of the KMS key.
S3 itself supports cross-account backup as described in the following document.
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-resource

EXPERT
answered 9 months ago
  • Thanks. The backup job runs in the same account as the S3 objects and copies to a vault in a separate account. Both backup and restore jobs complete successfully; isn’t it supposed to fail if there is a key or access issue? They succeed, but there are no objects after the restore.

    1. Is there a way for me to see the content of a restoration point (before the restore operation) to know whether the backup actually included the objects and the restore is what fails?
    2. Does it matter whether the target restore bucket has SSE-S3 or SSE-KMS? I can understand how the source may need SSE-KMS with a CMK, but does the target matter?
    3. Do we have any other tools for troubleshooting these cases? I’m getting no errors, so I don’t have a direction for investigation. Thanks!
  • I see that it is possible to restore on an object-by-object basis by specifying an object key, etc. If I restore in that way, will the object be created? https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-s3.html
    Also, check that bucket ACLs, versioning, etc. are enabled on the target S3 bucket.

0

Thanks. It is very hard to troubleshoot AWS Backup without detailed logs; in this case it was showing as successful, but the objects were not in the restored bucket. It started working. I am not sure what the original issue was, but in terms of encryption keys, it looks like it works when the source is SSE-S3. I assume, based on the documentation, that AWS managed keys in KMS are not supported, as you cannot edit their key policy. It should be possible with customer managed keys, by allowing the target account to access the key. As AWS Backup is doing the configuration and managing the backup, is it not able to decrypt data in the source account and then re-encrypt it in the target account with AWS managed keys (of the source and target accounts respectively)? This assumes the end user is happy with the encryption-in-transit solution as data is transferred between the accounts.

Oren
answered 9 months ago
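Both answers above end up at the same two questions: did the recovery point actually capture any objects, and does the KMS key policy let the other account use the key (which you can fix on a customer managed key and cannot on an AWS managed key such as aws/s3). The following Python is an added example, not code from the thread or from AWS; it runs the two checks offline against API responses you have already fetched, for instance with `aws backup describe-recovery-point` and `aws kms get-key-policy --policy-name default`. The account IDs, key ARN, sample recovery point and sample policies are constructed, and the set of KMS actions treated as required is an assumption to adjust for your own restore role.

```python
import json

# Assumption: a restore running in the other account needs at least these
# actions on the customer managed key. Adjust to the set your restore role needs.
REQUIRED_KMS_ACTIONS = frozenset({"kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"})


def recovery_point_findings(rp):
    """Findings for a DescribeRecoveryPoint response dict (empty list = looks healthy)."""
    findings = []
    if rp.get("Status") != "COMPLETED":
        findings.append(f"recovery point status is {rp.get('Status')!r}, not COMPLETED")
    if rp.get("BackupSizeInBytes", 0) == 0:
        findings.append("recovery point is 0 bytes: the backup captured no objects, "
                        "so a 'successful' restore has nothing to write")
    return findings


def _as_set(value):
    """Policy fields may be a string or a list; normalise to a set of strings."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _statement_covers_account(statement, account_id):
    """True if the AWS principal names the account (root ARN, bare account ID or any
    IAM principal ARN in that account) or is a wildcard."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_set(principal.get("AWS")) if isinstance(principal, dict) else set()
    return any(p == "*" or p == account_id or f":{account_id}:" in p for p in aws)


def _action_granted(granted, needed):
    """IAM-style wildcard match: '*', 'kms:*' and 'kms:Gen*' all cover kms:GenerateDataKey."""
    return any(g == "*" or g == needed or (g.endswith("*") and needed.startswith(g[:-1]))
               for g in granted)


def missing_kms_actions(key_policy, account_id, needed=REQUIRED_KMS_ACTIONS):
    """Return the subset of `needed` that no Allow statement grants to `account_id`.

    Only the key policy is examined (no IAM policies, grants, Deny or Condition
    evaluation): that is the part you edit on a customer managed key to let the
    backup target account in, and the part you cannot edit on an AWS managed key.
    """
    if isinstance(key_policy, str):
        key_policy = json.loads(key_policy)
    missing = set(needed)
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _statement_covers_account(st, account_id):
            continue
        granted = _as_set(st.get("Action"))
        missing = {a for a in missing if not _action_granted(granted, a)}
    return missing


# Constructed sample data (fake account IDs and key ID).
SOURCE_ACCOUNT, TARGET_ACCOUNT = "111111111111", "222222222222"

SAMPLE_RECOVERY_POINT = {
    "Status": "COMPLETED",
    "ResourceType": "S3",
    "BackupSizeInBytes": 5242880,
    "IsEncrypted": True,
    "EncryptionKeyArn": f"arn:aws:kms:us-west-1:{TARGET_ACCOUNT}:key/0000-fake",
}

# The default policy a new key gets: only the owning account's root principal.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# The same key policy with a statement letting the backup target account use the key.
SHARED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": DEFAULT_KEY_POLICY["Statement"] + [{
        "Sid": "Allow the backup target account to use the key",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"},
        "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_KEY_POLICY), ("shared", SHARED_KEY_POLICY)):
        print(name, "policy, missing for target:", sorted(missing_kms_actions(policy, TARGET_ACCOUNT)))
    print("recovery point findings:", recovery_point_findings(SAMPLE_RECOVERY_POINT))
```

A zero-byte recovery point points at the backup side (nothing to restore), while a non-empty set from `missing_kms_actions` for the target account points at the key policy; when the key is an AWS managed key (alias `aws/...`), the missing actions cannot be granted at all, which is the case the second answer describes.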
