AWS Backup cross account with Organizations

0

Hey guys! I want to back up some services that are on multiple accounts to another account that will only keep the backups, and I intend to use AWS Backup for that. I know it has cross-account functionality, but I have some questions:

1 - I saw some tutorials on how to do this process, but it was not clear whether I should create a backup plan/policy in the root/management account (Organizations) or in the account where the services that will be backed up are located. If I do it in the account where the services are, I'll have to make a backup plan for each account, and I wanted to create a backup plan that applies to all accounts. How can I create a backup plan that applies to all accounts?

2 - In the root/management account, when I create a backup policy, it asks me for the name of the backup vault within the "add backup rule" section. Would this be the name of the backup vault in the other account that will receive the backup? Shouldn't it require its identifier (ARN)?

natte
Asked 9 months ago, 612 views

2 answers
1

Here are some tips for setting up cross-account AWS Backup:

The backup plans and policies should be created in the source accounts where the resources to back up are located. This allows you to scope the plans to the specific resources in each account. The management account can't directly create plans targeting resources in other accounts. But you can centralize the plan creation using AWS Organizations: create a service control policy that enforces specific backup plans/policies in each account.

When creating the backup plan, the destination vault ARN should point to the backup vault in the central backup account. So in the "Add backup rule" section, paste in the full ARN of the destination backup vault where you want backups sent. The vault name alone won't work across accounts.

Some key pointers:

  • Enable backup in each source account
  • Create IAM roles allowing cross-account access
  • Create a vault in the central backup account
  • Create backup plans in each source account, using the vault ARN as the destination

This lets you back up to a central vault while keeping the backup plans decentralized and scoped to each account.

AWS
Answered 9 months ago
0

*Note: As of today, 8/28/23, cross-account backup is not available in the Israel (Tel Aviv), China (Beijing), and China (Ningxia) regions. Check this link for the latest, as AWS is always adding regions, features, and capabilities: https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-region*

To use cross-account management, you must follow these steps:

  • In your management account in AWS Organizations, add all the desired accounts under the management account.
  • Enable the cross-account management feature in AWS Backup.
  • Create a backup policy to apply to all AWS accounts under your management account.
  • Manage backup, restore, and copy jobs in all your AWS accounts.

There are a few security considerations to note:

  • The destination vault cannot be the default vault. This is because the default vault is encrypted with a key that cannot be shared with other accounts.
  • Cross-account backups might still run for up to 15 minutes after you disable cross-account backup. This is due to eventual consistency, and might result in some cross-account jobs starting or completing even after you disable cross-account backup.
  • If the destination account leaves the organization at a later date, that account will retain the backups. To avoid potential data leakage, place a deny permission on the organizations:LeaveOrganization permission in a service control policy (SCP) attached to the destination account. For detailed information about SCPs, see Removing a member account from your organization in the Organizations User Guide.
  • If you delete a copy job role during a cross-account copy, AWS Backup can't unshare snapshots from the source account when the copy job completes. In this case, the backup job finishes, but the copy job status shows as Failed to unshare snapshot.

AWS has docs on setting this all up here: https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html

Answered 9 months ago
AWS Expert
Reviewed 8 months ago
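Both answers describe the setup as console steps. The script below is an added example, not code from either answer or from the AWS documentation they link, that puts the second answer's steps (enable cross-account management, create one Organizations backup policy for all member accounts) and the first answer's point (the central vault is referenced by its full ARN) into AWS CLI calls and the JSON documents they take. It also shows the answer to question 2: in an Organizations backup policy, `target_backup_vault_name` is a vault that exists locally in each source account, while the backup-only account's vault goes under `copy_actions` as a full ARN. The account ID, vault names, region, organization ID, root ID, schedule and tag-based selection are all constructed placeholders.

```shell
#!/bin/sh
# Added example: cross-account AWS Backup via an Organizations backup policy.
# All IDs, names and the region below are constructed placeholders.

CENTRAL_ACCOUNT="111122223333"                    # placeholder: backup-only account
CENTRAL_VAULT_ARN="arn:aws:backup:us-east-1:${CENTRAL_ACCOUNT}:backup-vault:central-vault"
ORG_ID="o-exampleorgid"                           # placeholder organization ID
ORG_ROOT_ID="r-examplerootid"                     # placeholder Organizations root ID

# Step 1 (run with management-account credentials): let AWS Backup act on the
# organization, allow BACKUP_POLICY policies, and turn on cross-account management.
enable_cross_account_management() {
  aws organizations enable-aws-service-access --service-principal backup.amazonaws.com
  aws organizations enable-policy-type --root-id "$ORG_ROOT_ID" --policy-type BACKUP_POLICY
  aws backup update-global-settings --global-settings isCrossAccountBackupEnabled=true
}

# Step 2: one backup policy that every member account inherits. The primary
# copy lands in a vault named "local-vault" that must exist in each source
# account; the cross-account copy targets the central vault by full ARN.
# "$account" (escaped below) is the Organizations variable for the member
# account ID, so the role ARN resolves per account.
write_backup_policy() {
  dest_vault_arn="$1"
  out="$2"
  cat > "$out" <<EOF
{
  "plans": {
    "org-daily-backup": {
      "regions": { "@@assign": ["us-east-1"] },
      "rules": {
        "daily": {
          "schedule_expression": { "@@assign": "cron(0 5 ? * * *)" },
          "start_backup_window_minutes": { "@@assign": "480" },
          "target_backup_vault_name": { "@@assign": "local-vault" },
          "lifecycle": { "delete_after_days": { "@@assign": "35" } },
          "copy_actions": {
            "${dest_vault_arn}": {
              "target_backup_vault_arn": { "@@assign": "${dest_vault_arn}" },
              "lifecycle": { "delete_after_days": { "@@assign": "365" } }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "tagged-resources": {
            "iam_role_arn": { "@@assign": "arn:aws:iam::\$account:role/service-role/AWSBackupDefaultServiceRole" },
            "tag_key": { "@@assign": "backup" },
            "tag_value": { "@@assign": ["true"] }
          }
        }
      }
    }
  }
}
EOF
}

# Step 3 (run with central-account credentials): the destination vault must be
# one you created with a customer managed key (the Default vault cannot be a
# cross-account destination) and must allow copies in. Restricting the
# principal with aws:PrincipalOrgID keeps accounts outside the org out.
write_vault_access_policy() {
  org_id="$1"
  out="$2"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCopyIntoVaultFromOrgAccounts",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "backup:CopyIntoBackupVault",
    "Resource": "*",
    "Condition": { "StringEquals": { "aws:PrincipalOrgID": "${org_id}" } }
  }]
}
EOF
}

# Ties the steps together. Not invoked automatically; call apply from a shell
# that has the right credentials for each step.
apply() {
  tmpdir=$(mktemp -d)
  write_backup_policy "$CENTRAL_VAULT_ARN" "$tmpdir/backup-policy.json"
  write_vault_access_policy "$ORG_ID" "$tmpdir/vault-policy.json"
  enable_cross_account_management
  policy_id=$(aws organizations create-policy --name org-daily-backup \
    --description "Daily backups, copied to the central vault" \
    --type BACKUP_POLICY --content "file://$tmpdir/backup-policy.json" \
    --query Policy.PolicySummary.Id --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$ORG_ROOT_ID"
  # Central account: vault created earlier with --encryption-key-arn <your CMK ARN>
  aws backup put-backup-vault-access-policy --backup-vault-name central-vault \
    --policy "file://$tmpdir/vault-policy.json"
}
```

The policy is attached at the root here so every member account inherits it; attaching it to an OU instead scopes it to that subtree. Pair the vault access policy with the SCP the second answer recommends (denying `organizations:LeaveOrganization` on the destination account), since the `aws:PrincipalOrgID` condition only controls who may copy in, not what happens to copies already stored if the account leaves.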
