Creating a centralized cross-account backup strategy for your organization is possible, but there are some important considerations and steps to follow:
- Backup Policy Creation: You're correct that backup policies should be created in the organization's management account, not in ACCOUNT_B. Even though ACCOUNT_B is a delegated administrator for AWS Backup, it doesn't have the permissions to create organization-level backup policies. This is by design to maintain centralized control over organizational policies.
- Specifying Vault in Another Account: When creating a backup policy, you can't directly specify a vault in another account using just the vault name. Instead, you'll need to set up cross-account backup copying. In your backup policy, you'll define the initial backup to a vault in ACCOUNT_A, then set up a copy action to move the backup to a vault in ACCOUNT_B.
- Delegated Administrator Permissions: While you've delegated AWS Backup administration to ACCOUNT_B, this doesn't grant permissions to create organization-level policies. To manage backups across accounts, ACCOUNT_B can use the delegated administrator capabilities to monitor backups, manage restore jobs, and perform other operational tasks, but policy creation remains with the management account.
- Vault Location: Unfortunately, it's not possible to have backup vaults only in ACCOUNT_B without any presence in ACCOUNT_A when using AWS Backup's built-in cross-account functionality. The standard process involves creating an initial backup in the source account (ACCOUNT_A) and then copying it to the destination account (ACCOUNT_B).
To achieve your desired setup:
- Create a backup policy in the organization's management account that targets resources with the specified tag (e.g., 'backup: true') in ACCOUNT_A.
- In this policy, define the initial backup to a vault in ACCOUNT_A.
- Add a copy action in the policy to copy the backup to a vault in ACCOUNT_B.
- Ensure the necessary permissions are set up to allow cross-account copying.
While this approach doesn't completely eliminate the presence of backup artifacts in ACCOUNT_A, it does centralize the long-term storage and management of backups in ACCOUNT_B. You may need to periodically clean up the initial backups in ACCOUNT_A if you want to minimize their presence there.
For more granular control or a fully centralized approach without any backup presence in ACCOUNT_A, you might need to consider custom solutions or third-party tools that can directly back up resources across accounts without using AWS Backup's built-in cross-account functionality.
Sources
Managing AWS Backup resources across multiple AWS accounts - AWS Backup
AWS Backup and AWS Organizations bring cross-account backup feature
Creating backup copies across AWS accounts - AWS Backup
To create a centralized cross-account backup strategy in AWS, follow these steps:
- Backup Policy: Backup policies must be created in the organization's management account. Even though ACCOUNT_B is a delegated admin for AWS Backup, it cannot create organization-level policies.
- Cross-Account Backup: In ACCOUNT_A (where resources are tagged for backup), create backups and set up copy actions to move these backups to a vault in ACCOUNT_B.
- Permissions: Ensure cross-account permissions are configured properly, allowing backups to be copied from ACCOUNT_A to ACCOUNT_B.
- Vault Location: A vault must first exist in ACCOUNT_A, and then the backups can be copied to ACCOUNT_B. There's no way to avoid having the initial backup in ACCOUNT_A, but you can centralize long-term storage in ACCOUNT_B.
This setup centralizes backup management while still requiring backups to start in the source account.
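Both answers above describe the same two artifacts without showing them: the organization backup policy (created in the management account) whose rule writes tagged resources into a vault in ACCOUNT_A and copies each recovery point into a vault in ACCOUNT_B, and the access policy on ACCOUNT_B's vault that lets ACCOUNT_A copy into it. The following script is an added example, not code from either answer or from AWS; it builds both documents in the documented `@@assign` policy syntax and runs the checks a reviewer would apply before submitting them with `aws organizations create-policy --type BACKUP_POLICY` and `aws backup put-backup-vault-access-policy`. The account IDs, vault names, region, role name and tag values are constructed placeholders.

```python
"""Generate and sanity-check the policy pair for a cross-account AWS Backup copy.

Placeholders below are constructed for the example; replace them with your own.
"""
import json

ACCOUNT_A = "111111111111"          # source account that owns the tagged resources
ACCOUNT_B = "222222222222"          # delegated-admin account holding the long-term vault
REGION = "us-east-1"
SOURCE_VAULT = "org-primary-vault"  # must already exist in ACCOUNT_A
CENTRAL_VAULT = "org-central-vault" # must already exist in ACCOUNT_B
BACKUP_ROLE = "AWSBackupDefaultServiceRole"  # assumed role name for the selection


def vault_arn(account_id: str, vault_name: str, region: str = REGION) -> str:
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{vault_name}"


def build_backup_policy() -> dict:
    """Organization backup policy for the management account.

    `$account` is expanded by AWS Backup to the ID of each account the policy is
    applied to, so the rule's vault and IAM role resolve inside ACCOUNT_A. The
    other account is only reachable through copy_actions, keyed by the explicit
    destination vault ARN.
    """
    target = vault_arn(ACCOUNT_B, CENTRAL_VAULT)
    return {"plans": {"tagged_resources_plan": {
        "regions": {"@@assign": [REGION]},
        "rules": {"daily": {
            "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
            "start_backup_window_minutes": {"@@assign": "60"},
            "complete_backup_window_minutes": {"@@assign": "720"},
            "target_backup_vault_name": {"@@assign": SOURCE_VAULT},
            # Short retention in ACCOUNT_A: the copy in ACCOUNT_B is the record of
            # value, so the initial recovery point expires instead of being
            # cleaned up by hand.
            "lifecycle": {"delete_after_days": {"@@assign": "7"}},
            "copy_actions": {target: {
                "target_backup_vault_arn": {"@@assign": target},
                # Retention must exceed the cold-storage transition by 90+ days.
                "lifecycle": {
                    "move_to_cold_storage_after_days": {"@@assign": "30"},
                    "delete_after_days": {"@@assign": "365"},
                },
            }},
        }},
        "selections": {"tags": {"backup_tag": {
            "iam_role_arn": {"@@assign": f"arn:aws:iam::$account:role/{BACKUP_ROLE}"},
            "tag_key": {"@@assign": "backup"},
            "tag_value": {"@@assign": ["true"]},
        }}},
    }}}


def build_vault_access_policy() -> dict:
    """Resource policy for CENTRAL_VAULT in ACCOUNT_B.

    Without this grant the copy job fails: the destination vault must allow the
    source account to call backup:CopyIntoBackupVault. Scoping the principal to
    ACCOUNT_A keeps other organization members from writing into the vault.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCopyFromAccountA",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
    }]}


def check_policies(backup_policy: dict, access_policy: dict) -> list:
    """Static checks for the mistakes the answers warn about; [] means clean."""
    problems = []
    rule = backup_policy["plans"]["tagged_resources_plan"]["rules"]["daily"]
    # The rule's own vault is a bare name resolved in the applied account, so it
    # can never point at ACCOUNT_B directly.
    if ":" in rule["target_backup_vault_name"]["@@assign"]:
        problems.append("target_backup_vault_name must be a vault name, not an ARN")
    targets = [c["target_backup_vault_arn"]["@@assign"]
               for c in rule.get("copy_actions", {}).values()]
    if not any(t.split(":")[4] == ACCOUNT_B for t in targets):
        problems.append("no copy action targets a vault in ACCOUNT_B")
    grants = [s for s in access_policy["Statement"]
              if s["Effect"] == "Allow" and "backup:CopyIntoBackupVault" in s["Action"]
              and ACCOUNT_A in json.dumps(s["Principal"])]
    if not grants:
        problems.append("vault access policy does not let ACCOUNT_A CopyIntoBackupVault")
    return problems


if __name__ == "__main__":
    bp, ap = build_backup_policy(), build_vault_access_policy()
    print("problems:", check_policies(bp, ap) or "none")
    print(json.dumps(bp, indent=2))
    print(json.dumps(ap, indent=2))
```

Run it and save the two printed documents to files for the CLI calls named above. Both documents assume that cross-account backup has been turned on in the management account's AWS Backup settings and that any KMS keys involved are customer-managed keys shareable between the two accounts, since AWS-managed keys cannot be used for cross-account copies.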