Create a centralized cross account backup strategy

0

I have an organization with many accounts. Some of these accounts (e.g ACCOUNT_A) contains resources that I would like to backup, those resources should be identified for the backup trough specific tags (eg: backup: true). The backup, vaults should be centralized in a ACCOUNT_B (that means I wouldn't see any vault or backup rule in the ACCOUNT_A) that is not the Management account of the organization.

As far as I know, the outcome that I would like to reach is doable using Backup policies. In the Organization Mgmt account, I opted in the "Backup policies" and in AWS Backup I enabled "Backup policies", "Cross account monitoring" and "Cross Account Backup", as last thing I made ACCOUNT_B as a delegated administrator for AWS Backup.

With all this stuff configured, this should be enough (or at least, I thought it was) to enter into the ACCOUNT_B and create a Backup policy there. Unluckily, I receive a permission denied message when I tried this. Differently, I am able to create a backup policy directly into the org management account. Anyway I don't like this option, because as I said, I would encapsulate all the stuff about backup into the ACCOUNT_B. Apart from this there are any other issues that I don't understand:

  • If I can specify in the policy (on the account A) only the vault name (and not the ARN) how could I specify a vault that is in another account?
  • Why I can't create a backup policy in the AWS backup of ACCOUNT_B if I delegated AWS Backup administration to this account? Should I delegate also specific actions of the organizations to the backup account? What actions?
  • IT is possible to have backup vaults only into the ACCOUNT_B or I need to have a primary backup in the ACCOUNT_A and only a copy on the ACCOUNT_B. I read this guide from AWS doc, but this approach don't use the backup policy and explicitly talk about COPY of the backup in a central account.
asked a month ago75 views
2 Answers
1

Creating a centralized cross-account backup strategy for your organization is possible, but there are some important considerations and steps to follow:

  1. Backup Policy Creation: You're correct that backup policies should be created in the organization's management account, not in ACCOUNT_B. Even though ACCOUNT_B is a delegated administrator for AWS Backup, it doesn't have the permissions to create organization-level backup policies. This is by design to maintain centralized control over organizational policies.

  2. Specifying Vault in Another Account: When creating a backup policy, you can't directly specify a vault in another account using just the vault name. Instead, you'll need to set up cross-account backup copying. In your backup policy, you'll define the initial backup to a vault in ACCOUNT_A, then set up a copy action to move the backup to a vault in ACCOUNT_B.

  3. Delegated Administrator Permissions: While you've delegated AWS Backup administration to ACCOUNT_B, this doesn't grant permissions to create organization-level policies. To manage backups across accounts, ACCOUNT_B can use the delegated administrator capabilities to monitor backups, manage restore jobs, and perform other operational tasks, but policy creation remains with the management account.

  4. Vault Location: Unfortunately, it's not possible to have backup vaults only in ACCOUNT_B without any presence in ACCOUNT_A when using AWS Backup's built-in cross-account functionality. The standard process involves creating an initial backup in the source account (ACCOUNT_A) and then copying it to the destination account (ACCOUNT_B).

To achieve your desired setup:

  1. Create a backup policy in the organization's management account that targets resources with the specified tag (e.g., 'backup: true') in ACCOUNT_A.
  2. In this policy, define the initial backup to a vault in ACCOUNT_A.
  3. Add a copy action in the policy to copy the backup to a vault in ACCOUNT_B.
  4. Ensure the necessary permissions are set up to allow cross-account copying.

While this approach doesn't completely eliminate the presence of backup artifacts in ACCOUNT_A, it does centralize the long-term storage and management of backups in ACCOUNT_B. You may need to periodically clean up the initial backups in ACCOUNT_A if you want to minimize their presence there.

For more granular control or a fully centralized approach without any backup presence in ACCOUNT_A, you might need to consider custom solutions or third-party tools that can directly backup resources across accounts without using AWS Backup's built-in cross-account functionality.
Sources
Managing AWS Backup resources across multiple AWS accounts - AWS Backup
AWS Backup and AWS Organizations bring cross-account backup feature
Creating backup copies across AWS accounts - AWS Backup

profile picture
answered a month ago
0

To create a centralized cross-account backup strategy in AWS, follow these steps:

Backup Policy: Backup policies must be created in the organization's management account. Even though ACCOUNT_B is a delegated admin for AWS Backup, it cannot create organization-level policies.

Cross-Account Backup: In ACCOUNT_A (where resources are tagged for backup), create backups and set up copy actions to move these backups to a vault in ACCOUNT_B.

Permissions: Ensure cross-account permissions are configured properly, allowing backups to be copied from ACCOUNT_A to ACCOUNT_B.

Vault Location: A vault must first exist in ACCOUNT_A, and then the backups can be copied to ACCOUNT_B. There’s no way to avoid having the initial backup in ACCOUNT_A, but you can centralize long-term storage in ACCOUNT_B.

This setup centralizes backup management while still requiring backups to start in the source account.

profile picture
EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions