Introduction

At copebit, we place great emphasis on keeping our clients’ data safe. As data is often of utmost importance to companies, we understand the need for a professional and scalable backup solution that prevents data loss, ensures business continuity, fulfills compliance requirements, and saves costs.

  • Data loss prevention: Data loss can happen due to various reasons, such as hardware failure, natural disasters, human error, or cyberattacks. Having a backup solution in place ensures that important data is not lost and can be easily restored if required.
  • Business continuity: Data loss can disrupt business operations, causing financial losses and a negative impact on the company’s reputation. A backup solution can help ensure that business operations can continue uninterrupted even in the event of a data loss.
  • Compliance requirements: Many industries have specific data retention and backup requirements that companies must comply with. Failing to comply with these requirements can result in significant financial and legal penalties.
  • Cost-effectiveness: Investing in a backup solution is a cost-effective way to safeguard valuable company data, compared to the costs associated with data recovery or business downtime.

copebit proposes to its clients a solution that works across regions and even across accounts. Having a cross-account and cross-region backup on Amazon Web Services (AWS) provides additional benefits, including:

  • Improved disaster recovery: In the event of a disaster or data loss, having backups stored in multiple AWS regions and accounts provides an additional layer of redundancy and ensures that data can be quickly restored, minimizing downtime and data loss.
  • Enhanced security: Cross-account backup allows companies to store their backup data in a separate account, reducing the risk of accidental or malicious data deletion, and providing an additional layer of security. Cross-region backup further enhances security by ensuring that data is replicated and stored in multiple regions, protecting it against regional outages.

In general, a good backup solution is a critical part of any company’s data management strategy and can help ensure business continuity, compliance, and cost-effectiveness.

Having a cross-account and cross-region backup on AWS provides improved disaster recovery and enhanced security, making it a beneficial solution for companies looking to protect their valuable data. We at copebit have this solution engineered and in place for multiple clients.

AWS Backup

AWS Backup is a fully managed backup service provided by AWS that allows you to centralize and automate the backup of data across AWS services and on-premises. It is designed to make it easy for you to protect your data and meet your business and regulatory backup compliance requirements. With AWS Backup, you can create backup plans, schedule backup jobs, and monitor the completion and status of your backups.

AWS Backup provides a centralized console for managing backups across multiple AWS services, including Amazon EBS, EC2, RDS, DynamoDB, EFS, Storage Gateway, FSx, and S3. You can also use AWS Backup to back up on-premises resources using the AWS Backup Gateway, a virtual on-premises appliance that you can use to back up data to AWS. A complete list of the services supported by AWS Backup can be found in the AWS documentation: How AWS Backup works with supported AWS services

AWS Backup provides several features that enable you to create, manage, and monitor your backups, including backup plans, backup vaults, backup jobs, and backup events. You can use AWS Backup to schedule backups, copy backups across regions, and restore data from backups. AWS Backup also integrates with AWS CloudTrail to provide audit and compliance reports for your backup operations.

A significant benefit of AWS Backup is that you can consolidate your backups into one or more dedicated backup accounts. With AWS Backup, you can not only back up to another account, but also copy the backups to a region that differs from the region of your workload. This guarantees that your backups remain accessible and can be restored in another region if your workload region experiences an outage. As a result, your backups are always highly available, minimizing the risk of data loss due to unforeseen circumstances.

Certain AWS services, such as RDS and Aurora, do not support a copy that is both cross-account and cross-region in a single step. To work around this limitation, create a cross-region backup copy first and configure a second copy to the central backup account that is started once the first copy has completed successfully.

The following architecture overview shows the involved AWS services of the cross-account and cross-region backup:

Cross Account and Cross Region 01

Creating a Cross-Account Cross-Region Backup System


Prepare cross-account backup

To enable cross-account backup, follow these steps:


  1. Sign in to the AWS Organizations management account and go to the AWS Backup console.
  2. Click on ‘Settings’ and enable the ‘Cross-account backup’ feature, as illustrated below.
Cross Account and Cross Region 02

In the KMS console of the central backup account, create a new customer-managed key (CMK) as shown in the screenshot below. A CMK is necessary because AWS managed keys can’t be shared with other accounts.

Cross Account and Cross Region 03

Then create a backup vault in the AWS Backup console of the central backup account. The backup vault should be located in a different location than the workload. In this example, we use Ireland (eu-west-1) as the backup location as the workload is provisioned in Frankfurt (eu-central-1).

Cross Account and Cross Region 04

After creating the backup vault, add the permissions that allow access to the backup vault from within the organization.

Cross Account and Cross Region 05

Finally, the backup vault should have an access policy that allows your organization ID, and it should use the CMK from the central backup account.

Expert advice:
To improve security, grant access to the backup vault per account rather than for the whole organization. This is easiest to maintain if you implement the backup solution with Infrastructure as Code (IaC) using CloudFormation, Terraform, or something similar. Talk to copebit if you need support here.
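The central backup account's vault as a CloudFormation template, added here as an example (not copebit's own template), with the access policy scoped to explicit workload accounts as the expert advice recommends, and the organization-wide variant from the console walkthrough kept for comparison. The key ARN, account IDs and organization ID are placeholders.

```yaml
# Added example, not copebit's own template: the central backup account's
# vault using the CMK created earlier, with an access policy that lists the
# workload accounts explicitly instead of the whole organization.
# Key ARN, account IDs and organization ID are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Central backup vault in eu-west-1 accepting copies from workload accounts

Resources:
  CentralBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: central-backup-vault
      # Customer-managed key in the central backup account (placeholder ARN)
      EncryptionKeyArn: arn:aws:kms:eu-west-1:999999999999:key/PLACEHOLDER-KEY-ID
      AccessPolicy:
        Version: "2012-10-17"
        Statement:
          # Account-level grant (the "expert advice" variant): only the listed
          # workload accounts may copy recovery points into this vault.
          - Sid: AllowCopyFromWorkloadAccounts
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::111111111111:root   # workload account (placeholder)
                - arn:aws:iam::222222222222:root   # another workload account (placeholder)
            Action: backup:CopyIntoBackupVault
            Resource: "*"
            # The organization condition stays as a second check: a caller
            # must be a listed account AND a member of the organization.
            Condition:
              StringEquals:
                aws:PrincipalOrgID: o-PLACEHOLDER
          # Organization-wide variant from the console walkthrough, for
          # comparison: any account in the organization may copy in.
          # - Sid: AllowCopyFromOrganization
          #   Effect: Allow
          #   Principal: "*"
          #   Action: backup:CopyIntoBackupVault
          #   Resource: "*"
          #   Condition:
          #     StringEquals:
          #       aws:PrincipalOrgID: o-PLACEHOLDER

Outputs:
  CentralBackupVaultArn:
    Description: Value for the 'external vault ARN' field in the workload account's backup rules
    Value: !GetAtt CentralBackupVault.BackupVaultArn
```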

Configure cross-account backup

Once the prerequisites are met, the next step is to set up the cross-account backup. To accomplish this, follow these steps:

  1. Sign in to the workload account and go to the AWS Backup console.
  2. Create a CMK as already done in the central backup account.
  3. Create a backup vault which uses the newly created CMK.
  4. Create a backup plan that includes one or more backup rules.
  5. Each backup rule should specify, as its copy destination, the region of the backup vault in the central backup account. Also, the ‘external vault ARN’ field should contain the ARN of the central backup account’s vault.
    Cross Account and Cross Region 06
  6. Click the ‘Assign resources’ button to specify what resources should be included in the backup. The example below specifies the tag ‘backup’ with the value ‘daily-weekly-monthly-12months’.
    Cross Account and Cross Region 07
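The workload-account side of steps 4 to 6 as a CloudFormation template, added here as an example (not copebit's own template): each rule backs up into the local vault and copies the recovery point to the central vault in eu-west-1, and the selection picks resources by the tag from the screenshot. The vault name, central vault ARN, account ID and service role are placeholders; the weekly rule is left out for brevity.

```yaml
# Added example, not copebit's own template: workload-account backup plan whose
# rules copy every recovery point into the central account's vault in eu-west-1
# (cross-account and cross-region in one rule), plus a tag-based selection.
# Vault name, central vault ARN and the IAM role are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Workload-account backup plan with copy to the central backup vault

Resources:
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: daily-weekly-monthly-12months
        BackupPlanRule:
          - RuleName: daily
            TargetBackupVault: workload-backup-vault   # local vault using the workload CMK
            ScheduleExpression: "cron(0 2 * * ? *)"  # every day at 02:00 UTC
            Lifecycle:
              DeleteAfterDays: 35
            CopyActions:
              # 'external vault ARN' from the central backup account (placeholder)
              - DestinationBackupVaultArn: arn:aws:backup:eu-west-1:999999999999:backup-vault:central-backup-vault
                Lifecycle:
                  DeleteAfterDays: 35      # retention of the copy in the central vault
          - RuleName: monthly
            TargetBackupVault: workload-backup-vault
            ScheduleExpression: "cron(0 3 1 * ? *)"  # 1st of each month, 03:00 UTC
            Lifecycle:
              DeleteAfterDays: 365
            CopyActions:
              - DestinationBackupVaultArn: arn:aws:backup:eu-west-1:999999999999:backup-vault:central-backup-vault
                Lifecycle:
                  DeleteAfterDays: 365     # the "12months" part of the tag value

  TaggedResources:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: tag-daily-weekly-monthly-12months
        # Role that AWS Backup assumes; assumed to exist already in this account
        IamRoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBackupDefaultServiceRole
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup
            ConditionValue: daily-weekly-monthly-12months
```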

Now everything is set up. AWS Backup will back up all resources that match the resource assignments, following the schedule defined in the backup plan.

Gotcha!
Encrypting data at rest in the cloud is best practice. For encrypted resources such as EBS volumes or RDS instances to be backed up across accounts, the CMKs that encrypt them must allow the central backup account to access and decrypt the data and re-encrypt it with the backup CMK. If you require assistance in this matter, reach out to copebit.
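A key policy for the workload CMK that resolves this gotcha, added here as an example (not copebit's own template): the central backup account is allowed to read and re-encrypt data protected by the key during the copy. The set of actions follows the standard pattern for sharing encrypted snapshots across accounts; account IDs are placeholders.

```yaml
# Added example, not copebit's own template: key policy for the workload CMK
# that encrypts the EBS volumes or RDS instances being backed up. The second
# and third statements let the central backup account (placeholder ID) use the
# key when it copies the recovery point and re-encrypts it with the backup CMK.
Resources:
  WorkloadDataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for workload EBS/RDS data (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Standard administration statement for the key's own account
          - Sid: AllowKeyAdministrationInWorkloadAccount
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Lets IAM principals in the central backup account (its backup role)
          # decrypt the source data and re-encrypt it during the copy
          - Sid: AllowCentralBackupAccountToUseKey
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::999999999999:root   # central backup account (placeholder)
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Resource: "*"
          # Grants are only allowed on behalf of AWS services (EBS, RDS, Backup),
          # not for arbitrary use by the other account's principals
          - Sid: AllowCentralBackupAccountGrantsForAwsServices
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::999999999999:root
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: "true"
```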

Under ‘Jobs’ in the AWS Backup console, you should see a new entry once the backup has been triggered for the first time.

Cross Account and Cross Region 08

After a short delay, the copy job is triggered, which transfers the backup to the central backup account.

Cross Account and Cross Region 09

Finally, you should be able to see the backed-up resources in the central backup account. Navigate to the backup vault section in the AWS Backup web console; all protected resources are listed there.

Cross Account and Cross Region 10

At this point, you can restore the snapshot in the backup account or copy it back to the workload account, either in the same region or a different one, and resume using it as needed.

Wrap up

In summary, creating a cross-account cross-region backup system in AWS requires a few steps to be followed. The first step is to prepare cross-account backup by enabling the ‘Cross-account backup’ feature and creating a customer-managed key and a backup vault with the right permissions in the central backup account.

The next step is to configure cross-account backup by creating a backup plan, assigning resources, and specifying the destination location of the backup vault from the central backup account.

Once everything is set up, AWS Backup will automatically take a backup of all resources tagged according to the resource assignments.

Finally, users can restore the snapshot in the backup account or copy it back to the workload account, either in the same region or a different one, and resume using it as needed.

copebit has implemented this cross-account and cross-region backup solution in Terraform and CloudFormation. If you would like to get access to these solutions, reach out to info@copebit.ch.

Ruben Knaus

Ruben is a Senior DevSecOps Engineer (AWS certified) with a focus on Kubernetes and automation.