Streamlining Cross-Account RDS Snapshot Copies with AWS Backup

Hemanth M Gowda
3 min read · Jun 14, 2024


In today’s multi-account AWS environments, securing your data with efficient backup strategies is crucial. One vital aspect of this is setting up cross-account RDS snapshot copies. This guide will walk you through the process of configuring cross-account RDS snapshot copies using AWS Backup.

Prerequisites

Before we dive into the setup, ensure you have the following prerequisites in place:

  1. AWS Accounts: Two AWS accounts (source and destination) with the necessary permissions.
  2. AWS CLI: Ensure you have the AWS Command Line Interface (CLI) installed and configured.
  3. IAM Roles and Policies: Proper IAM roles and policies set up for AWS Backup and KMS.
  4. AWS Organizations: Both the source and destination accounts must belong to the same organization in AWS Organizations.
  5. Cross-Account Backup: Cross-account backup enabled in the organization's management account.

Step-by-Step Setup Guide

Step 1: Create CMKs in Both Accounts

First, create Customer Master Keys (CMKs) in both the source and destination accounts. These keys will be used to encrypt the backup vaults. Navigate to the KMS console in each account and create the relevant CMK.

Step 2: Create Backup Vaults

Next, create backup vaults in both the source and destination accounts to store the snapshots. Use the CMKs created in the previous step to set up encryption for the vaults in both accounts. Make sure to copy the destination account vault ARN, as it will be needed during the setup of the backup plan in the source account.

Step 3: Grant Access to the Destination Backup Vault

To allow the source account to copy backups into the destination vault, you need to edit the vault access policy in the destination account.

  1. In the destination account, navigate to the AWS Backup console and select the backup vault created earlier.
  2. Edit the vault access policy to include the following JSON policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow account to copy into backup vault",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<source_account_id>:root"
                },
                "Action": "backup:CopyIntoBackupVault",
                "Resource": "*"
            }
        ]
    }

Replace <source_account_id> with the actual source account ID.

Step 4: Configure the Backup Plan in the Source Account

Now, it’s time to configure a backup plan in the source account to set the backup frequency and specify the copy configuration.

  1. In the source account, go to the AWS Backup console.
  2. Create a new backup plan and define the necessary backup rules.
  3. In the copy configuration section:
  • Select “Cross Account”.
  • Choose the destination region.
  • Paste the ARN of the destination backup vault created in Step 2.
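The four steps above, carried through as an added Python example rather than the author's own console walkthrough: it builds the Step 3 vault access policy and the Step 4 backup plan with its cross-account copy action, refuses a policy whose principal is a wildcard (which would let any AWS account copy into the vault), and applies both through boto3 `backup` clients that the caller supplies. The account IDs, region, vault and plan names, schedule and retention period are constructed placeholders, and `vault_arn`, `vault_access_policy`, `wildcard_principals`, `backup_plan` and `apply_setup` are this example's own names.

```python
# Added example (not the author's code): builds the two documents that Steps 3 and 4
# configure through the console, the destination vault access policy and the source
# backup plan with its copy action, and checks them before they are applied.
# Account IDs, region, vault and plan names below are constructed placeholders.
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def vault_arn(region: str, account_id: str, vault_name: str) -> str:
    """ARN of a backup vault, the value Step 4 pastes into the copy configuration."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region format: {region!r}")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{vault_name}"


def vault_access_policy(source_account_id: str) -> dict:
    """Step 3: the destination vault policy that lets the source account copy in."""
    if not ACCOUNT_ID_RE.match(source_account_id):
        raise ValueError(f"not a 12-digit AWS account id: {source_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow account to copy into backup vault",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
                "Action": "backup:CopyIntoBackupVault",
                "Resource": "*",
            }
        ],
    }


def wildcard_principals(policy: dict) -> list:
    """Sids of Allow statements that grant to every AWS principal ('*').

    Such a vault policy would let any account copy recovery points into the
    vault, so apply_setup refuses to push one.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if "*" in aws:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def backup_plan(plan_name: str, source_vault: str, destination_vault_arn: str,
                schedule: str = "cron(0 5 ? * * *)", keep_days: int = 35) -> dict:
    """Step 4: a backup plan whose rule copies each recovery point cross-account.

    Shape follows the AWS Backup CreateBackupPlan request; the daily 05:00 UTC
    schedule and 35-day retention are example values, not the post's.
    """
    return {
        "BackupPlanName": plan_name,
        "Rules": [
            {
                "RuleName": "daily-rds-with-cross-account-copy",
                "TargetBackupVaultName": source_vault,
                "ScheduleExpression": schedule,
                "Lifecycle": {"DeleteAfterDays": keep_days},
                "CopyActions": [
                    {
                        "DestinationBackupVaultArn": destination_vault_arn,
                        "Lifecycle": {"DeleteAfterDays": keep_days},
                    }
                ],
            }
        ],
    }


def apply_setup(dest_backup, source_backup, dest_vault_name, source_account_id, plan):
    """Push both documents using boto3 'backup' clients supplied by the caller:
    one authenticated in the destination account, one in the source account."""
    policy = vault_access_policy(source_account_id)
    if wildcard_principals(policy):
        raise ValueError("refusing to apply a vault policy with a wildcard principal")
    dest_backup.put_backup_vault_access_policy(
        BackupVaultName=dest_vault_name, Policy=json.dumps(policy))
    return source_backup.create_backup_plan(BackupPlan=plan)["BackupPlanId"]


if __name__ == "__main__":
    dest_arn = vault_arn("us-east-1", "222222222222", "rds-copy-vault")
    print(json.dumps(vault_access_policy("111111111111"), indent=2))
    print(json.dumps(backup_plan("rds-cross-account", "rds-vault", dest_arn), indent=2))
```

Run as a script it prints the two documents for review; `apply_setup` needs one client per account because each document is written to a different account. Creating the KMS keys and vaults from Steps 1 and 2, and attaching RDS resources to the plan through a backup selection with its IAM role, are left to the console as in the post.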

Conclusion

By following these steps, you’ve set up a robust cross-account RDS snapshot copy mechanism. This ensures your critical data is backed up securely across different accounts, providing an additional layer of redundancy and security.

This configuration not only enhances your disaster recovery strategy but also helps in meeting compliance requirements. With AWS Backup, managing cross-account backups becomes a seamless and efficient process.
