Cross-Account and Cross-Region Backups with AWS Backup (and Friends)

Summary

Reading Time: 30 minutes A Foreword on Centralized Backups Using AWS BackupThe First CopyArchitecture DiagramHandling EncryptionVaults in the Destination AccountVaults in the Source AccountWiring up EventBridgeDestination Account SetupSource Account SetupBreak For Testing: Verify CopyingTriggering the Regional Copy Using LambdaModuleTie EventBridge to LambdaNext Steps In today’s edition of “don’t trust LLMs”, we learn that despite what AI tells you, AWS Backup doesn’t support Cross-Account and Cross-Region backups. It supports Cross-Account copying and Cross-Region copying, but apparently not together. As part of Masset’s Data Protection and Disaster Recovery policies, we determined that having backups separated by both region and OU account was a good idea. This follows fairly closely to AWS’s recommended best practice of using a separate, centralized account for an immutable history of backups and log. In the case of logging, this is a no-brainer. Most services require just a few simple tweaks to copy logs to a centralized location. However, the story is a bit different for backups. AWS Backup’s lack of support for the combination of differing regions and account is unfortunate. It’s a relatively new (in terms of AWS lifecycles) service offering, so I’m willing to give it a bit of leeway… But having to choose between region or account means we can only mitigate one risk at a time. It all feels so simple; wit’s just a few lines of Terraform code. But the first time it runs you’ll get a failure notification in your #alerts Slack channel and you’ll see something akin this beautiful error hidden on the copy job for your backup. It’s obviously not telling the full truth. AWS clearly states in their documentation that cross-region is allowed. Unfortunately, that little superscript #3 bears a lot of weight: 3. RDS, Aurora, DocumentDB, and Neptune do not support a single copy action that performs both cross-Region AND cross-account backup. You can choose one or the other....