DEV Community

Cover image for How to configure cross-account AWS Backup
Arkadiusz Bolewski for AWS Community Builders

Posted on

How to configure cross-account AWS Backup


This blog post will describe how to set up cross-account AWS Backup. Let's imagine situation where you need to store your cloud backups in one central location, like another AWS account? Maybe because of some compliance or other organizational/contractual reasons. This is where cross-account AWS Backup jump on the stage :)


First of all you must have at least two accounts that belong to the same organization in the AWS Organizations service. One for backup source and second for desired target location.

Next you need to enable cross-account backup functionality. By default it's disabled.

Enable cross-account backup

Creating Customer Managed Key for backup encryption

For all services except Amazon EFS, cross-account backup only supports customer managed CMKs. It does not support backup vaults that are encrypted using AWS managed CMKs, including default vaults, because AWS managed CMKs are not intended to be shared between accounts that's why we need to create our own key.

Backup Key

Set up alias, key type and key administrators. For key users we need to pickup IAM Role used by AWS Backup. Last thing is to allow usage of our key with Source account.

Create Service Linked Role for AWS Backup (optional)

You might encounter similar error:
The provided role arn:aws:iam::1234567890:role/aws-service-role/ cannot be assumed by AWS Backup.

This means you are missing service linked role. AWS Backup uses the service linked role named AWSServiceRoleForBackup. This role provides AWS Backup permission to create backups on your behalf across AWS services. If you have used AWS Backup in the past, most probably you already have it but if don't we can create it running below command:

aws iam create-service-linked-role --aws-service-name
Enter fullscreen mode Exit fullscreen mode

We can use new cool feature to do this - AWS CloudShell
Alt Text

Create Backup Vaults

Next step is to create Backups Vaults in source and destination accounts where we will copy our backups. Backup vault is a container where you can organize your backups in.

Note:You must use vaults other than your default vaults to perform cross-account backup.

AWS Backup Vault

Another task to do with Backup Vaults is to set up an access policy. We want to allow access to our Vault from AWS Organizations.

Access Policy

Policy JSON should look like this:
Access Policy details

We need to switch to our source account and repeat these steps with creating KMS key and Backup Vault. We need a place to store our encrypted backups before we copy them to the target account.

Configure Backup Plans

Next step is to configure Backup Plans. Backup plan is a policy (set of rules) that defines when and how you want to back up your AWS resources. You can assign resources to backup plans and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup demands.

You can pick up from pre-defined templates or create your own plan:
Backup Plan

Configure backup rule by defining schedule, backup window, lifecycle policy, target vault:
Backup Rule configuration

And what's most interesting, we can define here our copy to destination with copy to another account's vault switch:

AWS Backup cross account

It's worth to mention that we can have multiple copies.

When we have defined our backup plan and rules now it's time to assign resources that are going to be backed up:
AWS Backup assign resources

We can assign resources by specific Tags which is very useful and by Resource ID:
AWS Backup assign resources

Supported resource types

Unfortunately not all resource types support cross-account and cross-region backup at the same time. One of the example is RDS. You may encounter similar error:
RDS copy error
I couldn't find any confirmation in official docs that this setup is not supported. I hope AWS team responsible for AWS Backup will work on it and in the near future all resource types will support cross-account and cross-region backup ;-)

I've worked with below resource types without any issues:

  • EC2
  • EBS
  • EFS (non-default/automatic EFS backup)

Verify your backup and copy jobs

Final thing is to review if your backups are working as planned. Verify backup jobs and copy jobs in your dashboard and troubleshoot any potential misconfigurations/issues:
AWS Backup Dashboard
Copy Jobs

Next steps

There is always space for improvement :). If you would like to experiment more with AWS Backup you might want to try centralized management and creating Backup Policies across your AWS Organization.

If you have any additional questions or spot any error please feel free to contact me!

P.S. Always test your backups.

Top comments (2)

karthikrnair profile image
Karthik R

excellent article .....It really helped to me overcome the problem while creating cross account back

arkbol profile image
Arkadiusz Bolewski

I'm very happy that you found it useful! :)