DEV Community

Revathi Joshi for AWS Community Builders

Posted on

How to use AWS Backup cross-account backup to copy and restore DynamoDB tables between AWS accounts

In this article, I am going to show you how to copy and restore DynamoDB tables using AWS Backup - cross-account backup between 2 AWS accounts.

In order for the cross-account to work, you have to add your 2 accounts (Source Account A and Target Account B) to the same Organization in the Organization Service.

DynamoDB

DynamoDB is a key-value, non-relational database that uses a simple key-value method to store data. A key-value database stores data as a collection of key-value pairs in which a key serves as a unique identifier, which is called the Primary Key. Also known as Partition Key / Hash Key.

DynamoDB is fully integrated with AWS Backups. You can use the DynamoDB console, API, and AWS Command Line Interface (AWS CLI) to enable automatic backups and restore for your DynamoDB tables.

AWS Backup

As per AWS, "AWS Backup is a fully-managed service that makes it easy to centralize and automate data protection across AWS services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your AWS resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes."

You can use AWS Backup to manage your backups across all AWS accounts. AWS Backup supports backing up and restoring Amazon DynamoDB tables.

Cross-account backups are useful for security reasons. If your original data backup from the Source account got deleted by mistake, you can always copy and sync the backup from its destination account and then do a restore. A common use case would be to copy your data from Production environment to the Development, and Testing environments.

Objectives:

  • 2 accounts (Source Account A and Target Account B) should be in the same Organization.
  • Turn on AWS Backup features in the Source Account A and Target Account B
  • Create backup vaults in the Source Account A and Target Account B
  • In Source Account A, Create the DynamoDB table and Create a backup in the AWS Backup backup vault.
  • From the Source Account A, Initiate and copy the backup to the backup vault in the Target account B.
  • In the Target account B, restore the DynamoDb table using the backup from the target account backup vault.
  • Test the set-up
  • Cleanup

Pre-requisites:

  • Access to Amazon Management Console with an AWS IAM user Account (not root account).
  • Cloud9 IDE with AWS CLI.

Resources Used:

1. Creating backups of DynamoDB tables with AWS Backup {https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CreateBackupAWS.html}
2. Creating backup copies across AWS accounts {https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html}

Let's get started

Please visit my GitHub Repository for DynamoDB articles on various topics being updated on constant basis.

Steps for implementation to this project:

In the Source Account A and the Target Account B:

  • On AWS Backup console / Settings / Under Advanced features for Amazon DynamoDB backups / Advanced features - Enabled

  • Under Cross-account management / Cross-account backup / Turn On Enable

Source Account A - Advance Features Enabled

Image description

Source Account A - Cross-account backup Enabled

Image description

Target Account B - Advance Features Enabled

Image description

Target Account B - Cross-account backup Enabled

Image description

Create backup vaults in the Source Account A and Target Account B

Source Account A - Create Backup vault

  • On AWS Backup console / Backup vaults / Create Backup vault (other than Default)

Backup vault name: AccountA-Backupvault
Encryption key: From drop-down - select (default) aws backup
Create backup vault

Image description

  • From the Backup vaults / Choose - AccountA-Backupvault
  • Access Policy / Add permissions / Allow access to a Backup vault from organization.
  • Next page - Add permissions: Allow access to a Backup vault from organization / Access Policy Details / should see - "Allow" backup:CopyIntoBackupVault
  • Save policy

Image description

Target Account B - Create Backup vault

  • On AWS Backup console / Backup vaults / Create Backup vault (other than Default)

Backup vault name: AccountB-Backupvault
Encryption key: From drop-down - select (default) aws backup
Create backup vault

Image description

  • From the Backup vaults / Choose - AccountB-Backupvault
  • Access Policy / Add permissions / Allow access to a Backup vault from organization.
  • Next page - Add permissions: Allow access to a Backup vault from organization / Access Policy Details / should see - "Allow" backup:CopyIntoBackupVault
  • Save policy

Image description

  • Copy the Amazon Resource Name (ARN) of the backup vaults of Source Account A and Target Account B and save it on a notepad.

These are required when you copy the DynamoDB table backup between the source account and the target account.

In Source Account A, Create the DynamoDB table and Create a backup in the AWS Backup backup vault

Source Account A - Create a DynamoDB table



aws dynamodb create-table \
    --table-name Famous-Movies \
    --attribute-definitions \
        AttributeName=Title,AttributeType=S \
    --key-schema \
        AttributeName=Title,KeyType=HASH \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5
aws dynamodb wait table-exists --table-name Famous-Movies


Enter fullscreen mode Exit fullscreen mode


aws dynamodb describe-table --table-name Famous-Movies | grep TableStatus


Enter fullscreen mode Exit fullscreen mode

Image description

Image description

Source Account A - Create a backup in the AWS Backup backup vault

On the AWS Backup Dashboard page / Choose Create on-demand backup / Under Create on-demand backup / Under Settings

Resource type: select DynamoDB
Table name: select DynamoDB Table that you just now created - Famous-Movies
Retention period: Always
Backupvault dropdown list: select the backup vault that you created in the Source Account A - AccountABackupvault.
Create on-demand backup

Status Backup in progress for table/Famous-Movies.
Depending on the size of the resource, this might take several hours. For status updates, refresh the page.
Status Completed

Image description

From the Source Account A, Initiate and copy the backup to the backup vault in the Target account B.

  • On the AWS Backup Dashboard page / Backup vaults / Choose AccountA-Backupvault
  • Under AccountA-Backupvault / Recovery points / select the Recovery point ID of the backup you want to copy
  • Under Actions drop-down / select copy
  • Under Copy 1fe84698-b652-4c84-a784-52a9ed042761 - DynamoDB / Copy configuration / Copy to destination / Enter the AWS Region of the target account - US-East (N.Virginia)
  • Choose Copy to another account's vault - turns "blue" when selected
  • External vault ARN - enter the ARN of the backup vault of Target Account B
  • Allow Backup vault access - Allow access to the account 664233888553 to copy backups to your Backup vault "AccountA-Backupvault" ------> Allow
  • Allow Backup vault access? Allow the account "664233888553" to copy data back into your account by adding permissions to your Backup vault "AccountA-Backupvault" access policy. Permissions can be edited on the Backup vault detail page ------> Allow
  • Backup recovery has been enabled in your vault "AccountA-Backupvault" Changes to your Backup vault's access policy can be made on your vault's detail page - Checked **Copy
  • Status - Copy in progress for 1fe84698-b652-4c84-a784-52a9ed042761 Depending on the size of the resource, this process may take several hours

Status
Completed

Image description

In the Target account B, restore the DynamoDb table using the backup from the target account backup vault.

Target Account B

  • On the AWS Backup console / select Backup vaults - AccountB-backupvault
  • Under AccountB-Backupvault / under Recovery points / select Recovery point ID
  • Actions drop-down - select Restore
  • Under Restore backup / Settings / New table name - Enter the new name of the target DynamoDB table that you want to restore - Famous-Movies-New
  • Click Restore
  • Under Restore in progress for 3bbce81d-50e6-4845-9d5f-1c1ed81c61af This may take several hours. For status updates and to view the resource, go to the DynamoDB console

Status
Completed

Image description

Test the set-up

On the DynamoDB Console / Tables / Name

Image description

New DynamoDB table is restored and created - Famous-Movies-New

Cleanup

Source Account A

  • Delete DynamoDB table - Famous-Movies
  • Under AWS Backups / Settings - Disable Advanced features for DynamoDB Backups
  • Disable cross-account backup
  • Under Recovery Points / delete Recovery point ID
  • Delete Backup vault - AccountA-Backupvault

Target Account B

  • Delete DynamoDB table - Famous-Movies-New
  • Under AWS Backups / Settings - Disable Advanced features for DynamoDB Backups
  • Disable cross-account backup
  • Under Recovery Points / delete Recovery point ID
  • Delete Backup vault - AccountB-Backupvault

What we have done so far

Successfully demonstrated how to create, copy and restore DynamoDB tables between 2 AWS accounts in an Organization using AWS Backup cross-account backup.

Top comments (0)