In this article, I am going to show you how to copy and restore DynamoDB tables between 2 AWS accounts using AWS Backup cross-account backup.
For cross-account backup to work, both accounts (Source Account A and Target Account B) must belong to the same organization in AWS Organizations.
DynamoDB
DynamoDB is a non-relational database that stores data as a collection of key-value pairs, in which a key serves as a unique identifier. This key is called the Primary Key, also known as the Partition Key / Hash Key.
DynamoDB is fully integrated with AWS Backup. You can use the DynamoDB console, API, and AWS Command Line Interface (AWS CLI) to enable automatic backups and restores for your DynamoDB tables.
AWS Backup
As per AWS, "AWS Backup is a fully-managed service that makes it easy to centralize and automate data protection across AWS services, in the cloud, and on premises. Using this service, you can configure backup policies and monitor activity for your AWS resources in one place. It allows you to automate and consolidate backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes."
You can use AWS Backup to manage your backups across all AWS accounts. AWS Backup supports backing up and restoring Amazon DynamoDB tables.
Cross-account backups are useful for security reasons. If the original backup in the Source account is deleted by mistake, you can always copy the backup back from the destination account and then do a restore. A common use case is copying your data from the Production environment to the Development and Testing environments.
Objectives:
- 2 accounts (Source Account A and Target Account B) should be in the same Organization.
- Turn on AWS Backup features in the Source Account A and Target Account B
- Create backup vaults in the Source Account A and Target Account B
- In Source Account A, create the DynamoDB table and create a backup in the AWS Backup backup vault.
- From Source Account A, initiate the copy of the backup to the backup vault in Target Account B.
- In Target Account B, restore the DynamoDB table using the backup from the target account backup vault.
- Test the set-up
- Cleanup
Pre-requisites:
- Access to the AWS Management Console with an AWS IAM user account (not the root account).
- Cloud9 IDE with AWS CLI.
Resources Used:
1. Creating backups of DynamoDB tables with AWS Backup {https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CreateBackupAWS.html}
2. Creating backup copies across AWS accounts {https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html}
Let's get started
Please visit my GitHub Repository for DynamoDB articles on various topics, which is being updated on a constant basis.
Steps to implement this project:
2 accounts (Source Account A and Target Account B) should be in the same Organization.
Follow the link {https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html} to create an Organization and configure it with a Management account (Source Account A) and a Member account (Target Account B).
Turn on AWS Backup features in the Source Account A and Target account B
In the Source Account A and the Target Account B:
On AWS Backup console / Settings / Under Advanced features for Amazon DynamoDB backups / Advanced features - Enabled
Under Cross-account management / Cross-account backup / Turn On Enable
Source Account A - Advanced Features Enabled
Source Account A - Cross-account backup Enabled
Target Account B - Advanced Features Enabled
Target Account B - Cross-account backup Enabled
Create backup vaults in the Source Account A and Target Account B
Source Account A - Create Backup vault
- On AWS Backup console / Backup vaults / Create Backup vault (other than Default)
Backup vault name: AccountA-Backupvault
Encryption key: From drop-down - select (default) aws backup
Create backup vault
- From the Backup vaults / Choose - AccountA-Backupvault
- Access Policy / Add permissions / Allow access to a Backup vault from organization.
- Next page - Add permissions: Allow access to a Backup vault from organization / Access Policy Details / should see - "Allow" backup:CopyIntoBackupVault
- Save policy
Target Account B - Create Backup vault
- On AWS Backup console / Backup vaults / Create Backup vault (other than Default)
Backup vault name: AccountB-Backupvault
Encryption key: From drop-down - select (default) aws backup
Create backup vault
- From the Backup vaults / Choose - AccountB-Backupvault
- Access Policy / Add permissions / Allow access to a Backup vault from organization.
- Next page - Add permissions: Allow access to a Backup vault from organization / Access Policy Details / should see - "Allow" backup:CopyIntoBackupVault
- Save policy
- Copy the Amazon Resource Name (ARN) of the backup vaults of Source Account A and Target Account B and save it on a notepad.
These are required when you copy the DynamoDB table backup between the source account and the target account.
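The "Allow access to a Backup vault from organization" choice above produces a vault access policy that allows backup:CopyIntoBackupVault to any principal, limited by an organization condition. The following Python check is an added example, not part of the original article; it assumes the policy uses the aws:PrincipalOrgID condition key, and the organization ID and sample policies are constructed placeholders.

```python
import json

COPY_ACTION = "backup:CopyIntoBackupVault"

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_vault_policy(policy_json, expected_org_id):
    """Return a list of findings for one backup vault access policy."""
    findings = []
    statements = _listify(json.loads(policy_json).get("Statement", []))
    for n, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        wildcard = "*" in _listify(principal)
        # Condition key names are case-insensitive, so normalise before lookup.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        org_ids = [org for key, val in equals.items()
                   if key.lower() == "aws:principalorgid" for org in _listify(val)]
        if wildcard and not org_ids:
            findings.append(f"statement {n}: Principal * without aws:PrincipalOrgID")
        for org in org_ids:
            if org != expected_org_id:
                findings.append(f"statement {n}: trusts {org}, expected {expected_org_id}")
        extra = [a for a in _listify(stmt.get("Action", []))
                 if a.lower() != COPY_ACTION.lower()]
        if extra:
            findings.append(f"statement {n}: grants more than {COPY_ACTION}: {extra}")
    return findings

# Constructed samples. "o-exampleorg1" is a placeholder organization ID.
ORG_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": COPY_ACTION, "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}}]})
WIDE_OPEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "backup:*", "Resource": "*"}]})

if __name__ == "__main__":
    # Real input: aws backup get-backup-vault-access-policy \
    #   --backup-vault-name AccountB-Backupvault --query Policy --output text
    for name, doc in (("org-scoped", ORG_SCOPED), ("wide-open", WIDE_OPEN)):
        print(name, audit_vault_policy(doc, "o-exampleorg1") or "OK")
```

Run it against the policy of each vault after "Save policy"; an empty result means the vault only accepts copies from principals in the expected organization.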
In Source Account A, Create the DynamoDB table and Create a backup in the AWS Backup backup vault
Source Account A - Create a DynamoDB table
aws dynamodb create-table \
--table-name Famous-Movies \
--attribute-definitions \
AttributeName=Title,AttributeType=S \
--key-schema \
AttributeName=Title,KeyType=HASH \
--provisioned-throughput \
ReadCapacityUnits=10,WriteCapacityUnits=5
aws dynamodb wait table-exists --table-name Famous-Movies
aws dynamodb describe-table --table-name Famous-Movies | grep TableStatus
Source Account A - Create a backup in the AWS Backup backup vault
On the AWS Backup Dashboard page / Choose Create on-demand backup / Under Create on-demand backup / Under Settings
Resource type: select DynamoDB
Table name: select DynamoDB Table that you just now created - Famous-Movies
Retention period: Always
Backup vault dropdown list: select the backup vault that you created in the Source Account A - AccountA-Backupvault.
Create on-demand backup
Status Backup in progress for table/Famous-Movies.
Depending on the size of the resource, this might take several hours. For status updates, refresh the page.
Status Completed
From Source Account A, initiate the copy of the backup to the backup vault in Target Account B.
- On the AWS Backup Dashboard page / Backup vaults / Choose AccountA-Backupvault
- Under AccountA-Backupvault / Recovery points / select the Recovery point ID of the backup you want to copy
- Under Actions drop-down / select copy
- Under Copy 1fe84698-b652-4c84-a784-52a9ed042761 - DynamoDB / Copy configuration / Copy to destination / Enter the AWS Region of the target account - US East (N. Virginia)
- Choose Copy to another account's vault - turns "blue" when selected
- External vault ARN - enter the ARN of the backup vault of Target Account B
- Allow Backup vault access - Allow access to the account 664233888553 to copy backups to your Backup vault "AccountA-Backupvault" -> Allow
- Allow Backup vault access? Allow the account "664233888553" to copy data back into your account by adding permissions to your Backup vault "AccountA-Backupvault" access policy. Permissions can be edited on the Backup vault detail page -> Allow
- Backup recovery has been enabled in your vault "AccountA-Backupvault". Changes to your Backup vault's access policy can be made on your vault's detail page - Checked
- Copy
- Status - Copy in progress for 1fe84698-b652-4c84-a784-52a9ed042761. Depending on the size of the resource, this process may take several hours.
Status
Completed
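The copy steps above can also be scripted. This Python sketch is an added example, not part of the original article: it checks the external vault ARN before use and then drives the AWS Backup StartCopyJob and DescribeCopyJob calls through a boto3-style client passed in as `backup`. The account IDs are constructed placeholders, and `role_arn` is assumed to be an IAM role in Source Account A that AWS Backup can assume (the article does not name one).

```python
import re
import time

VAULT_ARN = re.compile(r"arn:aws[a-z-]*:backup:(?P<region>[a-z0-9-]+):"
                       r"(?P<account>\d{12}):backup-vault:(?P<name>[A-Za-z0-9_-]{2,50})")

def check_destination(dest_vault_arn, source_account, approved_accounts, region):
    """Parse the external vault ARN and refuse unexpected copy targets."""
    m = VAULT_ARN.fullmatch(dest_vault_arn)
    if not m:
        raise ValueError("not a backup vault ARN")
    if m["account"] == source_account:
        raise ValueError("destination is the source account")
    if m["account"] not in approved_accounts:
        raise ValueError(f"account {m['account']} is not an approved copy target")
    if m["region"] != region:
        raise ValueError(f"vault is in {m['region']}, expected {region}")
    return m.groupdict()

def copy_recovery_point(backup, recovery_point_arn, source_vault, dest_vault_arn,
                        role_arn, poll_seconds=30, sleep=time.sleep):
    """Start the cross-account copy and poll until it reaches a final state."""
    job_id = backup.start_copy_job(
        RecoveryPointArn=recovery_point_arn,
        SourceBackupVaultName=source_vault,
        DestinationBackupVaultArn=dest_vault_arn,
        IamRoleArn=role_arn)["CopyJobId"]
    while True:
        state = backup.describe_copy_job(CopyJobId=job_id)["CopyJob"]["State"]
        if state in ("COMPLETED", "FAILED", "PARTIAL"):
            return job_id, state
        sleep(poll_seconds)

# Constructed placeholders: 111111111111 = Source Account A, 222222222222 = Target Account B.
SOURCE_ACCOUNT, TARGET_ACCOUNT = "111111111111", "222222222222"
DEST_VAULT_ARN = f"arn:aws:backup:us-east-1:{TARGET_ACCOUNT}:backup-vault:AccountB-Backupvault"

if __name__ == "__main__":
    # With credentials for Source Account A: backup = boto3.client("backup")
    print(check_destination(DEST_VAULT_ARN, SOURCE_ACCOUNT, {TARGET_ACCOUNT}, "us-east-1"))
```

Calling `check_destination` before `copy_recovery_point` keeps a mistyped or unapproved vault ARN from receiving a copy of the table data.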
In Target Account B, restore the DynamoDB table using the backup from the target account backup vault.
Target Account B
- On the AWS Backup console / select Backup vaults - AccountB-Backupvault
- Under AccountB-Backupvault / under Recovery points / select Recovery point ID
- Actions drop-down - select Restore
- Under Restore backup / Settings / New table name - Enter the new name of the target DynamoDB table that you want to restore - Famous-Movies-New
- Click Restore
- Restore in progress for 3bbce81d-50e6-4845-9d5f-1c1ed81c61af. This may take several hours. For status updates and to view the resource, go to the DynamoDB console.
Status
Completed
Test the set-up
On the DynamoDB Console / Tables / Name
New DynamoDB table is restored and created - Famous-Movies-New
Cleanup
Source Account A
- Delete DynamoDB table - Famous-Movies
- Under AWS Backup / Settings - Disable Advanced features for DynamoDB Backups
- Disable cross-account backup
- Under Recovery Points / delete Recovery point ID
- Delete Backup vault - AccountA-Backupvault
Target Account B
- Delete DynamoDB table - Famous-Movies-New
- Under AWS Backup / Settings - Disable Advanced features for DynamoDB Backups
- Disable cross-account backup
- Under Recovery Points / delete Recovery point ID
- Delete Backup vault - AccountB-Backupvault
What we have done so far
Successfully demonstrated how to create, copy and restore DynamoDB tables between 2 AWS accounts in an Organization using AWS Backup cross-account backup.