AWS Backup Demo: Cross-Account & Cross-Region Backup

Published on Apr 24, 2024

Step-by-Step Tutorial: AWS Backup Demo - Cross-Account & Cross-Region Backup

Prerequisites:

  1. Management Account in AWS Organization: Ensure you have a management account set up in the AWS organization.
  2. Enable Cross-Account Opt-In: Enable the cross-account opt-in feature in the management account to allow cross-account backups.
  3. Source Account: Identify the account where your production resources are located and need to be protected.
  4. Destination Account: Identify the account where the backups will be copied to. This can be in the same region or a different region.
  5. Service Control Policies (SCP): Use SCPs to restrict which accounts can be used as destination accounts in your organization.
  6. Customer Managed Keys: Use customer-managed Customer Master Keys (CMK) to encrypt your cross-account backups.

Setting Up Cross-Account Backups:

  1. Create Backup Vault in Destination Account:

    • Log in to one of the destination accounts within the organization.
    • Navigate to the AWS Backup console and click on "Backup Vaults."
    • Create a backup vault in the desired region (e.g., Sydney).
    • Choose a backup vault name and select a shared KMS key for encryption.
    • Set up a backup vault access policy to allow copying into the vault.
    • Save the policy and note down the backup vault ARN for later use in the backup plan.
  2. Create Backup Vault in Source Account:

    • Log in to the source account and navigate to the AWS Backup console.
    • Create a backup vault in a different region (e.g., Canada Central) using the same process as in the destination account.
    • Set up a backup vault access policy to allow copying into the vault.
  3. Create Automated Backup Plan:

    • Under the backup rule configuration, give a rule name and set the frequency of backups.
    • Customize the backup window timing and lifecycle management settings as per your requirements.
    • Configure the backup plan to copy backups to the destination account in the Sydney region using the backup vault ARN from step 1.
  4. Assign Resources to Backup Plan:

    • Add the necessary resources (e.g., EC2 instances, EFS volumes) to the backup plan.
    • Use tags to assign resources for backup.
  5. Check Backup Status:

    • Browse to the source account's backup vault and verify that backups are completed.
    • Similarly, navigate to the destination account's backup vault to check if the copy jobs were successful.
  6. Perform Restores:

    • In the destination account, you can restore backups from the source account.
    • You can also copy backups back to the source account for additional protection.
  7. Verify Restore and Copy:

    • Check the source account to ensure that the copied backup from the destination account is available for restore.
    • Perform a full restore or an item-level restore as needed.
  8. Conclusion:

    • In this demo, you learned how to enable cross-account backups between regions and accounts.
    • You saw how to create automated backup plans, perform restores, and copy backups between accounts for data protection.

By following these steps, you can set up and manage cross-account and cross-region backups using AWS Backup effectively.
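
The vault access policy from step 1 is the control that decides who may copy recovery points into the destination vault. The following Python sketch is an added example, not part of the original tutorial: it builds a policy that allows `backup:CopyIntoBackupVault` only for principals in one organization, and audits an existing policy for copy-in statements open to any AWS principal. The function names and the organization ID `o-exampleorgid` are assumptions made for illustration.

```python
import json

COPY_ACTION = "backup:CopyIntoBackupVault"

def build_vault_policy(org_id):
    """Vault access policy: allow copy-in only from principals in one organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopyFromOrg",
            "Effect": "Allow",
            "Principal": "*",
            "Action": COPY_ACTION,
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": [org_id]}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_vault_policy(policy, org_id):
    """Flag Allow statements that open copy-in to principals outside org_id."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {COPY_ACTION.lower(), "backup:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in _as_list(principal.get("AWS", [])) else None
        if principal != "*":
            continue  # named principals are out of scope for this check
        # Only an exact StringEquals on aws:PrincipalOrgID counts as scoping here.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        orgs = {o for k, v in equals.items() if k.lower() == "aws:principalorgid" for o in _as_list(v)}
        extra = sorted(orgs - {org_id})
        if not orgs:
            findings.append(f"statement {i}: any AWS principal may copy into the vault")
        elif extra:
            findings.append(f"statement {i}: copy-in allowed from other organizations: {extra}")
    return findings

if __name__ == "__main__":
    org = "o-exampleorgid"  # constructed placeholder organization ID
    print(json.dumps(build_vault_policy(org), indent=2))
    print(audit_vault_policy(build_vault_policy(org), org))
```

The JSON printed by `build_vault_policy` can be pasted into the vault's access policy editor in the AWS Backup console after replacing the placeholder organization ID with your own.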