Data loss, whether due to accidental deletion, cyberattacks, or system failures, can be catastrophic for any organization.
Imagine waking up one day and realizing that your backups have mysteriously vanished. ๐ฑ Maybe someone accidentally deleted them (oops), or worse, a cyberattack wiped them out. Not cool, right?
Enter the AWS Central Backup Account โ the superhero ๐ฆธโโ๏ธ of backups! With this setup, all backups from your AWS Organization are automatically copied to a dedicated AWS account, ensuring an extra layer of protection. No more heart attacks over lost data! ๐พโจ
๐ Why You Need This in Your Life
โ๏ธ ๐ Ultimate Backup Resilience โ Even if a backup is deleted in a member account, a copy is safe in the Central Backup Account. Crisis averted!
โ๏ธ ๐ง Compliance Made Easy โ Need to meet regulations like GDPR or DORA? Centralized backups make audits a breeze!
โ๏ธ ๐ Automate Everything โ AWS Backup Plans take care of everything, so you can relax while your backups work for you.
โ๏ธ ๐ Backup Security โ Protect your backups with Customer Managed KMS Keys and Backup Vault policy!
โ๏ธ ๐ข Automated Alerts & Monitoring โ Get instant notifications if something goes wrong, so you can fix it before your boss finds out! ๐
๐ค The Problem This Solves
๐จ Backups can be lost! Accidental deletions, cyberattacks, or Murphyโs Law can strike at any time. With this setup, you always have a spare copy.
๐จ Manually copying backups is painful! We automate everything so you never have to worry about forgetting to copy your backups.
๐จ Visibility on backup failures is crucial! AWS EventBridge + Lambda + SNS work together to notify you immediately when something goes wrong.
๐จ AWS Managed Keys donโt work for cross-account backups! (at least now where I wrote this blog in February 2025) Thatโs why we use Customer Managed KMS Keys to securely share encrypted backups across accounts.
๐ Centralized Backup Solution Architecture
The diagram illustrates a multi-account AWS backup strategy, ensuring backups are automatically copied from application accounts to a dedicated central backup account for enhanced security and disaster recovery.
๐ Components in the Architecture
๐ Application Account (Source Account)
- Hosts e.g: Amazon RDS and Amazon EBS volumes that need to be backed up.
- Uses AWS Managed Keys or Customer Managed Keys (KMS) to encrypt the snapshots of these resources.
- Implements an AWS Backup Plan to schedule automatic snapshots.
๐ Backup Vaults
- Temporary Backup Vault: Stores the initial backup before copying it to the Primary Backup Vault.
- Primary Backup Vault: Stores the final backup within the application account, encrypted with a Customer Managed Key (CMK) to enable cross-account copy operations.
๐ AWS Backup Copy Jobs
- Copy Job 1: Copies the backup from the Temporary Backup Vault to the Primary Backup Vault in the same AWS account.
- Copy Job 2 (Cross-account copy job) triggered from Lambda: Copies the backup from the Primary Backup Vault to the Central Backup Account.
๐ AWS Lambda & Amazon EventBridge
EventBridge triggers Lambda functions after each copy job is complete.
Initiating the cross-account copy job once the backup reaches the Primary Backup Vault.
Lambda delete backups from the Temporary Backup Vault after the cross-account copy is successfully complete.
Sending notifications to alert admins of backup failures.
๐ Parameter Store
Stores backup tag settings used by Lambda functions.
๐ Central Backup Account
A dedicated AWS account used for long-term storage of backups.
Contains a Backup Vault, where cross-account copies from the application accounts are stored.
Uses a Customer Managed Key (CMK) to encrypt the backups securely.
๐ Prerequisites
โ
An AWS Organization with multiple accounts.
โ
Enable cross-account monitoring in AWS Backup from management account. The steps are described here.
โ
A dedicated AWS Backup Account for centralized backup that already have delegated permission for backup. You can find how to setup here.
โ
Ensure and enable the supported resources for cross-account backup. Check here
๐ Step-by-Step Deployment
๐ค Deployment in central backup account
Step 1: Create a backup vault in Central Backup Account to store backup copy of member account
๐ Go to AWS Backup โ Create a Backup Vault for member account to store the copy of the backup.
๐ Update the Backup Vault Policy โ Allow the role in the member account to sent the copy into the backup vault.
๐ Create backup policy that will be implemented across the AWS Organization โ The example can be found here.
๐จ๐ผโ๐ซ Deployment in member account
Step 1: Set Up a Customer Managed KMS Key ๐
๐ Go to AWS KMS โ Create a Customer Managed Key (CMK).
๐ Update the Key Policy to allow access from the Central Backup Account. โ Please refer to this link
Step 2: Configure AWS Backup in Each Member Account ๐๏ธ
๐ Create a Temporary Backup Vault and Primary Backup Vault.
๐ Set up an AWS Backup Plan Rule to back up tagged resources into the Temporary Backup Vault.
๐ Configure the Backup Plan Rule to copy backups to the Primary Backup Vault.
Step 3: Deploy a Lambda Function and EventBridge to Handle Backup Copy Jobs ๐ค
๐ Create an EventBridge Rule for successful copy job from Temporary Vault to Primary Vault.
๐ Create an AWS Lambda function triggered by EventBridge. โ The function run a copy job from Primary Backup Vault to Central Backup Vault in central backup Account.
๐ If the event is a successful copy from Temporary to Primary Vault, Lambda copies it to the Central Backup Account.
Step 4: Set Up EventBridge to Watch for Backup Jobs Failures ๐
๐ Create an EventBridge Rule for failed backup, copy, or restore jobs (so you know when somethingโs broken).
๐ Create an SNS Topic and subscribe your email (or Slack, or any your preference endpoint that supported in SNS)
๐ Add SNS as Eventbridge Target to sent the notification.
๐ Get real-time alerts before disaster strikes!
๐ฏ Conclusion โ Your Backups Just Got Smarter!
By implementing this Centralized AWS Backup Solution, youโve just leveled up your cloud game. No more โoops, my backup is goneโ moments, no more compliance headaches, and no more manual backup drudgery.
๐ Automation? Check.
๐ Security? Check.
๐ข Notifications? Check.
So what are you waiting for? Get started today! ๐ Your future self will thank you!
โผ๏ธ Things to consider
๐ The time where AWS Backup runs the backup job. In AWS Backup, RDS backups aren't allowed within an hour before the RDS maintenance window or the RDS automated backup window. Therefore, be sure that your backup plans for RDS databases are scheduled more than an hour apart from the RDS maintenance window and the RDS automated backup window.