Reliable and consistent backup of cloud data is essential for keeping a secure data archive and for restoring data in the event of data loss. Traditionally, backup administrators relied on manual backup procedures that were difficult to scale and lowered productivity, especially with data distributed across many cloud resources. Cloud backup, together with the automation of infrastructure provisioning, is prompting organizations to improve their data protection and backup strategy.
Customers are implementing infrastructure as code (IaC) as an essential part of their digital transformation to improve productivity and govern infrastructure operations across multi-account environments. Implementing backup policies as code can help you scale your enterprise data protection strategy, reduce overhead, and easily manage organization-wide policies at scale across your cloud environment. AWS Backup offers a cost-effective, fully managed, policy-based managed service that simplifies data protection at scale. AWS Backup leverages AWS Organizations to centrally automate backup policies to implement, configure, manage, and govern backup activity across supported AWS resources.
In previous blog posts, our colleague Cher covered how AWS Backup can simplify centralized backup management with Cross-Region copy and secure data recovery with cross-account, cross-Region backup by implementing backup policies using the AWS Backup console. In this blog post, we demonstrate how you can save time using AWS CloudFormation automation to centrally automate and scale the process of implementing AWS Backup policies, backup vaults, and cross-Region, cross-account replication across your multi-account AWS environment. Using this solution, you can easily manage AWS Backup with automation and implement a data protection strategy that mitigates the risk of data loss.
The architecture uses AWS Control Tower and consists of four AWS Organizations accounts: a management account, two member accounts, and a centralized backup account that belong to their respective organizational units. AWS Organizations helps to centrally manage, govern, automate, and scale AWS resources across accounts in an organization. The solution uses AWS CloudFormation stacks and StackSets to deploy resources such as backup vaults, vault access policies, AWS Key Management Service (AWS KMS) customer managed keys (CMK), and IAM roles.
AWS Backup policies define how you back up your resources using backup plans. Backup policies are plaintext files structured as JSON. You can attach a backup policy to any element of your organization's hierarchy, such as an AWS account or an organizational unit (OU). The effective backup policy, the result of inheritance along that hierarchy, specifies the final backup plan settings that apply to an AWS account within the organization. To take advantage of this inheritance in our solution, we attach the backup policies to the root of the organization using an AWS Lambda function. We also use tags to add AWS resources in each member account to the backup policies' resource selections.
A successful deployment of this solution lets you perform automated backups using centralized backup policies across your organization. You can also run on-demand restore operations in your member accounts.
The following diagram illustrates the AWS Backup automation solution discussed in this blog:
The workflow and architecture of the solution work as follows:
In the management account (the environment hosting your AWS Organizations):
The source code for this blog can be downloaded from this GitHub repository.
The following prerequisites are required to deploy the solution.
Complete the following steps to implement this solution:
If this is your first time using AWS Backup, you must opt in to AWS Backup and to its cross-account management features from the management account, using the AWS Management Console or the AWS CLI.
You can refer to the existing AWS Backup blog on cross-account, cross-Region backup for additional help with using the AWS Management Console for service opt-in. With the CLI, run the following from the management account:
aws organizations enable-policy-type --root-id r-<examplerootid> --policy-type BACKUP_POLICY
aws organizations enable-aws-service-access --service-principal backup.amazonaws.com
aws backup update-global-settings --global-settings isCrossAccountBackupEnabled=true
In this step, you deploy cross-account IAM roles, backup vaults, a KMS key to encrypt backup vaults, and a vault access policy to all member accounts using AWS CloudFormation StackSets. Complete the following steps to create the backup resources, and implement secure vault access policy in each of your member accounts. If you want to read more about CloudFormation StackSets, see the blog post on using AWS CloudFormation StackSets for multiple accounts in an AWS Organization.
Use the aws-backup-member-account.yaml template and name the StackSet Backup-Member-Accounts. Under the Parameters section, enter values for the template's parameters. For the StackSet permissions in an AWS Control Tower environment, use AWSControlTowerStackSetRole as the IAM admin role and AWSControlTowerExecution as the IAM execution role. For more information, see the documentation on creating a stack set.
This step is the same as step 2 in the preceding section, but here you deploy resources to the centralized backup account, using the aws-backup-central-backup-account.yaml template, and include additional parameter values in the StackSet. Complete the following steps to create the backup resources that you will use for cross-account and cross-Region data replication.
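The vault access policy is what makes the central vault safe to share with every member account: it must let the organization copy recovery points in, and nothing more. The following is an added example, not the policy from the blog's CloudFormation template; the organization ID, account ID and vault ARN are placeholders. It builds such a policy scoped with aws:PrincipalOrgID, adds a Deny on deleting recovery points, and includes a small check that flags any Allow statement granting a wildcard principal access without an organization or account condition.

```python
"""Vault access policy for the central backup vault, plus a check that no
Allow statement is open to arbitrary principals.

Added example; it is not the template from the blog's repository. The
organization ID and vault ARN used below are placeholders.
"""


def build_vault_access_policy(vault_arn, org_id):
    """Return a resource policy for the central vault.

    Any principal in the organization may copy recovery points in, but the
    Deny blocks deletion and lifecycle changes for everyone, so a compromised
    member account cannot destroy the copies it has already sent here. A
    Deny in a vault policy also binds the account that owns the vault.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCopyFromOrganization",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "backup:CopyIntoBackupVault",
                "Resource": vault_arn,
                # Scoped by organization ID rather than a list of account IDs,
                # so new member accounts are covered without editing the policy.
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {
                "Sid": "DenyDeleteRecoveryPoints",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["backup:DeleteRecoveryPoint",
                           "backup:UpdateRecoveryPointLifecycle"],
                "Resource": vault_arn,
            },
        ],
    }


def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_open_statements(policy):
    """Return the Sids of Allow statements that grant a wildcard principal
    access without an aws:PrincipalOrgID or aws:PrincipalAccount condition."""
    open_sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        # Collect every condition key regardless of operator (StringEquals, ...).
        keys = {k for ops in stmt.get("Condition", {}).values() for k in ops}
        if not keys & {"aws:PrincipalOrgID", "aws:PrincipalAccount"}:
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids


if __name__ == "__main__":
    import json
    policy = build_vault_access_policy(
        "arn:aws:backup:us-west-2:111122223333:backup-vault:central-vault",
        "o-exampleorgid")
    print(json.dumps(policy, indent=2))
    print("open statements:", find_open_statements(policy))
```

Run find_open_statements against the vault policy that your template actually renders before deploying it; a policy that grants backup:CopyIntoBackupVault to "*" without the organization condition lets any AWS account push recovery points into your vault. The Deny statement also means the cleanup step at the end of this post will fail to delete recovery points until you update the vault access policy to remove it.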
In the previous steps, you implemented automation to set up backup vaults, KMS keys, IAM roles, and vault access policies. Now, you create custom backup policies applicable to your organization and set up the management account to automate the deployment of the policies. The management account attaches the backup policies to the specified AWS accounts or organizational units using an AWS Lambda function whose deployment package is hosted in Amazon S3.
Important Note: When you upload a Lambda function's deployment package from an Amazon S3 bucket, the bucket must be in the same Region as the function. If the OrgPolicyCustomResourceManager.zip file is stored in an S3 bucket in a different Region from the Lambda function, you may get the following error:
Error occurred while GetObject. S3 Error Code: PermanentRedirect. S3 Error Message: The bucket is in this region: <aws-region>. Please use this region to retry the request.
To prevent this error, ensure you create a deployment artifact bucket for each Region where you deploy the Lambda code. If you want to read more about this note, see the documentation on Troubleshooting AWS Lambda deployments.
The following code snippet shows the selections section of a tag-based backup policy, with TAG_KEY_2 and TAG_VALUE_2 as the tag key and value that automatically assign matching resources to the backup plan. The selection uses BACKUP_ROLE, resolved in each account through the $account variable, as the IAM role that AWS Backup assumes to run the backup. For the full syntax, see the documentation on AWS Backup policy syntax and examples.
"selections": {
  "tags": {
    "OrgDailyBackupSelection": {
      "iam_role_arn": {
        "@@assign": "arn:aws:iam::$account:role/BACKUP_ROLE"
      },
      "tag_key": {
        "@@assign": "TAG_KEY_2"
      },
      "tag_value": {
        "@@assign": [
          "TAG_VALUE_2"
        ]
      }
    }
  }
}
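To show what the Lambda-driven policy attachment described above amounts to end to end, here is an added example (not the blog's Lambda function or template; plan, vault, role, tag and root ID names are placeholders). It builds a complete backup policy document in the documented syntax, including a cross-Region copy action into the central vault, checks that every setting is wrapped in an @@ operator, and then creates and attaches the policy through the Organizations API. The Organizations client is passed in, so the logic can be exercised without AWS credentials.

```python
"""Backup policy as code: build the policy document, check it, attach it.

Added example; it is not the Lambda function or the CloudFormation template
from the blog's repository. Plan, vault, role and tag names are placeholders.
"""
import json


def build_backup_policy(plan_name, regions, vault_name, tag_key, tag_values,
                        role_name="BACKUP_ROLE", copy_vault_arn=None,
                        delete_after_days=35, copy_delete_after_days=365):
    """Return an organization backup policy in the documented syntax.

    Every setting is wrapped in an "@@assign" operator; that is what lets the
    value be inherited down the OU tree and overridden by a child policy.
    "$account" is replaced by AWS Backup with each member account's ID, so one
    policy selects the BACKUP_ROLE deployed in every account.
    """
    rule = {
        "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},  # daily, 05:00 UTC
        "start_backup_window_minutes": {"@@assign": "60"},
        "complete_backup_window_minutes": {"@@assign": "720"},
        "target_backup_vault_name": {"@@assign": vault_name},
        "lifecycle": {"delete_after_days": {"@@assign": str(delete_after_days)}},
        "recovery_point_tags": {
            "policy": {"tag_key": {"@@assign": "backup_policy"},
                       "tag_value": {"@@assign": plan_name}},
        },
    }
    if copy_vault_arn:
        # Cross-account, cross-Region copy into the central backup vault; the
        # copy keeps its own lifecycle so it can outlive the source account.
        rule["copy_actions"] = {
            copy_vault_arn: {
                "target_backup_vault_arn": {"@@assign": copy_vault_arn},
                "lifecycle": {"delete_after_days": {"@@assign": str(copy_delete_after_days)}},
            }
        }
    return {
        "plans": {
            plan_name: {
                "regions": {"@@assign": list(regions)},
                "rules": {"daily": rule},
                "selections": {
                    "tags": {
                        "OrgDailyBackupSelection": {
                            "iam_role_arn": {"@@assign": f"arn:aws:iam::$account:role/{role_name}"},
                            "tag_key": {"@@assign": tag_key},
                            "tag_value": {"@@assign": list(tag_values)},
                        }
                    }
                },
            }
        }
    }


def missing_operators(node, path=""):
    """Return paths of leaf values that are not wrapped in an @@ operator.

    A bare value (the most common hand-editing mistake) is rejected by
    Organizations at create time; catching it here gives a usable error.
    """
    if isinstance(node, dict):
        bad = []
        for key, value in node.items():
            if key.startswith("@@"):
                continue  # value under an operator is a proper leaf
            bad.extend(missing_operators(value, f"{path}/{key}"))
        return bad
    return [path]


def attach_backup_policy(org, name, policy, target_id,
                         description="Organization backup policy"):
    """Create the BACKUP_POLICY and attach it to a root, OU or account.

    `org` is a boto3 Organizations client, or any object with the same
    create_policy/attach_policy methods, so this can be exercised offline.
    Returns the new policy ID.
    """
    problems = missing_operators(policy)
    if problems:
        raise ValueError(f"values without an @@ operator: {problems}")
    created = org.create_policy(Content=json.dumps(policy), Description=description,
                                Name=name, Type="BACKUP_POLICY")
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


if __name__ == "__main__":
    doc = build_backup_policy(
        "OrgDailyBackup", ["us-east-1"], "member-vault", "backup", ["daily"],
        copy_vault_arn="arn:aws:backup:us-west-2:111122223333:backup-vault:central-vault")
    print(json.dumps(doc, indent=2))
    # Real run, from the management account (placeholder root ID):
    # import boto3
    # attach_backup_policy(boto3.client("organizations"), "OrgDailyBackup", doc, "r-examplerootid")
```

Attaching to the root makes the policy the baseline for every account; a policy attached to a child OU can then use @@assign to override a value (for example a longer retention for a production OU) while inheriting the rest. Member-account resources only join the plan when they carry the tag key and one of the tag values named in the selection, so tagging discipline in each account is part of the control.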
To deploy the backup policy automation, update the aws-backup-org-policy.yaml template to include your custom backup windows, copy actions, central account backup vault ARN, backup plan tag value (backup_plan_tags), recovery point tag value (recovery_point_tags), lifecycle policies, and so on. For more information, see the sample backup policies in the official documentation.
You have successfully implemented AWS Backup with automated backup policies and cross-account, cross-Region copy.
All the AWS Backup policies and the jobs associated with those policies can be monitored using the cross-account monitoring capabilities in the management account. For detailed instructions on how to view and manage AWS Backup jobs, see the documentation on monitoring activities in multiple AWS accounts.
To avoid incurring future charges, delete the resources: first delete the stack instances, then delete the StackSets from the AWS CloudFormation console.
In this blog post, we showed you how to implement backup policies as code to help you scale your data protection strategy, reduce overhead, and manage organization-wide backup policies. We demonstrated how to apply your backup policies from a central management account to effectively back up and manage resources across your member accounts.
Backing up data is an essential part of most data management strategies, and backup requirements are often driven by organizational or regulatory requirements. With secure and reliable backups, you are ready to restore your data in the event of unexpected data loss. The solution covered in this post allows you to automate and easily manage your backup plans at scale, across your cloud workloads. Through automation, you can avoid manual and time-consuming backup procedures that lower organizational efficiency and make managing backups more difficult.
To get started on AWS or to learn more about building a well-architected AWS environment, visit the getting started with AWS Backup page for guidance.
Thank you for reading this blog. If you have any feedback or questions, please leave them in the comments section.