
Cross account, Cross region backup administration with delegated backup Admin account for…

By Nikhil PawarNov 2, 20235 min read

9. You can confirm successful deployment by checking that the stack instances were deployed.

NOTES :-

AWS Backup does not validate that the role exists in the member account or that it can be assumed; a missing or mis-trusted role only surfaces later as failed backup jobs. Be sure to validate the appropriate IAM role (crossaccountbackuprole in this case) in each account you add to backup policies.

The role StackSet can also be deployed from the delegated backup administrator account, or from any other account that has been registered as a delegated CloudFormation administrator. We are using the organization management account here.

Step 5:- Create backup vaults

For demonstration, we will create a backup vault in both the source and the destination Region of each account that you want protected by AWS Backup.

1. Deploy the AWS CloudFormation StackSet below from the organization management account, or from a delegated CloudFormation administrator account if you have one. We will be using the organization management account here. (template below: BackupVaultStackSet.yaml)
---
AWSTemplateFormatVersion: "2010-09-09"

Description: >
  This template creates the backup vault in each member account.

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: AWS Backup Configuration
        Parameters:
          - crossregionbackupvault
    ParameterLabels:
      crossregionbackupvault:
        default: Backup vault name (case sensitive; 2 to 50 characters from letters, digits, '-' and '_')

Parameters:
  crossregionbackupvault:
    Type: String
    # Same constraint the AWS Backup API enforces on BackupVaultName (2 to 50 characters),
    # so a bad name is rejected at stack creation instead of at vault creation.
    AllowedPattern: '^[a-zA-Z0-9\-\_]{2,50}$'
    ConstraintDescription: Backup vault name is case sensitive. Must contain from 2 to 50 alphanumeric, '-' or '_' characters.

Resources:
  mycrossregionbackupvault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref crossregionbackupvault

Outputs:
  # Ref on an AWS::Backup::BackupVault returns the vault name; the ARN is what
  # copy actions and vault access policies refer to, so export both.
  mycrossregionbackupvault:
    Value: !Ref mycrossregionbackupvault
  mycrossregionbackupvaultarn:
    Value: !GetAtt mycrossregionbackupvault.BackupVaultArn

2. Choose Service-managed permissions so that the backup vault is deployed automatically to any new accounts added to the target OUs in future.

3. Upload the BackupVaultStackSet.yaml file above and choose Next.

4. Provide a StackSet name. Under AWS Backup Configuration, enter custombackupvault (or any other name of your choice) as the backup vault name and choose Next.

5. Optionally add tags and choose Next.

6. Choose to deploy to the whole organization or to specific organizational units (OUs); we deploy to the organization here.

7. Select the deployment Regions for the vault (the source and destination Regions of your backup plan) and the other deployment options, then choose Next.

8. Review and submit.

9. You can confirm successful deployment by checking stack instances — detailed status.

NOTES:

If you want to deploy the vault only to specific OUs (Prod, Non-prod, etc.), repeat the steps above with the appropriate backup vault names and the OU IDs as deployment targets.

The backup vault name is case sensitive, and AWS Backup does not validate that the vault named in a backup policy exists. Be sure to validate that the appropriate backup vault exists in each member account and Region that you want protected; a missing vault only shows up as failed backup or copy jobs.
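The two notes above (AWS Backup checks neither the role nor the vault) are the kind of thing worth scripting once. The following is an added example, not code from the original post: a pre-flight check that, for each member account and Region, assumes a role into the account and confirms that the backup IAM role exists and trusts backup.amazonaws.com, and that the vault exists under exactly the case-sensitive name the policy will use. The account IDs, the OrganizationAccountAccessRole used to hop into member accounts, and the Region list are assumptions; the role and vault names are the ones used in this post. The AWS calls go through an injectable client factory so the check logic can be exercised without credentials; main() wires in boto3.

```python
"""Pre-flight check: backup role and vault present in every member account/Region.

Added example (not from the original post). AWS Backup does not verify that the
IAM role named in a backup policy exists or that the target vault exists in each
Region, so this does it before the policy is attached.

Assumptions (hypothetical, adjust to your org): the caller can assume a role named
OrganizationAccountAccessRole in each member account; the backup role is
crossaccountbackuprole and the vault is custombackupvault, as in the post.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    account: str
    region: str      # "global" for IAM findings, IAM has no Region
    problem: str


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_backup_role(iam_client, role_name: str) -> Optional[str]:
    """None if the role exists and trusts backup.amazonaws.com, else what is wrong."""
    try:
        role = iam_client.get_role(RoleName=role_name)["Role"]
    except Exception as exc:  # boto3 raises iam.exceptions.NoSuchEntityException
        return f"IAM role {role_name} not found ({type(exc).__name__})"
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict.
    trusted = {
        svc
        for st in _as_list(role["AssumeRolePolicyDocument"]["Statement"])
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
        for svc in _as_list(st.get("Principal", {}).get("Service", []))
    }
    if "backup.amazonaws.com" not in trusted:
        return f"IAM role {role_name} exists but does not trust backup.amazonaws.com"
    return None


def check_backup_vault(backup_client, vault_name: str) -> Optional[str]:
    """None if the vault exists in the client's Region (exact, case-sensitive name), else what is wrong."""
    try:
        backup_client.describe_backup_vault(BackupVaultName=vault_name)
    except Exception as exc:  # boto3 raises backup.exceptions.ResourceNotFoundException
        return f"backup vault {vault_name} not found ({type(exc).__name__})"
    return None


# (account_id, service, region) -> client object
ClientFactory = Callable[[str, str, str], object]


def run_preflight(accounts: Iterable[str], regions: Iterable[str], role_name: str,
                  vault_name: str, make_client: ClientFactory) -> List[Finding]:
    """Check the role once per account and the vault once per account/Region pair."""
    findings: List[Finding] = []
    regions = list(regions)
    for account in accounts:
        problem = check_backup_role(make_client(account, "iam", "us-east-1"), role_name)
        if problem:
            findings.append(Finding(account, "global", problem))
        for region in regions:
            problem = check_backup_vault(make_client(account, "backup", region), vault_name)
            if problem:
                findings.append(Finding(account, region, problem))
    return findings


def boto3_client_factory(assume_role_name: str = "OrganizationAccountAccessRole") -> ClientFactory:
    """Real factory: STS AssumeRole into each member account, one credential set per account."""
    import boto3  # imported here so the check logic above has no AWS dependency

    sts = boto3.client("sts")
    creds_by_account = {}

    def make_client(account: str, service: str, region: str):
        if account not in creds_by_account:
            creds_by_account[account] = sts.assume_role(
                RoleArn=f"arn:aws:iam::{account}:role/{assume_role_name}",
                RoleSessionName="backup-preflight",
            )["Credentials"]
        c = creds_by_account[account]
        return boto3.client(service, region_name=region,
                            aws_access_key_id=c["AccessKeyId"],
                            aws_secret_access_key=c["SecretAccessKey"],
                            aws_session_token=c["SessionToken"])

    return make_client


if __name__ == "__main__":
    import sys
    # usage: python preflight.py 111111111111 222222222222 ...
    problems = run_preflight(accounts=sys.argv[1:], regions=["us-east-1", "us-west-2"],
                             role_name="crossaccountbackuprole", vault_name="custombackupvault",
                             make_client=boto3_client_factory())
    for f in problems:
        print(f"{f.account} {f.region}: {f.problem}")
    sys.exit(1 if problems else 0)
```

Run it from the account that can assume into the members (the management account or the delegated administrator with an appropriate cross-account role) before attaching the backup policy; a non-zero exit means at least one account or Region would silently produce failed jobs.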

Step 6:- Create backup policies

1. Log in to the AWS Backup console in the delegated backup administrator account, choose Backup policies, then Create backup policy.

2. Enter a policy name and description.

3. In the Configure backup plan section, under Backup plan details, provide the plan name and the backup plan Regions (the Regions where the plan is to be deployed).

4. Add a backup rule: enter the rule name, the backup vault, and the backup frequency and lifecycle of your choice.

5. For a cross-Region copy, add the Region or Regions where you want a copy and the destination vault name. Expand Advanced settings if you want copies transitioned to cold storage. You can add further copies to other Regions and vaults as needed.

6. In the Assign resources section, provide the following:

a) Enter a descriptive name in Resource assignment name. Enter crossaccountbackuprole as the IAM role.

b) Enter backup as the resource tag value.

c) Choose Create Policy.

7. Attach backup policies to targets — Backup policies can be attached to individual accounts or an OU. Applying a backup policy to an OU protects resources across member accounts under the selected OU.

While still in the AWS Backup console, choose Backup policies and select the policy. In the Targets section, choose Attach, select the account or OU, and confirm.

8. Confirm the backup plan is deployed in the target account or OU.

NOTE: Backup policies cannot be modified or deleted from member accounts. Only the delegated backup administrator account can change them.

9. Within the delegated backup administrator account, you can now monitor backup, copy, and restore jobs across your AWS accounts under Cross-account monitoring in the AWS Backup console.

10. Confirm backup jobs complete successfully.

11. Confirm cross region copies were generated.
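The console steps above produce an AWS Organizations backup policy, which is plain JSON and can equally be built and reviewed in code before it is attached. The following is an added example, not code from the original post: it assembles the policy described in Step 6 (one plan, a daily rule into the vault, copy actions into the same-named vault in other Regions, and a tag-based selection using crossaccountbackuprole) and lints it for the mistakes AWS only reports later. The field names follow the AWS Organizations backup policy syntax (plans, regions, rules, copy_actions, selections, the @@assign operator and the $account variable); check them against the current AWS documentation before use. The tag key "backup" with value "true", the schedule and the retention periods are constructed placeholders.

```python
"""Build and lint an AWS Organizations backup policy (the JSON behind Step 6).

Added example, not from the original post. Field names follow the Organizations
backup policy syntax as documented by AWS; the tag key/value, schedule and
retention values are placeholders.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9\-_]{2,50}$")   # AWS Backup vault-name constraint
COLD_STORAGE_MIN_GAP_DAYS = 90  # deletion must be at least 90 days after the cold-storage transition


def assign(value):
    """Wrap a value in the @@assign inheritance operator used by Organizations policies."""
    return {"@@assign": value}


def lifecycle(delete_after_days: int, cold_after_days: Optional[int] = None) -> Dict:
    lc = {"delete_after_days": assign(str(delete_after_days))}
    if cold_after_days is not None:
        lc["move_to_cold_storage_after_days"] = assign(str(cold_after_days))
    return lc


def build_backup_policy(plan_name: str, plan_regions: Iterable[str], vault_name: str,
                        schedule: str, retention_days: int, copy_regions: Iterable[str],
                        copy_retention_days: int, iam_role_name: str, tag_key: str,
                        tag_values: Iterable[str], cold_after_days: Optional[int] = None) -> Dict:
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"invalid backup vault name: {vault_name!r}")
    rule = {
        "schedule_expression": assign(schedule),
        "start_backup_window_minutes": assign("60"),
        "complete_backup_window_minutes": assign("720"),
        "target_backup_vault_name": assign(vault_name),
        "lifecycle": lifecycle(retention_days, cold_after_days),
        "copy_actions": {},
    }
    for region in copy_regions:
        # $account is substituted per member account, so one policy serves a whole OU.
        arn = f"arn:aws:backup:{region}:$account:backup-vault:{vault_name}"
        rule["copy_actions"][arn] = {
            "target_backup_vault_arn": assign(arn),
            "lifecycle": lifecycle(copy_retention_days, cold_after_days),
        }
    return {"plans": {plan_name: {
        "regions": assign(list(plan_regions)),
        "rules": {"Daily": rule},
        "selections": {"tags": {"TaggedResources": {
            "iam_role_arn": assign(f"arn:aws:iam::$account:role/{iam_role_name}"),
            "tag_key": assign(tag_key),
            "tag_value": assign(list(tag_values)),
        }}},
    }}}


def lint_backup_policy(policy: Dict) -> List[str]:
    """Return mistakes that AWS would only surface as a rejected policy or failed jobs."""
    problems = []
    for plan_name, plan in policy.get("plans", {}).items():
        if not plan.get("regions", {}).get("@@assign"):
            problems.append(f"{plan_name}: no Regions assigned")
        if not plan.get("selections"):
            problems.append(f"{plan_name}: no resource selection, the plan backs up nothing")
        for rule_name, rule in plan.get("rules", {}).items():
            vault = rule.get("target_backup_vault_name", {}).get("@@assign", "")
            if not VAULT_NAME_RE.match(vault):
                problems.append(f"{plan_name}/{rule_name}: bad vault name {vault!r}")
            copies = rule.get("copy_actions", {})
            lifecycles = [(rule_name, rule.get("lifecycle", {}))]
            lifecycles += [(arn, ca.get("lifecycle", {})) for arn, ca in copies.items()]
            for where, lc in lifecycles:
                cold = lc.get("move_to_cold_storage_after_days", {}).get("@@assign")
                delete = lc.get("delete_after_days", {}).get("@@assign")
                if cold and delete and int(delete) < int(cold) + COLD_STORAGE_MIN_GAP_DAYS:
                    problems.append(f"{plan_name}/{where}: retention must be at least "
                                    f"{COLD_STORAGE_MIN_GAP_DAYS} days after cold-storage transition")
            for arn, ca in copies.items():
                if ca.get("target_backup_vault_arn", {}).get("@@assign") != arn:
                    problems.append(f"{plan_name}/{rule_name}: copy action key and target ARN differ")
    return problems


def policy_json(policy: Dict) -> str:
    """Serialized form for the Content of organizations:CreatePolicy with Type BACKUP_POLICY."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    p = build_backup_policy("CrossRegionDaily", ["us-east-1"], "custombackupvault",
                            "cron(0 5 ? * * *)", 35, ["us-west-2"], 35,
                            "crossaccountbackuprole", "backup", ["true"])
    print(policy_json(p))
    print(lint_backup_policy(p))
```

From the delegated administrator, the output of policy_json is what you pass as Content to organizations:CreatePolicy (Type BACKUP_POLICY), followed by organizations:AttachPolicy against the OU or account; the lint is worth running on policies exported with organizations:DescribePolicy too, since the console does not check the cold-storage gap until the policy is saved.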

NOTE-

If you are copying backups into a vault that resides in a different account, remember to update the destination vault's access policy to grant the source account permission to copy into it. It is also recommended to encrypt the destination vault with a customer managed KMS key and to grant the source accounts access to that key in the key policy; AWS managed keys cannot be shared across accounts, so backups encrypted with them cannot be copied to another account.

When you copy a backup to a new AWS Region for the first time, AWS Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup in the same AWS Region will be incremental. AWS Backup will re-encrypt your copy using the customer managed key of your destination vault.

An exception is Amazon EBS, which states, “changing the encryption status of a snapshot during a copy operation results in a full (not incremental) copy.”
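The two destination-side policies the note above calls for are easy to get subtly wrong, and the console only tells you when the copy job fails. The following is an added example, not code from the original post: it generates the destination vault access policy (per source account, or for the whole organization via the aws:PrincipalOrgID condition), the key-policy statements that let the source accounts use the destination vault's customer managed key, and a conservative check of an existing vault policy that answers "can this source account copy into this vault?". The account IDs and the organization ID are constructed placeholders, and the checker only understands the principal and condition forms this script itself emits.

```python
"""Destination-side policies for cross-account backup copies, plus a check that an
existing vault policy actually grants the copy.

Added example, not from the original post. Account and organization IDs used in
tests are constructed placeholders.
"""
from typing import Dict, Iterable, List, Optional

COPY_ACTION = "backup:CopyIntoBackupVault"


def vault_access_policy(source_accounts: Iterable[str] = (), org_id: Optional[str] = None) -> Dict:
    """Policy for the destination vault; apply it with backup:PutBackupVaultAccessPolicy."""
    statements = []
    accounts = [f"arn:aws:iam::{a}:root" for a in source_accounts]
    if accounts:
        statements.append({"Sid": "AllowCopyFromSourceAccounts", "Effect": "Allow",
                           "Principal": {"AWS": accounts}, "Action": COPY_ACTION, "Resource": "*"})
    if org_id:
        # Any principal, but only if it belongs to our organization.
        statements.append({"Sid": "AllowCopyFromOrganization", "Effect": "Allow",
                           "Principal": "*", "Action": COPY_ACTION, "Resource": "*",
                           "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}})
    if not statements:
        raise ValueError("no source accounts or organization given")
    return {"Version": "2012-10-17", "Statement": statements}


def kms_key_policy_statements(source_accounts: Iterable[str]) -> List[Dict]:
    """Statements to add to the destination vault's customer managed key policy
    (the standard "key users" pair: use the key, and create grants for AWS resources)."""
    principals = [f"arn:aws:iam::{a}:root" for a in source_accounts]
    return [
        {"Sid": "AllowSourceAccountsToUseTheKey", "Effect": "Allow",
         "Principal": {"AWS": principals},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "AllowSourceAccountsGrantsForAwsResources", "Effect": "Allow",
         "Principal": {"AWS": principals},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_copy_into(policy: Dict, source_account: str, source_org_id: Optional[str] = None) -> bool:
    """Conservative check of a vault policy (as returned by backup:GetBackupVaultAccessPolicy):
    True only if an Allow statement covers backup:CopyIntoBackupVault for this account and no
    Deny statement does. Only account-root principals, "*" principals and the
    aws:PrincipalOrgID condition are modelled; any other condition counts as not matching."""
    account_arn = f"arn:aws:iam::{source_account}:root"

    def principal_matches(st: Dict) -> bool:
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            cond = st.get("Condition", {})
            if not cond:
                return True
            if set(cond) != {"StringEquals"} or set(cond["StringEquals"]) != {"aws:PrincipalOrgID"}:
                return False
            org_ids = _as_list(cond["StringEquals"]["aws:PrincipalOrgID"])
            return source_org_id is not None and source_org_id in org_ids
        if isinstance(principal, dict):
            aws = _as_list(principal.get("AWS", []))
            return account_arn in aws or source_account in aws
        return False

    def action_matches(st: Dict) -> bool:
        return any(a in ("*", "backup:*", COPY_ACTION) for a in _as_list(st.get("Action", [])))

    allowed = denied = False
    for st in _as_list(policy.get("Statement", [])):
        if not (action_matches(st) and principal_matches(st)):
            continue
        if st.get("Effect") == "Allow":
            allowed = True
        elif st.get("Effect") == "Deny":
            denied = True
    return allowed and not denied
```

The organization-wide form is the one to prefer for a delegated-administrator setup: it does not need editing every time an account is added, and the condition still keeps accounts outside your organization out even though the principal is "*".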

References :-

1. Creating backup copies across AWS Regions

2. Creating backup copies across AWS accounts

Conclusion

Hopefully this detailed write-up helps others implement a delegated backup administrator setup, control centralized backups with the recommended security practices, and clears up some of the open questions around the delegated backup administrator setup for AWS Organizations. Good luck!