Introduction
Backup of data is essential to protect against data corruption and data loss. Xebia provides this as a strong shared platform capability in their Xebia Cloud Foundation, for all workloads to use.
A similar approach is described in this article, so backup can be provided as a shared capability across the AWS workloads.
AWS Backup is an AWS managed backup service that can help you set up an organization-wide, policy-based service that simplifies data protection at scale. It provides automated backup scheduling, retention management, centralized data protection, cross-account management and more.
AWS Backup can be used in various configurations. The configuration in this article will allow Platform/Backup administrators to provide pre-configured backup plans to all existing and future workloads/application teams. Backed up data will be stored and managed in a centralized manner.
This backup article is provided in a 3-part series:
Part 1 – Enterprise AWS Backup – What you will get
Part 2 – Enterprise AWS Backup – Getting Started
Part 3 – Enterprise AWS Backup – Verifying & Troubleshooting
Getting Started
This solution requires the following:
- AWS Organization with all features enabled.
- A management account and member account(s) present.
- A new or chosen AWS Backup account for the centralized, organization-wide backup vault.
- A chosen region for the centralized, organization-wide backup vault, which is different from the workload regions.
Other services, such as AWS Control Tower, AWS Identity Center (SSO), etc. may be enabled, but are not required for this solution.
To take organization-wide backups, complete the following steps:
1. Turn on cross-account management
2. Turn on service opt-in for Backup
3. Set up encryption
4. Create backup vaults
5. Create a backup role
6. Create a backup policy
Turn on cross-account management
- Log into the management account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of your workloads.
- Click Settings in the left navigation pane and scroll down to the Cross-account management section
- Turn on Backup policies. This will enable you to have an enterprise-wide backup policy configured with pre-defined backup plans, data storage destination vaults and retention lifecycle rules.
- Turn on Cross-account monitoring. This will enable you to monitor backup activities across your accounts in a centralized manner.
- Turn on Cross-account backup. This will enable you to copy backup data from member accounts to the centralized backup account.
This is what it will look like after the changes:
Turn on service opt-in for Backup
- Log into the management account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of your workloads.
- Click Settings in the left navigation pane and scroll down to the Service opt-in section
- Ensure each resource type you want to back up is set to Enabled.
These settings are inherited by the member accounts of the organization.
Resource types that are not enabled are excluded from the backup plans.
Example below on 3 enabled resource types:
Setting up encryption
Data stored in the backup vaults must be encrypted. For the encryption, it is recommended to use a Customer Master Key (shown as a customer managed key in the KMS console), which is owned and managed by the customer and not by AWS.
By default, KMS keys are single-region and single-account, but for this scenario we will use a multi-region key, which has a primary key in one region and replica keys in other regions. The primary key and all replica keys share the same key material.
Both the primary and replica keys are stored in and managed from the backup account. The primary key is stored in the region of the centralized, organization-wide vault, and the replicas are stored in the workload regions and shared with the member accounts. This lets each member account's local backup vault use the region-local key while all key management stays centralized in the backup account.
Create the primary multi-region key:
- Log into the backup account
- Navigate to https://console.aws.amazon.com/kms
- Choose the region of choice for your central organization-wide backup vault. This should differ from your workloads’ region.
- Click Customer managed keys in the left navigation pane and then Create key
- Choose Symmetric as key type, Encrypt and decrypt as key usage, KMS as key material origin and Multi-Region as regionality.
- Name the alias <prefix>/cmk/backup-primary-key
- Choose the key administrators and deselect the option to Allow key administrators to delete this key
- Select AWSServiceRoleForBackup as key user, so this role may use this key in cryptographic operations
If the role is missing, it can be created using CloudShell:
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com
Create a replica of this key in each region your workloads operate in:
- Log into the backup account
- Navigate to https://console.aws.amazon.com/kms
- Choose the region of the primary key, click on the primary key in the list view
- Navigate to Regionality tab and Create new replica keys
- Select all the workload regions
- Name the alias <prefix>/cmk/backup-replica-key
- Select the same key administrators as when you created the primary key
- Select the same key users as when you created the primary key
- Add the workload accounts of the organization that operate in the region you are creating the replica key in as other AWS accounts. This enables those member accounts to use the key for cryptographic operations.
If the backup region is Ireland (eu-west-1) and workload regions Frankfurt (eu-central-1) and Paris (eu-west-3), then the primary key will be stored in region Ireland, a replica key in Frankfurt and another replica key in Paris. The replica key in Frankfurt will be shared with member accounts using Frankfurt as a region. The replica key in Paris will be shared with member accounts using Paris as a region.
Create backup vaults
A central backup vault for the organization must be created, and one backup vault must be created in each member account.
The central backup account should be locked down, so that it is only accessible by a limited set of people (ideally through a Single Sign-On role) and with a limited set of actions (through a Service Control Policy). This protects the critical data in disaster scenarios. It is not described in this article, as it depends on the organizational setup.
The central backup vault creation:
- Log into the dedicated backup account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of the primary key
- Click on Backup vaults in the left navigation pane and Create backup vault
- Name the vault backup-organization-vault and choose the <prefix>/cmk/backup-primary-key
- In the Access policy section of backup-organization-vault, open the Add permissions drop-down, select Allow access to a backup vault from organization and click Save policy. This allows workload accounts to copy backups into the central organization vault.
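A check for the vault access policy saved in the last step, as an added example that is not part of the article or Xebia's tooling: it parses a constructed copy of the article's Backup organization vault policy and flags any Allow statement that opens the vault to a wildcard principal without pinning it to the expected aws:PrincipalOrgID, or that grants more than backup:CopyIntoBackupVault. The organization ID o-XXXXX is the article's placeholder.

```python
# Constructed copy of the "Backup organization vault policy" from the article.
VAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
        "Principal": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-XXXXX"]}},
    }],
}

ALLOWED_ACTIONS = {"backup:CopyIntoBackupVault"}


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: the forms that mean 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def vault_policy_findings(policy, expected_org_id):
    """Return problems found; an empty list means every wildcard grant is org-scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if set(actions) - ALLOWED_ACTIONS:
            findings.append(f"statement {i}: grants more than CopyIntoBackupVault: {sorted(actions)}")
        # The only thing keeping "Principal": "*" from meaning every AWS account
        # is the aws:PrincipalOrgID condition, so it must be present and exact.
        org_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        org_ids = [org_ids] if isinstance(org_ids, str) else list(org_ids or [])
        if org_ids != [expected_org_id]:
            findings.append(f"statement {i}: wildcard principal is not limited to {expected_org_id}")
    return findings
```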
In each member account, in each region of the workload, create the backup vault:
- Log into the member account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of the workload
- Create the backup vault using the replica key from the backup account. This is not possible in the AWS Console, but can be done from CloudShell, using the ARN of the replica key in the current region:
aws backup create-backup-vault --backup-vault-name backup-vault --encryption-key-arn <replica key ARN in the current region>
Create a backup role
AWS Backup assumes a role while conducting the backup. This role must have sufficient permissions to read the data from the source and copy it to the vault, and the reverse for a restore. For this, AWS provides two managed policies: AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores.
In each member account, in each region of the workload, create the role:
- Log into the workload account
- Navigate to https://console.aws.amazon.com/iam
- Select Roles and Create role
- Choose AWS Backup as the service
- Add the AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores permission policies to the role
- Name the role backup-restore-role
Create a backup policy
A backup policy is a JSON document defining all the parameters of backup, such as plans, retention, time window, etc.
Replace the placeholders in the policy as follows:
Placeholder | Replace with | Example
---|---|---
$region | Region code(s) of the workload regions in which this policy is in effect | eu-central-1, eu-west-3
$backup-primary-region | Region code of the backup account's central vault (the region of the primary key) | eu-west-1
$backup-account | Account ID of the backup account | 123456789012
The policy also contains $account; placeholders like this one are resolved by AWS at runtime and must be left as they are.
Create the backup policy:
- Log into the management account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of the backup primary key
- Select Backup Policies and Create backup policy
- Name the policy organization-backup-policy and add a description
- Switch to JSON view and paste the Backup policy JSON found at the end of this article
- Attach the policy to the workload OU/workload accounts/Root
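Rendering the policy template for a given set of workload regions, as an added example rather than the article's own tooling: it substitutes the three administrator placeholders from the table, expands the regions list, leaves $account for AWS to resolve, reports anything still unresolved, and lists where copy actions send data. The template below is a constructed, shortened copy of the article's Critical_Daily_Plan; the regions and account ID used in the comments and test are sample values.

```python
import json
import re

# Placeholder AWS Organizations resolves at runtime; never substitute it.
RUNTIME_PLACEHOLDERS = {"$account"}
CENTRAL_VAULT = ("arn:aws:backup:$backup-primary-region:$backup-account"
                 ":backup-vault:backup-organization-vault")

# Constructed, shortened copy of the article's policy: a single plan with a
# copy action to the central organization vault (the real template has more).
TEMPLATE = {"plans": {"Critical_Daily_Plan": {
    "regions": {"@@append": ["$region", "$region"]},
    "rules": {"Backup_Rule": {
        "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
        "lifecycle": {"delete_after_days": {"@@assign": "30"}},
        "target_backup_vault_name": {"@@assign": "backup-vault"},
        "copy_actions": {CENTRAL_VAULT: {
            "target_backup_vault_arn": {"@@assign": CENTRAL_VAULT},
            "lifecycle": {"delete_after_days": {"@@assign": "30"}}}}}},
    "selections": {"tags": {"Backup_Assignment": {
        "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/backup-restore-role"},
        "tag_key": {"@@assign": "BackupPlanDailyReplicate"},
        "tag_value": {"@@assign": ["True"]}}}}}}}


def render_policy(template, regions, backup_region, backup_account):
    """Substitute the administrator placeholders from the table; keep $account."""
    text = json.dumps(template)
    text = text.replace("$backup-primary-region", backup_region)
    text = text.replace("$backup-account", backup_account)
    policy = json.loads(text)
    for plan in policy["plans"].values():
        # One entry per workload region (deduplicated) replaces the "$region" entries.
        plan["regions"]["@@append"] = list(dict.fromkeys(regions))
    return policy

def unresolved_placeholders(policy):
    """Placeholders still present that the administrator forgot to replace."""
    found = set(re.findall(r"\$[\w-]+", json.dumps(policy)))
    return found - RUNTIME_PLACEHOLDERS

def copy_targets(policy):
    """Destination vault ARNs of every copy action; all should be the central vault."""
    targets = set()
    for plan in policy["plans"].values():
        for rule in plan["rules"].values():
            for action in rule.get("copy_actions", {}).values():
                targets.add(action["target_backup_vault_arn"]["@@assign"])
    return targets
```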
Backup organization vault policy
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "backup:CopyIntoBackupVault",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": [
"o-XXXXX"
]
}
}
}]
}
Backup policy
{
"plans": {
"Hourly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5/1 ? * * *)"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "1"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanHourly"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Daily_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 ? * * *)"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "30"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanDaily"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Weekly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 ? * 1 *)"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "120"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanWeekly"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Monthly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 1 * ? *)"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "365"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanMonthly"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Critical_Hourly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5/1 ? * * *)"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "1"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
},
"copy_actions": {
"arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "1"
}
}
}
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanHourlyReplicate"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Critical_Daily_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 ? * * *)"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "30"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
},
"copy_actions": {
"arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault"
},
"lifecycle": {
"delete_after_days": {
"@@assign": "30"
}
}
}
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanDailyReplicate"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Critical_Weekly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 ? * 1 *)"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "120"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
},
"copy_actions": {
"arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "120"
}
}
}
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanWeeklyReplicate"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
},
"Critical_Monthly_Plan": {
"regions": {
"@@append": [
"$region",
"$region"
]
},
"rules": {
"Backup_Rule": {
"schedule_expression": {
"@@assign": "cron(0 5 1 * ? *)"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "90"
},
"delete_after_days": {
"@@assign": "365"
}
},
"target_backup_vault_name": {
"@@assign": "backup-vault"
},
"copy_actions": {
"arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:$backup-primary-region:$backup-account:backup-vault:backup-organization-vault"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "90"
},
"delete_after_days": {
"@@assign": "365"
}
}
}
}
}
},
"selections": {
"tags": {
"Backup_Assignment": {
"iam_role_arn": {
"@@assign": "arn:aws:iam::$account:role/backup-restore-role"
},
"tag_key": {
"@@assign": "BackupPlanMonthlyReplicate"
},
"tag_value": {
"@@assign": [
"True"
]
}
}
}
}
}
}
}