Introduction
Backup of data is essential to protect against data corruption and data loss. Xebia provides this as a strong shared platform capability in their Xebia Cloud Foundation, for all workloads to use.
A similar approach is described in this article, so backup can be provided as a shared capability across the AWS workloads.
AWS Backup is an AWS managed backup service that can help you set up an organization-wide, policy-based service that simplifies data protection at scale. It provides automated backup scheduling, retention management, centralized data protection, cross-account management and more.
AWS Backup can be used in various configurations. The configuration in this article will allow Platform/Backup administrators to provide pre-configured backup plans to all existing and future workloads/application teams. Backed up data will be stored and managed in a centralized manner.
This backup article is provided in a 3-part series:
Part 1 – Enterprise AWS Backup – What you will get
Part 2 – Enterprise AWS Backup – Getting Started
Part 3 – Enterprise AWS Backup – Verifying & Troubleshooting
Verifying Backup
To verify the backup:
- Log into the workload account
- Add a backup tag to a data source which has been enabled as a resource type
- Wait for the next scheduled run of the backup plan that matches the tag (and allow up to 12 hours after deployment for the backup policy to take effect in the workload account)
- Verify the local vault contains a copy of the backup data
- Log into the backup account
- Choose the region of the primary key (the region that holds the central vault)
- Verify the central vault contains a copy of the backup data (if replicate backup is chosen)
- Log into the management account
- Choose the region of the workload
- Navigate to https://console.aws.amazon.com/backup
- Verify cross-account monitoring is reporting correctly. Backup Jobs will list local and replicated backups. Copy jobs will list only replicated backups being copied from workload region local vault to backup region central vault.
Restoring Backup
AWS Backup cannot restore a backup across accounts: a restore job runs in the account that owns the vault holding the recovery point. If you need to restore from the organizational vault in the backup account to a data store in the workload account, first copy the recovery point from the organizational vault to the workload account's vault (a copy job started in the backup account), then start the restore job in the workload account from that vault.
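The two-step restore described above, as an added example that is not the article's own code. It uses the boto3 `backup` client calls `start_copy_job`, `describe_copy_job`, `get_recovery_point_restore_metadata` and `start_restore_job`; all account IDs, vault names, role ARNs and recovery point ARNs are made up, and `FakeBackupClient` is a constructed offline stand-in for the real client so the flow can be run without AWS credentials. For real use, pass `boto3.Session(profile_name=...).client("backup", region_name=...)` for the backup account and for the workload account instead.

```python
"""Cross-account restore with AWS Backup: copy the recovery point from the
organizational vault (backup account) into the workload account's vault, then
restore inside the workload account. FakeBackupClient is a constructed stand-in
for boto3's backup client so this runs offline; swap in real clients for use."""
import re
import time
from typing import Dict, Optional

# arn:aws:backup:<region>:<account>:backup-vault:<name>
VAULT_ARN = re.compile(r"^arn:aws:backup:[a-z0-9-]+:(\d{12}):backup-vault:[A-Za-z0-9_.-]+$")


def vault_account(vault_arn: str) -> Optional[str]:
    """Account ID embedded in a backup vault ARN, or None if it is not a vault ARN."""
    m = VAULT_ARN.match(vault_arn)
    return m.group(1) if m else None


def build_copy_request(recovery_point_arn: str, source_vault_name: str, dest_vault_arn: str,
                       role_arn: str, workload_account: str) -> Dict[str, str]:
    """Parameters for start_copy_job, which must run in the account owning the source vault.
    Refuse a destination vault outside the expected workload account, so a mistyped ARN
    cannot ship a recovery point to some other account."""
    if vault_account(dest_vault_arn) != workload_account:
        raise ValueError(f"{dest_vault_arn} is not a backup vault in account {workload_account}")
    return {
        "RecoveryPointArn": recovery_point_arn,
        "SourceBackupVaultName": source_vault_name,
        "DestinationBackupVaultArn": dest_vault_arn,
        "IamRoleArn": role_arn,
    }


def copy_to_workload_vault(backup_client, request: Dict[str, str],
                           poll_seconds: int = 30, sleep=time.sleep) -> str:
    """Start the copy job in the backup account and wait for it; returns the copied recovery point ARN."""
    job_id = backup_client.start_copy_job(**request)["CopyJobId"]
    while True:
        job = backup_client.describe_copy_job(CopyJobId=job_id)["CopyJob"]
        if job["State"] == "COMPLETED":
            return job["DestinationRecoveryPointArn"]
        if job["State"] in ("FAILED", "PARTIAL"):
            raise RuntimeError(f"copy job {job_id} ended {job['State']}: {job.get('StatusMessage', '')}")
        sleep(poll_seconds)


def restore_in_workload_account(workload_client, vault_name: str, recovery_point_arn: str,
                                role_arn: str, overrides: Optional[Dict[str, str]] = None) -> str:
    """Restore from the workload vault. Restore metadata is resource-type specific, so read it
    back from the copied recovery point and override only the keys that must change."""
    meta = workload_client.get_recovery_point_restore_metadata(
        BackupVaultName=vault_name, RecoveryPointArn=recovery_point_arn)["RestoreMetadata"]
    meta.update(overrides or {})
    return workload_client.start_restore_job(
        RecoveryPointArn=recovery_point_arn, Metadata=meta, IamRoleArn=role_arn)["RestoreJobId"]


class FakeBackupClient:
    """Constructed stand-in for the boto3 backup client: the copy completes on the second poll."""

    def __init__(self, dest_rp_arn: str):
        self.dest_rp_arn, self.polls, self.calls = dest_rp_arn, 0, []

    def start_copy_job(self, **kw):
        self.calls.append(("start_copy_job", kw))
        return {"CopyJobId": "copy-0001"}

    def describe_copy_job(self, CopyJobId):
        self.polls += 1
        state = "COMPLETED" if self.polls >= 2 else "RUNNING"
        return {"CopyJob": {"CopyJobId": CopyJobId, "State": state,
                            "DestinationRecoveryPointArn": self.dest_rp_arn}}

    def get_recovery_point_restore_metadata(self, BackupVaultName, RecoveryPointArn):
        return {"RestoreMetadata": {"availabilityZone": "eu-west-1a", "volumeType": "gp3"}}

    def start_restore_job(self, **kw):
        self.calls.append(("start_restore_job", kw))
        return {"RestoreJobId": "restore-0001"}


def demo() -> str:
    """Offline walk-through of both steps; every ARN, account and name here is made up."""
    workload_account, backup_account = "111111111111", "222222222222"
    dest_vault = f"arn:aws:backup:eu-west-1:{workload_account}:backup-vault:workload-vault"
    copied_rp = "arn:aws:ec2:eu-west-1::snapshot/snap-0copied0000000001"
    backup_acct, workload_acct = FakeBackupClient(copied_rp), FakeBackupClient(copied_rp)
    request = build_copy_request("arn:aws:ec2:eu-west-1::snapshot/snap-0org000000000001", "org-vault",
                                 dest_vault, f"arn:aws:iam::{backup_account}:role/AWSBackupDefaultServiceRole",
                                 workload_account)
    rp_in_workload_vault = copy_to_workload_vault(backup_acct, request, sleep=lambda _s: None)
    return restore_in_workload_account(workload_acct, "workload-vault", rp_in_workload_vault,
                                       f"arn:aws:iam::{workload_account}:role/AWSBackupDefaultServiceRole")


if __name__ == "__main__":
    print("restore job:", demo())
```

The IAM role passed to the copy job belongs to the backup account and must be allowed to write into the workload vault; the restore role belongs to the workload account. The account check in `build_copy_request` is the one guard worth keeping even when the rest is scripted differently.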
Troubleshooting Backup
To troubleshoot the backup:
- Log into the workload account
- Choose the region of the workload
- Navigate to https://console.aws.amazon.com/cloudtrail
- Check Event history. Filter on Event Source = backup.amazonaws.com
- Look for Event names in this order:
BackupJobStarted -> BackupJobCompleted (for the local backup vault)
CopyJobStarted -> CopyJobCompleted (for the replicated backup vault)
RecoveryPointCreated (for the backup added to the local vault)
- Log into the backup account
- Choose the region of the primary key (the region that holds the central vault)
- Navigate to https://console.aws.amazon.com/cloudtrail
- Check Event history. Filter on Event Source = backup.amazonaws.com
- Look for this Event name:
RecoveryPointCreated (for the copied backup added to the organizational vault)
A job that has a Started event but no matching Completed event is either still running or has failed; check its status and status message in the AWS Backup console before looking further.
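The same checks done over CloudTrail output instead of the console, as an added example that is not part of the article. It covers both the verification steps (a recovery point must exist in the local vault, and in the central vault when replication is chosen) and the troubleshooting sequence above: feed it the JSON printed by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=backup.amazonaws.com` from the workload account and from the backup account, and it reports, per backup or copy job, whether the Started, Completed and RecoveryPointCreated events line up. The field names it reads from `serviceEventDetails` (`backupJobId`, `copyJobId`, `recoveryPointArn`) are assumptions; check them against one of your own events and adjust. `sample_trails()` is constructed input, not captured data.

```python
"""Check AWS Backup's CloudTrail events for the Started -> Completed -> RecoveryPointCreated
sequence, merging the workload account's and the backup account's trails.

Input: the JSON from
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=backup.amazonaws.com
run once per account and region. sample_trails() below is constructed input.
Assumed serviceEventDetails field names: backupJobId, copyJobId, recoveryPointArn."""
import json
import sys
from typing import Dict, List, Tuple

BACKUP_SEQUENCE = ("BackupJobStarted", "BackupJobCompleted")
COPY_SEQUENCE = ("CopyJobStarted", "CopyJobCompleted")
RECOVERY_POINT_EVENT = "RecoveryPointCreated"


def _details(event: dict) -> dict:
    """serviceEventDetails of one lookup-events record (CloudTrailEvent is a JSON string)."""
    try:
        return json.loads(event.get("CloudTrailEvent", "{}")).get("serviceEventDetails") or {}
    except json.JSONDecodeError:
        return {}


def assess_backup_events(*trails: dict) -> Dict[str, str]:
    """Merge one or more lookup-events outputs and return a verdict per backup/copy job id."""
    events: List[dict] = [e for t in trails for e in t.get("Events", [])]
    events.sort(key=lambda e: e.get("EventTime", ""))  # lookup-events returns newest first
    jobs: Dict[str, dict] = {}
    created = set()  # recovery point ARNs that got a RecoveryPointCreated event in any trail
    for ev in events:
        name, det = ev.get("EventName"), _details(ev)
        if name == RECOVERY_POINT_EVENT:
            if det.get("recoveryPointArn"):
                created.add(det["recoveryPointArn"])
            continue
        if name in BACKUP_SEQUENCE:
            job_id, kind = det.get("backupJobId"), "backup"
        elif name in COPY_SEQUENCE:
            job_id, kind = det.get("copyJobId"), "copy"
        else:
            continue  # other AWS Backup API calls (CreateBackupPlan, TagResource, ...)
        if job_id:
            job = jobs.setdefault(job_id, {"kind": kind, "seen": [], "rp": None})
            job["seen"].append(name)
            job["rp"] = det.get("recoveryPointArn") or job["rp"]
    verdicts: Dict[str, str] = {}
    for job_id, job in jobs.items():
        completed = (BACKUP_SEQUENCE if job["kind"] == "backup" else COPY_SEQUENCE)[1]
        if completed not in job["seen"]:
            verdicts[job_id] = f"{job['kind']} job started but not completed: still running or failed, check job status"
        elif job["rp"] in created:
            verdicts[job_id] = f"ok: {job['kind']} job completed and recovery point created"
        else:
            verdicts[job_id] = (f"{job['kind']} job completed but no RecoveryPointCreated seen: "
                                "include the destination account's trail, or check vault and KMS key access")
    return verdicts


def _ev(name: str, when: str, **details) -> dict:
    """One lookup-events record in the shape the CLI prints (constructed)."""
    return {"EventName": name, "EventTime": when, "EventSource": "backup.amazonaws.com",
            "CloudTrailEvent": json.dumps({"eventName": name, "serviceEventDetails": details})}


def sample_trails() -> Tuple[dict, dict]:
    """Constructed trails: b-1 backed up and copied (c-1) successfully, b-2 never completed."""
    local_rp = "arn:aws:ec2:eu-west-1::snapshot/snap-0local00000000001"
    central_rp = "arn:aws:ec2:eu-west-1::snapshot/snap-0central000000001"
    workload = {"Events": [  # newest first, as the CLI returns them
        _ev("CopyJobCompleted", "2024-05-01T02:20:00+00:00", copyJobId="c-1", recoveryPointArn=central_rp),
        _ev("CopyJobStarted", "2024-05-01T02:10:00+00:00", copyJobId="c-1"),
        _ev("RecoveryPointCreated", "2024-05-01T02:05:00+00:00", recoveryPointArn=local_rp),
        _ev("BackupJobCompleted", "2024-05-01T02:04:00+00:00", backupJobId="b-1", recoveryPointArn=local_rp),
        _ev("BackupJobStarted", "2024-05-01T02:00:00+00:00", backupJobId="b-1"),
        _ev("BackupJobStarted", "2024-05-01T02:00:00+00:00", backupJobId="b-2"),
    ]}
    backup = {"Events": [
        _ev("RecoveryPointCreated", "2024-05-01T02:21:00+00:00", recoveryPointArn=central_rp),
    ]}
    return workload, backup


if __name__ == "__main__":
    # Usage: python check_backup_trail.py workload.json backup.json  (no files: runs the sample)
    trails = [json.load(open(p)) for p in sys.argv[1:]] or list(sample_trails())
    for job_id, verdict in assess_backup_events(*trails).items():
        print(f"{job_id}: {verdict}")
```

Run it with only the workload account's trail and every copy job reports "no RecoveryPointCreated seen", which is exactly the gap the backup-account check above closes: the recovery point for a replicated copy is created in the central vault, so its event is only in the backup account's trail.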
Optional: Use Backup Account for Administration
You may wish to enable monitoring and management of backups from the backup account, so that backup administrators can do all their work from within this account. This responsibility can be delegated from the management account to the backup account:
- Log into the management account
- Navigate to https://console.aws.amazon.com/backup
- Choose the region of your workloads.
- Click on settings in the left navigation pane and scroll down to Delegated administrator section
- Click on Register delegated administrator and select the backup account. The backup account can then manage backup policies and monitor backup, copy and restore jobs across the organization without signing in to the management account.