In today’s edition of “don’t trust LLMs”, we learn that despite what AI tells you, AWS Backup doesn’t support Cross-Account and Cross-Region backups. It supports Cross-Account copying and Cross-Region copying, but apparently not together.
As part of Masset’s Data Protection and Disaster Recovery policies, we determined that having backups separated by both region and OU account was a good idea. This follows fairly closely AWS’s recommended best practice of using a separate, centralized account for an immutable history of backups and logs. In the case of logging, this is a no-brainer. Most services require just a few simple tweaks to copy logs to a centralized location.
However, the story is a bit different for backups. AWS Backup’s lack of support for the combination of differing regions and accounts is unfortunate. It’s a relatively new (in terms of AWS lifecycles) service offering, so I’m willing to give it a bit of leeway… But having to choose between region or account means we can only mitigate one risk at a time.
It all feels so simple; it’s just a few lines of Terraform code. But the first time it runs you’ll get a failure notification in your #alerts Slack channel and you’ll see something akin to this beautiful error hidden on the copy job for your backup.
It’s obviously not telling the full truth. AWS clearly states in their documentation that cross-region is allowed. Unfortunately, that little superscript #3 bears a lot of weight:
3. RDS, Aurora, DocumentDB, and Neptune do not support a single copy action that performs both cross-Region AND cross-account backup. You can choose one or the other. You can also use an AWS Lambda script to listen for the completion of your first copy, perform your second copy, then delete the first copy… See Cross-Region copy considerations with specific resources for further information.
Our risk profile demands both.
Cross-Region: Being in a separate region doesn’t protect you if someone gets unauthorized access to your environment account. We want a WORM account for backups and logs.
Cross-Account: Being in a separate account doesn’t protect you if you’re running your application in us-west-2 and the Yellowstone Caldera decides to finally erupt. Now you have data in a different account that also ceases to exist. To allow the few remaining remnants of society to pick up the pieces and restore your application to its full glory, moments before the eruption, you also need your backups in a different region (preferably very far away from Wyoming).
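The two-hop workaround the AWS footnote hints at, as an added example that is not code from the original post or from AWS: a Lambda handler fed by the AWS Backup "Copy Job State Change" EventBridge event. Hop 1 is the normal cross-account copy action into an intermediate vault; on its completion the handler starts hop 2 (cross-region into the final vault), and only on hop 2's completion does it delete the intermediate recovery point, so the source is never deleted while a copy is still reading it. The vault and role ARNs are placeholders, and the event detail field names (copyJobId, state, destinationBackupVaultArn, destinationRecoveryPointArn) are assumed from that event format.

```python
# Added example, not the post's own code. Chains the two single-hop copies
# AWS Backup allows for RDS into a cross-account AND cross-region copy.
import os
import uuid

# Placeholder ARNs (assumptions), overridable via the Lambda environment.
INTERMEDIATE_VAULT_ARN = os.environ.get(
    "INTERMEDIATE_VAULT_ARN", "arn:aws:backup:us-west-2:111111111111:backup-vault:hop1")
FINAL_VAULT_ARN = os.environ.get(
    "FINAL_VAULT_ARN", "arn:aws:backup:eu-west-1:222222222222:backup-vault:worm")
COPY_ROLE_ARN = os.environ.get(
    "COPY_ROLE_ARN", "arn:aws:iam::111111111111:role/placeholder-backup-copy-role")

def vault_name(vault_arn):
    """The vault name is the last ':'-separated segment of a vault ARN."""
    return vault_arn.rsplit(":", 1)[1]

def plan(detail):
    """Decide what one 'Copy Job State Change' event asks of us.
    Returns ("copy", start_copy_job kwargs), ("delete", info) or None.
    Keying on the destination vault means hop 2's own completion event
    cannot re-trigger another copy (no infinite copy loop)."""
    if detail.get("state") != "COMPLETED":
        return None
    dest_vault = detail.get("destinationBackupVaultArn")
    if dest_vault == INTERMEDIATE_VAULT_ARN:
        rp = detail["destinationRecoveryPointArn"]
        return ("copy", {
            "RecoveryPointArn": rp,
            "SourceBackupVaultName": vault_name(INTERMEDIATE_VAULT_ARN),
            "DestinationBackupVaultArn": FINAL_VAULT_ARN,
            "IamRoleArn": COPY_ROLE_ARN,
            # Deterministic token: a redelivered event cannot start a 2nd copy.
            "IdempotencyToken": str(uuid.uuid5(uuid.NAMESPACE_URL, rp)),
        })
    if dest_vault == FINAL_VAULT_ARN:
        return ("delete", {"copyJobId": detail["copyJobId"]})
    return None

def handler(event, context, backup=None):
    """Lambda entry point. `backup` is injectable for offline testing."""
    if backup is None:
        import boto3  # only needed inside Lambda
        backup = boto3.client("backup")
    action = plan(event.get("detail", {}))
    if action is None:
        return {"action": "ignored"}
    kind, params = action
    if kind == "copy":
        return {"action": "copy", "copyJobId": backup.start_copy_job(**params)["CopyJobId"]}
    # Hop 2 finished: look up its source and delete the intermediate recovery point.
    src = backup.describe_copy_job(CopyJobId=params["copyJobId"])["CopyJob"]
    backup.delete_recovery_point(BackupVaultName=vault_name(src["SourceBackupVaultArn"]),
                                 RecoveryPointArn=src["SourceRecoveryPointArn"])
    return {"action": "delete", "recoveryPointArn": src["SourceRecoveryPointArn"]}
```

The Lambda's role needs backup:StartCopyJob, backup:DescribeCopyJob and backup:DeleteRecoveryPoint on the intermediate vault only, and the final vault's access policy should stay deny-by-default for deletes so the WORM copy remains immutable.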
So, what’s a dev to do? Honestly, for the vast majority of organizations, having any backup is probably sufficient. So you might be best just to copy to a different account and call it good. Or copy it to a region in the same account. Either way, you’re probably fine according to whatever your risk profile and matrix specifies. Talk to your compliance officer for more details.