Reputation: 416
AWS backup account
We all know about what happened to Cold Spaces getting hacked and their AWS account essentially erased. I'm trying to put together recommendation on set of tools, best practices on archiving my entire production AWS account into a backup only where only I would have access to. The backup account will be purely for DR purposes storing EBS snapshots, AMI's, RDS etc.
Thoughts?
Upvotes: 1
Views: 728
Answers (2)
Reputation: 2296
I think you would be able to setup A VPC and then use VPC peering to see the other account and access S3 in that account.
To prevent something like coldspaces, make sure you use MFA authentication (no excuse for not using it, the google authentication app for your phone is free and safer than just having a single password as protection.
Also dont use the account owner but setup a separate IAM role with just the permissions you need (and enable MFA on this account as well).
Only issues is that VPC peering doesnt work across regions which would be nicer than having the DR in a different AZ in the same region.
Upvotes: 0
Reputation: 361
Separating the production account from the backup account for DR purposes is an excellent idea. Setting up a "cross-account" backup solution can be based on the EBS snapshot sharing feature that is currently not available for RDS. If you want to implement such a solution, please consider the following:
- Will the snapshots be stored in both the source and DR accounts? If they are, it will cost you twice.
- How do you protect the credentials of the DR account? You should make sure the credentials used to copy snapshots across accounts are not permitted to delete snapshots.
- Consider the way older snapshots get deleted at some point. You may want to deal with snapshot deletion separately using different credentials.
- Make sure your snapshots can be easily recovered back from the DR account to the original account
- Think of ways to automate this cross-account process and make it simple and error free
The company I work for recently released a product called “Cloud Protection Manager (CPM) v1.8.0” in the AWS Marketplace which supports cross-account backup and recovery in AWS and a process where a special account is used for DR only.
Upvotes: 1
Related Questions
- AWS Elastic Beanstalk (AWS EB) Backup - best practice
- How to Backup IAM User in AWS
- AWS service for backup Web and Database server. Launch a new environment from the disaster recovery backups
- AWS RDS Automated Backups
- Creating a Backup of AWS account configurations
- backing up s3 buckets best practice
- backup aws ec2 data to a totally separate aws account
- AWS Account-to-Account Backup Solution for EC2 and RDS?
- S3 Incremental Backups
- Backup on S3 using EC2