Reputation: 534
We are running AWS RDS PostgreSQL, with daily automatic snapshots, encrypted by an AWS managed KMS key. My objective is to minimize risk and data loss in case the main AWS account (running RDS) gets compromised or the RDS instance is deleted/damaged in some way.
What we've implemented so far: RDS snapshots are shared with a different (backup) account, periodically copied to the backup account and re-encrypted with the KMS key from the backup account, to make the copies local and independent from the main AWS account.
I'm wondering if there are better ways to minimize the recovery time objective and recovery point objective in case of a disaster event?
Upvotes: 4
Views: 1837
Reputation: 534
I wrote two scripts implementing the flow in the diagram drawn above ^^^; the idea is to run them daily:
src_acc_take_share_rds_snapshot.py in the src account
dst_acc_copy_shared_rds_snapshot_to_local.py in the dst account
and put them on GitHub: https://github.com/mvasilenko/dr-rds-share-snapshot
Upvotes: 0
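A check for the cross-account copy flow described in the posts above, as an added example that is not part of the original posts or of the linked scripts: it takes snapshot records in the shape returned by `describe_db_snapshots(IncludeShared=True)` in the backup account, keeps only copies encrypted with a KMS key owned by the backup account, and reports the age of the newest such copy per DB instance. The account IDs, instance names, key names, clock value and the 26-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

BACKUP_ACCOUNT = "222222222222"  # constructed placeholder account id
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock

def key_account(kms_arn):
    """Account id that owns a KMS key ARN (arn:aws:kms:region:account:key/id)."""
    parts = (kms_arn or "").split(":")
    return parts[4] if len(parts) > 5 and parts[2] == "kms" else None

def independent_copies(snapshots, backup_account=BACKUP_ACCOUNT):
    """Snapshots that stay restorable if the source account or its key is lost."""
    return [s for s in snapshots
            if s.get("Status") == "available"
            and s.get("SnapshotType") == "manual"  # a local copy, not a "shared" reference
            and s.get("Encrypted")
            and key_account(s.get("KmsKeyId")) == backup_account]

def rpo_report(snapshots, now, max_age=timedelta(hours=26)):
    """Per DB instance: age of the newest independent copy and whether it meets max_age."""
    newest = {}
    for s in independent_copies(snapshots):
        # OriginalSnapshotCreateTime survives a copy; fall back to the copy's own time.
        taken = s.get("OriginalSnapshotCreateTime") or s["SnapshotCreateTime"]
        db = s["DBInstanceIdentifier"]
        newest[db] = max(newest.get(db, taken), taken)
    report = {}
    for db in {s["DBInstanceIdentifier"] for s in snapshots}:
        age = now - newest[db] if db in newest else None
        report[db] = {"age": age, "ok": age is not None and age <= max_age}
    return report

def _snap(db, kind, account, age):
    """Build one constructed snapshot record with the fields the check reads."""
    return {"DBInstanceIdentifier": db, "SnapshotType": kind, "Status": "available",
            "Encrypted": True, "OriginalSnapshotCreateTime": NOW - age,
            "KmsKeyId": f"arn:aws:kms:eu-west-1:{account}:key/constructed-key"}

SAMPLE = [  # constructed records, not real output
    _snap("orders", "manual", BACKUP_ACCOUNT, timedelta(hours=6)),
    _snap("billing", "shared", "111111111111", timedelta(hours=5)),  # still source-owned
    _snap("billing", "manual", BACKUP_ACCOUNT, timedelta(days=3)),   # last local copy
]

if __name__ == "__main__":
    for db, result in sorted(rpo_report(SAMPLE, NOW).items()):
        print(db, result["age"], "OK" if result["ok"] else "STALE")
```

Run on a schedule in the backup account, a STALE result means the daily copy step has stopped producing independent copies even though shared snapshots are still visible.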
Reputation: 1917
This AWS blog post seems to weigh the options well.
Automated backups are limited to a single AWS Region while manual snapshots and Read Replicas are supported across multiple Regions.
Having a cross-Region read replica would give you the best RPO and RTO, as you can promote the replica to be an independent instance, which should improve your RPO / RTO.
Alternatively, if you choose to use Amazon Aurora Backtrack, it seems to offer a similar option to having a read replica, but I do not have personal experience with this feature, so I can't say how effective it is in improving RTO and RPO.
Upvotes: 0