Available only in Advanced and Enterprise Editions, N2WS’ cross-account functionality allows you to automatically copy snapshots between AWS accounts as part of the DR module. With cross-region DR, you can copy snapshots between regions as well as between accounts and any combination of both. In addition, you can recover resources (e.g. EC2 instances) to a different AWS account even if you did not copy the snapshots to that account. This cross-account functionality is important for security reasons.
The ability to copy snapshots between regions can prove crucial if your AWS credentials have been compromised and there is a risk of deletion of your production data as well as your snapshot data. N2WS utilizes the snapshot share option in AWS to enable copying them across accounts. Cross-account functionality is currently supported only for EC2 instances, EBS volumes and RDS instances (excluding Aurora).
Cross-account functionality is enabled for encrypted EBS volumes and instances with encrypted EBS volumes and RDS databases.
Users will need to share the encrypted key used for the encryption of the volumes or RDS instance to the other account as N2WS will not do it.
In addition, N2WS expects to find a key in the target account with the same alias as the original key (or just uses the default key).
For information on sharing encryption keys between different accounts, see https://support.n2ws.com/portal/kb/articles/cpm-supports-custom-encryption-keys-for-dr
If a matching encryption key is not found with an alias or with custom tags, the behavior of the backup depends on the Encryption Key Detection setting in the Security section of the General Settings menu:
Use Default Key – If the encryption key is not matched, the default encryption key is used.
Strict – DR encryption key must match, either with an alias or a custom tag.
Use Default and Alert – Use the default key and send an alert.
N2WS can support a DR scheme where a special AWS account is used only for snapshot data. This account’s credentials are not shared with anyone and used only to copy snapshots to. The IAM credentials used in N2WS can have limited permissions that do not allow snapshot deletion.
N2WS will tag outdated snapshots instead of actually deleting them, allowing an authorized user to delete them separately using the EC2 console or a script. Also, you may choose to keep the snapshots only in the vault account and not in their original account. This will allow you to save storage costs and utilize the cross-recovery capability to recover resources from the vault account back to the original one.
Once you have created a DR Account with the Account Type DR, you can configure cross-account DR from the DR screen of a policy:
Cross-account fields will be available only if your N2WS is licensed for cross-account functionality. See the pricing and registration page in our website to see which N2WS editions include cross-account backup & recovery.
Once you set the Cross-Account DR field to Enabled, the other fields will become visible:
- To Account – Which account to copy the snapshots to. This account needs to have been defined as a DR Account in the Accounts screen.
- Keep Original Snapshots – Whether to keep the snapshots both in the original and the DR Accounts or to delete the original snapshots once they are copied to the DR Account. This can save cost by not paying to store all snapshots twice.
N2WS performs clean-up on backup policies and deletes backups and snapshots that are out of the retention window, according to the policy’s definition. By default, N2WS will clean up snapshots copied to other accounts as well. However, if you do not wish for N2WS to clean up, because you want to provide IAM credentials that are limited and cannot delete data, you have that option. If you defined the DR Account with Allow Deleting Snapshots set as False, N2WS will not try to delete snapshots in the DR Account. It will rather flag a snapshot for subsequent deletion by adding a tag to the snapshot called cpm_deleted. The tag value will contain the time when the snapshot was flagged for deletion by N2WS.
When using this option, occasionally make sure that these snapshots are actually deleted. You can either run a script on a schedule, with proper permissions, or make it delete all snapshots with the tag cpm_deleted. Or, using the EC2 console, filter snapshots by the tag name and delete them.
If you configure the backup policy to copy snapshots across accounts as well as across regions, N2WS will combine: it will copy to the other account and to other regions. So, you can potentially copy snapshots to regions and accounts. It is important to know exactly what you are doing and not let the cost of these actions to be too high.
If you have cross-account functionality enabled in your N2WS license, and even if you actually configured N2WS to copy snapshots between accounts, you can recover across accounts. This is already mentioned in the recovery chapter (see chapter 9). You need to choose which account to recover the resource (EC2 instance, EBS volume or RDS database) to.
Note: Only account type DR Account may be the target of a cross-account recovery.
When copying snapshots between accounts and not keeping the original snapshots, you will also have the option to restore the instance/volume to the original account. N2WS will utilize the AWS share snapshot option to enable recovering resources across accounts.
Note: There is an AWS limitation for restoring encrypted manual RDS snapshots from a DR AWS account. Directly restoring a cross-account DR copy of encrypted RDS snapshots is not supported. As a workaround, you can either restore directly to the DR AWS account, or the snapshot data can be copied back to the original AWS account, and then the restore can work as intended from there.