12. Cross-Account DR, Backup and Recovery

Copy N2WS snapshots between AWS accounts. Ransomware protection via snapshot vaults. Configuring and managing cross-account backup and recovery; cost considerations.

Available only in Advanced and Enterprise Editions, N2WS’ cross-account functionality allows you to automatically copy snapshots between AWS accounts as part of the DR module.

With cross-region AWS disaster recovery, you can copy snapshots between regions as well as between accounts and any combination of both. In addition, you can recover resources (e.g. EC2 instances) to a different AWS account even if you did not copy the snapshots to that account. This AWS cross-account access functionality is important for security reasons.

The ability to copy snapshots between regions can prove crucial if your AWS credentials have been compromised and there is a risk of deletion of your production data as well as your snapshot data. N2WS utilizes the snapshot share option in AWS to enable copying them across accounts. Cross-account functionality is currently supported only for EC2 instances, EBS volumes and RDS instances, including Aurora.

Cross-account functionality is enabled for encrypted EBS volumes and instances with encrypted EBS volumes and RDS databases.

Users will need to share the encrypted key used for the encryption of the volumes or RDS instance to the other account as N2WS will not do it.

In addition, N2WS expects to find a key in the target account with the same alias as the original key (or just uses the default key).

For information on sharing encryption keys between different accounts, see https://support.n2ws.com/portal/kb/articles/cpm-supports-custom-encryption-keys-for-dr

If a matching encryption key is not found with an alias or with custom tags, the behavior of the backup depends on the Encryption Key Detection setting in the Security section of the General Settings menu:

Use Default Key – If the encryption key is not matched, the default encryption key is used.

Strict – DR encryption key must match, either with an alias or a custom tag.

Use Default and Alert – Use the default key and send an alert.

N2WS can support a DR scheme where a special AWS account is used only for snapshot data. This account’s credentials are not shared with anyone and used only to copy snapshots to. The IAM credentials used in N2WS can have limited permissions that do not allow snapshot deletion.

N2WS will tag outdated snapshots instead of actually deleting them, allowing an authorized user to delete them separately using the EC2 console or a script. Also, you may choose to keep the snapshots only in the vault account and not in their original account. This will allow you to save storage costs and utilize the cross-recovery capability to recover resources from the vault account back to the original one.

Configuring Cross-Account Backup

Once you have created a DR Account with the Account Type DR, you can configure cross-account DR from the DR screen of a policy:


Figure 12‑1

Cross-account fields will be available only if your N2WS is licensed for cross-account functionality. See the pricing and registration page in our website to see which N2WS editions include cross-account backup & recovery.

Once you set the Cross-Account DR field to Enabled, other fields become visible:

  • To Account – Which account to copy the snapshots to. This account needs to have been defined as a DR Account in the Accounts screen.
  • DR Account Target Regions – Which region or regions you want to copy the snapshots of the policy to. To include all of the Target Regions selected for backup, click Original in the list. Select additional regions as needed.
  • Keep Original Snapshots – Whether to copy the snapshots to the selected target regions AND add these regions to the list of target cross-account cross-region DR.

Cross-Account DR and Clean-Up

N2WS performs clean-up on backup policies and deletes backups and snapshots that are out of the retention window, according to the policy’s definition. By default, N2WS will clean up snapshots copied to other accounts as well. However, if you do not wish for N2WS to clean up, because you want to provide IAM credentials that are limited and cannot delete data, you have that option.

If you defined the DR Account with Allow Deleting Snapshots set as False, N2WS will not try to delete snapshots in the DR Account. It will rather flag a snapshot for subsequent deletion by adding a tag to the snapshot called cpm_deleted. The tag value will contain the time when the snapshot was flagged for deletion by N2WS.

When using this option, occasionally make sure that these snapshots are actually deleted. You can either run a script on a schedule, with proper permissions, or make it delete all snapshots with the tag cpm_deleted. Or, using the EC2 console, filter snapshots by the tag name and delete them.

Cross-Account with Cross-Region

If you configure the backup policy to copy snapshots across accounts as well as across regions, be aware of how the increased number of copies might affect your AWS costs.

Cross-Account Recovery

If you have cross-account functionality enabled in your N2WS license, and even if you actually configured N2WS to copy snapshots between accounts, you can recover across accounts. This is already mentioned in the recovery section (see section 10). You need to choose which account to recover the resource (EC2 instance, EBS volume or RDS database) to.

Note: Only account type DR Account may be the target of a cross-account recovery.

When copying snapshots between accounts and not keeping the original snapshots, you will also have the option to restore the instance/volume to the original account. N2WS will utilize the AWS share snapshot option to enable recovering resources across accounts.

Note: There is an AWS limitation for restoring encrypted manual RDS snapshots from a DR AWS account. Directly restoring a cross-account DR copy of encrypted RDS snapshots is not supported. As a workaround, you can either restore directly to the DR AWS account, or the snapshot data can be copied back to the original AWS account, and then the restore can work as intended from there.

Share this post →

Share on twitter
Share on linkedin
Share on facebook
Share on email

Win the Ultimate


attendee pack —$415 value!

giveaway graphic

Visit the N2WS booth at AWS re:Invent for a chance to win prizes!