- 11 – Cross-Account DR, Backup and Recovery
Available only in Advanced and Enterprise Editions, CPM’s cross-account functionality allows you to automatically copy snapshots between AWS accounts as part of the DR module. With cross-region DR, you can copy snapshots between regions as well as between accounts and any combination of both. In addition, you can recover resources (e.g. EC2 instances) to a different AWS account even if you did not copy the snapshots to that account. This cross-account functionality is important for security reasons.
The ability to copy snapshots between regions can prove crucial if your AWS credentials have been compromised and there is a risk of deletion of your production data as well as your snapshot data. CPM utilizes the snapshot share option in AWS to enable copying them across accounts. Cross-account functionality is currently supported only for EC2 instances, EBS volumes and RDS instances (excluding Aurora).
Cross-account functionality is enabled for encrypted EBS volumes and instances with encrypted EBS volumes and RDS databases. Users will need to share the encrypted key used for the encryption of the volumes or RDS instance to the other account as CPM will not do it. In addition, CPM expects to find a key in the target account with the same alias as the original key (or just uses the default key).
CPM can support a DR scheme where a special AWS account is used only for snapshot data. This account’s credentials are not shared with anyone and used only to copy snapshots to. The IAM credentials used in CPM can have limited permissions that do not allow snapshot deletion.
CPM will tag outdated snapshots instead of actually deleting them, allowing an authorized user to delete them separately using the EC2 console or a script. Also, you may choose to keep the snapshots only in the vault account and not in their original account. This will allow you to save storage costs and utilize the cross-recovery capability to recover resources from the vault account back to the original one.
You configure cross-account DR from the DR screen of the policy:
Cross-account fields will be available only if your CPM is licensed for cross-account functionality. See the pricing and registration page in our website to see which CPM editions include cross-account backup & recovery.
Once you set the Cross-Account DR field to Enabled, the other fields will become visible:
- To Account – Which account to copy the snapshots to. This account needs to be defined as a DR account in the Accounts screen.
- Keep Original Snapshots – Whether to keep the snapshots both in the original and the DR accounts or to delete the original snapshots once they are copied to the DR account. This can save cost by not paying to store all snapshots twice.
CPM performs clean-up on backup policies and deletes backups and snapshots that are out of the retention window, according to the policy’s definition. By default, CPM will clean up snapshots copied to other accounts as well. However, if you do not wish for CPM to clean up, because you want to provide IAM credentials that are limited and cannot delete data, you have that option. If you defined the DR account with Allow Deleting Snapshots set as False, CPM will not try to delete snapshots in the DR account. It will rather flag a snapshot for subsequent deletion by adding a tag to the snapshot called cpm_deleted. The tag value will contain the time when the snapshot was flagged for deletion by CPM.
When using this option, occasionally make sure that these snapshots are actually deleted. You can either run a script on a schedule, with proper permissions, or make it delete all snapshots with the tag cpm_deleted. Or, using the EC2 console, filter snapshots by the tag name and delete them.
If you configure the backup policy to copy snapshots across accounts as well as across regions, CPM will combine: it will copy to the other account and to other regions. So, you can potentially copy snapshots to regions and accounts. It is important to know exactly what you are doing and not let the cost of these actions to be too high.
If you have cross-account functionality enabled in your CPM license, and even if you actually configured CPM to copy snapshots between accounts, you can recover across accounts. This is already mentioned in the recovery chapter (see chapter 9). You need to choose which account to recover the resource (EC2 instance, EBS volume or RDS database) to. When copying snapshots between accounts and not keeping the original snapshots, you will also have the option to restore the instance/volume to the original account. CPM will utilize the AWS share snapshot option to enable recovering resources across accounts.
Note: There is an AWS limitation for restoring encrypted manual RDS snapshots from a DR AWS account. Directly restoring a cross-account DR copy of encrypted RDS snapshots is not supported. As a workaround, you can either restore directly to the DR AWS account, or the snapshot data can be copied back to the original AWS account, and then the restore can work as intended from there.
Note: Currently, copying snapshots between accounts is not incremental by nature. Unlike creating regular snapshots or copying snapshots between regions, copying snapshots between accounts will copy the entire volume every time. This can have a considerable effect on cost. Be sure to configure the backup policies according to business needs.