Mastering AWS RDS Backups: Navigating Encryption Challenges with AWS Key Management Service (KMS)

In today’s cloud-centric landscape, businesses are increasingly adopting multi-account, multi-region AWS (Amazon Web Services) architectures for their applications. While this approach offers numerous benefits, it also introduces complex challenges when it comes to managing backups for Amazon RDS (Relational Database Service) instances across multiple accounts and regions. In this blog post, we will delve into these challenges and explore effective solutions for securing your RDS data.

The Necessity of RDS Backups

Before diving into the intricacies of cross-account and cross-region RDS backups, let’s remind ourselves why RDS backups are essential. These backups are instrumental in ensuring the availability, recoverability, and integrity of your database system. They play a pivotal role in various critical scenarios, including data recovery, high availability, disaster recovery, and point-in-time recovery.

In this blog post, we’ll employ the AWS Backup service to handle RDS backups, as it offers robust support for various AWS services, with similar procedures applicable to other services.

Challenges

Let’s first address the key challenges you may encounter:

Challenge 1: Encryption

In AWS, AWS Key Management Service (KMS) keys are used to encrypt services such as RDS. There are two types of keys: AWS-managed keys and customer-managed (custom) keys. A snapshot of an RDS instance is encrypted with the same KMS key as the instance, so the key you chose for the database decides who can use the resulting snapshot.

Solutions

To tackle these challenges, we’ll discuss solutions tailored to each scenario.

Scenario 1: RDS Encrypted with Custom KMS Keys

If you’re using custom KMS keys, you’ll need to grant access to other accounts to use your KMS key. Achieve this by updating the policy of the custom KMS key.

{
    "Version": "2012-10-17",
    "Id": "rds backup custom kms key",
    "Statement": [
        {
            "Sid": "Allow access from Backup account to copy backups",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "<your destination account id>"
                }
            }
        }
    ]
}

Add this statement to the key's existing Statement array rather than replacing it: the statements that let your own account administer and use the key must stay, or your own principals are locked out. The kms:CallerAccount condition is what narrows the "*" principal to the destination account; without it the statement would allow every AWS account.
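As an added check that is not part of the original post, the following Python function inspects a key policy like the one above. It reports which of the four required actions the destination account does not yet get, and flags any Allow statement whose Principal is "*" but lacks the kms:CallerAccount condition, since that combination opens the key to every AWS account. The sample policy and account ids are constructed.

```python
import json

# The KMS actions the destination account needs to copy a snapshot encrypted with this key.
REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_key_policy(policy_json, destination_account):
    """Return the required actions the destination account still lacks, plus the Sids of
    any Allow statement whose Principal is "*" with no kms:CallerAccount restriction."""
    policy = json.loads(policy_json)
    granted = set()
    unrestricted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                          else _as_list(principal))
        caller = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:CallerAccount")
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in aws_principals and caller is None:
            # A wildcard principal with no account condition opens the key to every AWS account.
            unrestricted.append(stmt.get("Sid", "<no Sid>"))
            continue
        root_arn = "arn:aws:iam::%s:root" % destination_account
        if caller == destination_account or root_arn in aws_principals:
            granted |= REQUIRED_ACTIONS if "kms:*" in actions else actions & REQUIRED_ACTIONS
    return {"missing": sorted(REQUIRED_ACTIONS - granted), "unrestricted": unrestricted}

# Constructed sample: the post's statement with a placeholder destination account id.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access from Backup account to copy backups",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": "222222222222"}},
    }],
})

if __name__ == "__main__":
    print(check_key_policy(SAMPLE_POLICY, "222222222222"))
```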

Scenario 2: RDS Encrypted with AWS-Managed KMS Key

When your RDS is encrypted with an AWS-managed KMS key, you cannot update its key policy, so you cannot grant other accounts access to it. To address this, change the KMS key of the snapshot to a customer-managed KMS key. Here’s how:

Create a copy of the original snapshot within the same account and region. This new snapshot will be encrypted using the AWS Backup vault’s KMS key, which can be custom-managed.

Execution

We’ve decided to utilize the AWS Backup service for RDS backup and sharing across accounts. AWS Backup requires a backup vault to store RDS snapshots, which, in turn, necessitates a KMS key. For cross-account backup strategies, creating a custom-managed KMS key becomes crucial, allowing access from other accounts.

AWS Backup also supports copying snapshots to different destinations, such as other regions or other AWS accounts. To accomplish this, you’ll need the Amazon Resource Name (ARN) of the destination backup vault. For destination backup vaults, using customer-managed KMS keys is recommended, so that snapshots can be shared with the source account without friction.

Two Possible Scenarios: AWS Managed KMS Key vs. Custom Managed KMS Key

Consider two AWS accounts for this setup: one as the source account with the active RDS instance and the other as the destination account for storing snapshots. For optimal results, store snapshots in different AWS regions—let’s use ap-south-1 (Mumbai) as the source AWS region and ap-south-2 (Hyderabad) as the destination region.

Scenario 1: Using AWS Managed KMS Key

When your RDS is encrypted with an AWS-managed KMS key, you lack permission to update policies or grant access to other accounts. To address this, create the RDS backup in the ap-south-1 region, encrypted with an AWS-managed KMS key. Next, create an additional snapshot in the same region, using the KMS key associated with the backup vault. This enables you to share the snapshot with another account.

AWS Backup creates this second snapshot automatically, and it can copy snapshots to a different destination. When the destination is a backup vault in another account, that vault’s access policy must grant the source account permission to copy into it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-source-account-id>:root"
            },
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        }
    ]
}

To automate this process, use Amazon EventBridge. Create a rule that fires when a new snapshot is successfully created in the intermediate backup vault; the rule invokes a Lambda function, which copies the second snapshot from ap-south-1 to ap-south-2.
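To make the EventBridge-to-Lambda step concrete, here is an added example of that Lambda function; it is not code from the original post. It acts only on completed RDS backup jobs in the intermediate vault, looks up the job's recovery point, and starts an AWS Backup copy job into the destination vault in ap-south-2, reusing the backup job id as the idempotency token so a redelivered event does not start a second copy. The vault name, ARNs, environment variable names and the sample event are assumptions or constructed values.

```python
import os

# Hypothetical configuration read from the Lambda's environment (names and defaults are assumptions).
INTERMEDIATE_VAULT = os.environ.get("INTERMEDIATE_VAULT", "rds-intermediate-vault")
DEST_VAULT_ARN = os.environ.get("DEST_VAULT_ARN",
                                "arn:aws:backup:ap-south-2:222222222222:backup-vault:rds-dr-vault")
COPY_ROLE_ARN = os.environ.get("COPY_ROLE_ARN", "arn:aws:iam::111111111111:role/backup-copy-role")

# Constructed sample of the EventBridge event AWS Backup emits when a backup job changes state.
SAMPLE_EVENT = {
    "source": "aws.backup",
    "detail-type": "Backup Job State Change",
    "detail": {"backupJobId": "11111111-2222-3333-4444-555555555555", "state": "COMPLETED",
               "backupVaultName": INTERMEDIATE_VAULT, "resourceType": "RDS"},
}

def should_copy(event):
    """Act only on completed RDS backup jobs that landed in the intermediate vault."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.backup"
            and event.get("detail-type") == "Backup Job State Change"
            and d.get("state") == "COMPLETED"
            and d.get("backupVaultName") == INTERMEDIATE_VAULT
            and d.get("resourceType") == "RDS")

def build_copy_request(recovery_point_arn, backup_job_id):
    """Parameters for backup.start_copy_job: intermediate vault in ap-south-1 to the vault in ap-south-2."""
    return {
        "RecoveryPointArn": recovery_point_arn,
        "SourceBackupVaultName": INTERMEDIATE_VAULT,
        "DestinationBackupVaultArn": DEST_VAULT_ARN,
        "IamRoleArn": COPY_ROLE_ARN,
        # Reusing the job id means a redelivered event does not start a second copy.
        "IdempotencyToken": backup_job_id,
    }

def lambda_handler(event, context):
    if not should_copy(event):
        return {"copied": False}
    import boto3  # imported here so the helpers above can be exercised without the SDK
    backup = boto3.client("backup", region_name="ap-south-1")
    job = backup.describe_backup_job(BackupJobId=event["detail"]["backupJobId"])
    resp = backup.start_copy_job(**build_copy_request(job["RecoveryPointArn"], job["BackupJobId"]))
    return {"copied": True, "copyJobId": resp["CopyJobId"]}
```

The role in COPY_ROLE_ARN must be allowed to use the intermediate vault's KMS key and to copy into the destination vault, which is exactly what the key policy and vault access policy above set up.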

Scenario 2: RDS Encrypted with Custom-Managed KMS Key

In this scenario, you only need to update the KMS policy to allow the destination account to use the KMS key for decryption. Since the source account’s snapshot is already encrypted with a custom-managed KMS key, AWS backup services can seamlessly copy it to the destination account. Make sure to update permissions on the destination backup vault accordingly.

Conclusion

Mastering cross-account and cross-region RDS backups in AWS is crucial for data security and business continuity. Despite challenges, solutions like custom KMS keys, AWS Backup, and automation ensure a resilient and efficient backup strategy. Embrace these techniques to safeguard your data and thrive in the cloud-centric landscape.

Blog Pundits: Bhupender Rawat and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.
