# Creating backup copies across Amazon Web Services accounts
Using Amazon Backup, you can back up to multiple Amazon Web Services accounts on demand or automatically as part of a scheduled backup plan. Use a cross-account backup if you want to securely copy your backups to one or more Amazon Web Services accounts in your organization for operational or security reasons. If your original backup is inadvertently deleted, you can copy the backup from its destination account to its source account, and then start the restore. Before you can do this, you must have two accounts that belong to the same organization in the Amazon Organizations service. For more information, see [ Tutorial: Creating and configuring an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_tutorials_basic.html) in the *Organizations User Guide*.
In your destination account, you must create a backup vault. Then, you assign an encryption key to encrypt backups in the destination account, and a resource-based access policy to allow Amazon Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in Amazon Organizations.
When you copy a backup to cross-account for the first time, Amazon Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup to the same destination account and vault are incremental. Amazon Backup re-encrypts your copy using the encryption key of your destination vault.
**Note**
For resources [fully managed by Amazon Backup](whatisbackup.md#full-management), you can use either a customer managed key or the Amazon Backup managed key (`aws/backup`) for the destination vault. For all other resource types, a customer managed key is required because Amazon managed key policies are immutable and cannot be shared cross-account. For more information, see [Encryption for a backup copy to a different account or Amazon Web Services Region](encryption.md#copy-encryption).
**Requirements**
+ Before you manage resources across multiple Amazon Web Services accounts in Amazon Backup, your accounts must belong to the same organization in the Amazon Organizations service.
+ Most resources supported by Amazon Backup support cross-account backup. For specifics, see [Feature availability by resource](backup-feature-availability.md#features-by-resource).
+ Most Amazon Regions support cross-account backup. For specifics, see [Feature availability by Amazon Web Services Region](backup-feature-availability.md#features-by-region).
+ Amazon Backup does not support cross-account copies for storage in cold tiers.
## Setting up cross-account backup
**What do you need to create cross-account backups?**
+ **A source account**
The source account is the account where your production Amazon resources and primary backups reside.
The source account user initiates the cross-account backup operation. The source account user or role must have appropriate API permissions to initiate the operation. Appropriate permissions might be the Amazon managed policy `AWSBackupFullAccess`, which enables full access to Amazon Backup operations, or a customer managed policy that allows actions such as `ec2:ModifySnapshotAttribute`. For more information about policy types, see [Amazon Backup Managed Policies](https://docs.amazonaws.cn/aws-backup/latest/devguide/security-iam-awsmanpol.html).
For cross-account copy jobs, the IAM role in the source account must also have the following identity-based permissions:
+ `backup:CopyFromBackupVault` – Authorizes copying the source recovery point.
+ `backup:CopyIntoBackupVault` – Authorizes writing into the destination vault. Because this is a cross-account call, this permission must be present in both the identity-based policy (attached to the IAM role) and the resource-based policy (on the destination backup vault).
The Amazon managed policy `AWSBackupServiceRolePolicyForBackup` includes both of these permissions. If you use a custom IAM role, you must add these permissions explicitly. The following is an example identity-based policy:
```
{
"Statement": [
{
"Sid": "BackupVaultCopyPermissions",
"Effect": "Allow",
"Action": "backup:CopyFromBackupVault",
"Resource": "*"
},
{
"Sid": "BackupVaultPermissions",
"Effect": "Allow",
"Action": "backup:CopyIntoBackupVault",
"Resource": "arn:aws:backup:*:*:backup-vault:*"
}
]
}
```
+ **A destination account**
The destination account is the account where you would like to keep a copy of your backup. You can choose more than one destination account. The destination account must be in the same organization as the source account in Amazon Organizations.
You must “Allow” the access policy `backup:CopyIntoBackupVault` for your destination backup vault. The absence of this policy will deny attempts to copy into the destination account.
+ **A management account in Amazon Organizations**
The management account is the primary account in your organization, as defined by Amazon Organizations, that you use to opt-in to cross-account backup across your Amazon Web Services accounts. Before your organization can start with cross-account backups, you must enable cross-account backup in the Amazon Backup console or through the [UpdateGlobalSettings](https://docs.amazonaws.cn/aws-backup/latest/devguide/API_UpdateGlobalSettings.html) API.
For information about security, see [Security considerations for cross-account backup](#security-considerations-cab).
To use cross-account backup, you must enable the cross-account backup feature. Then, you must "Allow" the access policy `backup:CopyIntoBackupVault` into your destination backup vault.
Amazon EC2 offers [EC2 Allowed AMIs](https://docs.amazonaws.cn//AWSEC2/latest/UserGuide/ec2-allowed-amis.html). If this setting is enabled in your account, add your source account ID to your allowlist. Otherwise, the copy operation will fail with an error message, such as "Source AMI not found in Region".
**Enable cross-account backup**
1. Log in using your Amazon Organizations management account credentials. Cross-account backup can only be enabled or disabled using these credentials.
1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).
1. In **My account**, choose **Settings**.
1. For **Cross-account backup**, choose **Enable**.
1. In **Backup vaults**, choose your destination vault.
For cross-account copy, the source vault and the destination vault are in different accounts. Switch to the account which owns the destination account, as necessary.
1. In the **Access policy** section, "Allow" `backup:CopyIntoBackupVault`. For an example, choose **Add permissions** and then **Allow access to a Backup vault from organization**. Any cross-account action other than `backup:CopyIntoBackupVault` will be rejected.
1. Now, any account in your organization can share the contents of their backup vault with any other account in your organization. For more information, see [Configuring backup vault access for cross-account copies](#share-vault-cab). To limit which accounts can receive the contents of other accounts' backup vaults, see [Configuring your account as a destination account](#designate-destination-accounts-cab).
## Scheduling cross-account backup
You can use a scheduled backup plan to copy backups across Amazon Web Services accounts.
**To copy a backup using a scheduled backup plan**
1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).
1. In **My account**, choose **Backup plans**, and then choose **Create Backup plan**.
1. On the **Create Backup plan** page, choose **Build a new plan**.
1. For **Backup plan name**, enter a name for your backup plan.
1. In the **Backup rule configuration** section, add a backup rule that defines a backup schedule, backup window, and lifecycle rules. You can add more backup rules later.
For **Rule name**, enter a name for your rule.
1. In the **Schedule** section under **Frequency**, choose how often you want the backup to be taken.
1. For **Backup window**, choose **Use backup window defaults** (recommended). You can customize the backup window.
1. For **Backup vault**, choose a vault from the list. Recovery points for this backup will be saved in this vault. You can create a new backup vault.
1. In the **Generate copy - optional** section, enter the following values:
**Destination Region**
Choose the destination Amazon Web Services Region for your backup copy. Your backup will be copied to this Region. You can add a new copy rule per copy to a new destination.
**Copy to another account's vault**
Toggle to choose this option. The option turns blue when selected. The **External vault ARN** option will appear.
**External vault ARN**
Enter the Amazon Resource Name (ARN) of the destination account. The ARN is a string that contains the account ID and its Amazon Web Services Region. Amazon Backup will copy the backup to the destination account's vault. The **Destination region** list automatically updates to the Region in the external vault ARN.
For **Allow Backup vault access**, choose **Allow**. Then choose **Allow** in the wizard that opens.
Amazon Backup needs permissions to access the external account to copy backup to the specified value. The wizard shows the following example policy that provides this access.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountCopyIntoBackupVault",
"Effect": "Allow",
"Action": "backup:CopyIntoBackupVault",
"Resource": "*",
"Principal": {
"AWS": "arn:aws-cn:iam::123456789012:root"
}
}
]
}
```
**Transition to cold storage**
Choose when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This value cannot be changed after a copy has transitioned to cold storage.
To see the list of resources that you can transition to cold storage, see the "Lifecycle to cold storage" section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table. The cold storage expression is ignored for other resources.
**Expire** specifies the number of days after creation that the copy is deleted. This value must be greater than 90 days beyond the **Transition to cold storage** value.
When backups expire and are marked for deletion as part of your lifecycle policy, Amazon Backup deletes the backups at a randomly chosen point over the following 8 hours. This window helps ensure consistent performance.
1. Choose **Tags added to recovery points** to add tags to your recovery points.
1. For **Advanced backup settings**, choose **Windows VSS** to enable application-aware snapshots for the selected third-party software running on EC2.
1. Choose **Create plan**.
## Performing on-demand cross-account backup
You can copy a backup to a different Amazon Web Services account on demand.
**To copy a backup on-demand**
1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).
1. For **My account**, choose **Backup vault** to see all your backup vaults listed. You can filter by the backup vault name or tag.
1. Choose the **Recovery point ID** of the backup you want to copy.
1. Choose **Copy**.
1. Expand **Backup details** to see information about the recovery point you are copying.
1. In the **Copy configuration** section, choose an option from the **Destination region** list.
1. Choose **Copy to another account's vault**. The option turns blue when selected.
1. Enter the Amazon Resource Name (ARN) of the destination account. The ARN is a string that contains the account ID and its Amazon Web Services Region. Amazon Backup will copy the backup to the destination account's vault. The **Destination region** list automatically updates to the Region in the external vault ARN.
1. For **Allow Backup vault access**, choose **Allow**. Then choose **Allow** in the wizard that opens.
To create the copy, Amazon Backup needs permissions to access the source account. The wizard shows an example policy that provides this access. This policy is shown following.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountCopyIntoBackupVault",
"Effect": "Allow",
"Action": "backup:CopyIntoBackupVault",
"Resource": "*",
"Principal": {
"AWS": "arn:aws-cn:iam::123456789012:root"
}
}
]
}
```
------
1. For **Transition to cold storage**, choose when to transition the backup copy to cold storage and when to expire (delete) the copy. Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. This value cannot be changed after a copy has transitioned to cold storage.
To see the list of resources that you can transition to cold storage, see the "Lifecycle to cold storage" section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table. The cold storage expression is ignored for other resources.
**Expire** specifies the number of days after creation that the copy is deleted. This value must be greater than 90 days beyond the **Transition to cold storage** value.
1. For **IAM role**, specify the IAM role (such as the default role) that has the permissions to make your backup available for copying. The act of copying is performed by your destination account's service linked role.
1. Choose **Copy**. Depending on the size of the resource you are copying, this process could take several hours to complete. When the copy job completes, you will see the copy in the **Copy jobs** tab in the **Jobs** menu.
## Encryption keys and cross-account copies
See [Encryption for a backup copy to a different account or Amazon Web Services Region](encryption.md#copy-encryption) for details on how encryption works for copy job.
For additional help troubleshooting cross-account copy failures, please see the [Amazon Knowledge Center](https://repost.aws/knowledge-center/backup-troubleshoot-cross-account-copy).
## Restoring a backup from one Amazon Web Services account to another
Amazon Backup does not support recovering resources from one Amazon Web Services account to another. However, you can copy a backup from one account to a different account and then restore it in that account. For example, you can't restore a backup from account A to account B, but you can copy a backup from account A to account B, and then restore it in account B.
Before restoring a backup from one account to another, ensure that the destination account has the service-linked role (SLR) for the resource type you are restoring. If the destination account has never used that Amazon service before, the SLR may not exist. You can create the SLR by using the service in the destination account, which automatically creates it. Once the SLR requirement is addressed, restoring a backup from one account to another is a two-step process:
**To restore a backup from one account to another**
1. Copy the backup from the source Amazon Web Services account to the account you want to restore to. For instructions, see [Setting up cross-account backup](https://docs.amazonaws.cn/aws-backup/latest/devguide/create-cross-account-backup.html#prereq-cab).
1. Use the appropriate instructions for your resource to restore the backup.
## Configuring backup vault access for cross-account copies
Amazon Backup allows you to configure your backup vault to grant access to other Amazon Web Services accounts, allowing them to copy recovery points to your vault for cross-account backup. This access configuration uses resource-based policies to permit specific accounts to perform backup operations.
**Note**
This is different from Amazon Backup vault sharing for Logically Air Gapped (LAG) vaults, which uses Amazon Resource Access Manager (RAM) to share vault resources directly.
You can grant vault access to one or multiple accounts, or your entire organization in Amazon Organizations. You can configure a destination backup vault with access for a source Amazon Account, user, or IAM role.
**To configure vault access for a destination Backup vault**
1. Choose **Amazon Backup**, and then choose **Backup vaults**.
1. Choose the name of the backup vault that you want to configure access for.
1. In the **Access policy** pane, choose the **Add permissions** dropdown.
1. Choose **Allow account level access to a Backup vault**. Or, you can choose to allow organization-level or role-level access.
1. Enter the **AccountID** of the account you'd like to grant access to this destination backup vault.
1. Choose **Save policy**.
You can use IAM policies to configure vault access.
**Configure destination backup vault access for an Amazon Web Services account or IAM role**
The following policy configures vault access for account number `4444555566666` and the IAM role `SomeRole` in account number `111122223333`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws-cn:iam::444455556666:root",
"arn:aws-cn:iam::111122223333:role/SomeRole"
]
},
"Action":"backup:CopyIntoBackupVault",
"Resource":"*"
}
]
}
```
------
**Share a destination backup vault an organizational unit in Amazon Organizations**
The following policy shares a backup vault with organizational units using their `PrincipalOrgPaths`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":"*",
"Action":"backup:CopyIntoBackupVault",
"Resource":"*",
"Condition":{
"ForAnyValue:StringLike":{
"aws:PrincipalOrgPaths":[
"o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
"o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/ou-jkl0-awsddddd/*"
]
}
}
}
]
}
```
------
**Share a destination backup vault with an organization in Amazon Organizations**
The following policy shares a backup vault with the organization with `PrincipalOrgID` "o-a1b2c3d4e5".
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":"*",
"Action":"backup:CopyIntoBackupVault",
"Resource":"*",
"Condition":{
"StringEquals":{
"aws:PrincipalOrgID":[
"o-a1b2c3d4e5"
]
}
}
}
]
}
```
------
## Configuring your account as a destination account
When you first enable cross-account backups using your Amazon Organizations management account, any user of a member account can configure their account to be a destination account. We recommend setting one or more of the following service control policies (SCPs) in Amazon Organizations to limit your destination accounts. To learn more about attaching service control policies to Amazon Organizations nodes, see [Attaching and detaching service control policies](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps_attach.html).
**Limit destination accounts using tags**
When attached to an Amazon Organizations root, OU, or individual account, this policy limits copies destinations from that root, OU, or account to only those accounts with backup vaults you’ve tagged `DestinationBackupVault`. The permission `"backup:CopyIntoBackupVault"` controls how a backup vault behaves and, in this case, which destination backup vaults are valid. Use this policy, along with the corresponding tag applied to approved destination vaults, to control the destinations of cross-account copies to only approved accounts and backup vaults.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Action":"backup:CopyIntoBackupVault",
"Resource":"*",
"Condition":{
"Null":{
"aws:ResourceTag/DestinationBackupVault":"true"
}
}
}
]
}
```
------
**Limit destination accounts using account numbers and vault names**
When attached to an Amazon Organizations root, OU, or individual account, this policy limits copies originating from that root, OU, or account to only two destination accounts. The permission `"backup:CopyFromBackupVault"` controls how a recovery point in the backup vault behaves, and, in this case, the destinations where you can copy that recovery point to. The source vault will only permit copies to the first destination account (112233445566) if one or more destination backup vault names begin with `cab-`. The source vault will only permit copies to the second destination account (123456789012) if the destination is the single backup vault named `fort-knox`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyCopyFromBackupVault",
"Effect": "Deny",
"Action": "backup:CopyFromBackupVault",
"Resource": "arn:aws-cn:ec2:*:*:snapshot/*",
"Condition": {
"ForAllValues:ArnNotLike": {
"backup:CopyTargets": [
"arn:aws-cn:backup:*:112233445566:backup-vault:cab-*",
"arn:aws-cn:backup:us-east-1:123456789012:backup-vault:fort-knox"
]
}
}
}
]
}
```
------
**Limit destination accounts using organizational units in Amazon Organizations**
When attached to an Amazon Organizations root or OU that contains your source account, or when attached to your source account, the following policy limits the destination accounts to those accounts within the two specified OUs.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Action":"backup:CopyFromBackupVault",
"Resource":"*",
"Condition":{
"ForAllValues:StringNotLike":{
"backup:CopyTargetOrgPaths":[
"o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
"o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/ou-jkl0-awsddddd/*"
]
}
}
}
]
}
```
------
## Security considerations for cross-account backup
Be aware of the following when using performing cross-account backups in Amazon Backup:
+ The destination vault cannot be the default vault. This is because the default vault is encrypted with a key that cannot be shared with other accounts.
+ Cross-account backups might still run for up to 15 minutes after you disable cross-account backup. This is due to eventual consistency, and might result in some cross-account jobs starting or completing even after you disable cross-account backup.
+ If the destination account leaves the organization at a later date, that account will retain the backups. To avoid potential data leakage, place a deny permission on the `organizations:LeaveOrganization` permission in a service control policy (SCP) attached to the destination account. For detailed information about SCPs, see [Removing a member account from your organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_accounts_remove.html) in the *Organizations User Guide*.
+ If you delete a copy job role during a cross-account copy, Amazon Backup can't unshare snapshots from the source account when the copy job completes. In this case, the backup job finishes, but the copy job status shows as Failed to unshare snapshot.