Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing Amazon Backup resources across multiple Amazon Web Services accounts

Note

Before you manage resources across multiple Amazon Web Services accounts in Amazon Backup, your accounts must belong to the same organization in the Amazon Organizations service.

You can use the cross-account management feature in Amazon Backup to manage and monitor your backup, restore, and copy jobs across Amazon Web Services accounts that you configure with Amazon Organizations. Amazon Organizations is a service that offers policy-based management for multiple Amazon Web Services accounts from a single management account. It enables you to standardize the way you implement backup policies, minimizing manual errors and effort simultaneously. From a central view, you can easily identify resources in all accounts that meet the criteria that you are interested in.

If you set up Amazon Organizations, you can configure Amazon Backup to monitor activities in all of your accounts in one place. You can also create a backup policy and apply it to selected accounts that are part of your organization and view the aggregate backup job activities directly from the Amazon Backup console. This functionality enables backup administrators to effectively monitor backup job status in hundreds of accounts across their entire enterprise from a single management account. Amazon Organizations quotas apply.

For example, you define a backup policy A that takes daily backups of specific resources and keeps them for 7 days. You choose to apply backup policy A to the whole organization. (This means that each account in the organization gets that backup policy, which creates a corresponding backup plan that is visible in that account.) Then, you create an OU named Finance, and you decide to keep its backups for only 30 days. In this case, you define a backup policy B, which overrides the lifecycle value, and attach it to that Finance OU. This means that all the accounts under the Finance OU get a new effective backup plan that takes daily backups of all specified resources and keeps them for 30 days.

In this example, backup policy A and backup policy B were merged into a single backup policy, which defines the protection strategy for all accounts under the OU named Finance. All the other accounts in the organization remain protected by backup policy A. Merging is done only for backup policies that share the same backup plan name. You can also have policy A and policy B coexist in that account without any merging. You can use advanced merging operators in the JSON view of the console only. For details about merging policies, see Defining policies, policy syntax, and policy inheritance in the Amazon Organizations User Guide. For additional references and use cases, see the blog Managing backups at scale in your Amazon Organizations using Amazon Backup and the video tutorial Managing backups at scale in your Amazon Organizations using Amazon Backup.
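The policy A / policy B merge described above, worked through in code. This is an added example and not Amazon Organizations' own merge implementation: it models only the @@assign and @@append operators used on this page (plus @@remove), treats every other key as a nested section, ignores the @@operators_allowed_for_child_policies inheritance controls, and uses constructed sample policies with an assumed plan name of DailyPlan.

```python
"""Model of how a child backup policy merges with the policy it inherits.
Added example, not Amazon Organizations' own implementation: it handles only
the @@assign and @@append operators used on this page (plus @@remove), treats
every other key as a nested section, and does not model the
@@operators_allowed_for_child_policies inheritance controls."""
from typing import Any

OPERATORS = {"@@assign", "@@append", "@@remove"}

# Constructed sample: policy A, attached at the organization root.
# Daily backups, kept for 7 days.
POLICY_A = {
    "plans": {
        "DailyPlan": {
            "regions": {"@@append": ["us-east-1"]},
            "rules": {
                "Daily": {
                    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
                    "target_backup_vault_name": {"@@assign": "Default"},
                    "lifecycle": {"delete_after_days": {"@@assign": "7"}},
                }
            },
        }
    }
}

# Constructed sample: policy B, attached to the Finance OU. Same plan name,
# so it merges with A: it overrides only the lifecycle and adds a Region.
POLICY_B = {
    "plans": {
        "DailyPlan": {
            "regions": {"@@append": ["eu-west-1"]},
            "rules": {"Daily": {"lifecycle": {"delete_after_days": {"@@assign": "30"}}}},
        }
    }
}


def resolve(inherited: Any, node: Any) -> Any:
    """Apply `node` (policy text with operators) on top of the already
    resolved `inherited` value and return the resolved result."""
    if not isinstance(node, dict):
        return node
    if OPERATORS & node.keys():
        value = inherited
        if "@@assign" in node:          # child value replaces the parent's
            value = node["@@assign"]
        if "@@append" in node:          # child extends the parent's list
            value = list(value or []) + list(node["@@append"])
        if "@@remove" in node:          # child drops entries from the list
            value = [v for v in (value or []) if v not in node["@@remove"]]
        return value
    merged = dict(inherited) if isinstance(inherited, dict) else {}
    for key, child in node.items():     # plain key: recurse, keep untouched parent keys
        merged[key] = resolve(merged.get(key), child)
    return merged


def effective_policy(chain: list) -> dict:
    """Fold policies from the root down to the account, e.g. [A, B] for Finance."""
    effective: Any = None
    for policy in chain:
        effective = resolve(effective, policy)
    return effective
```

A policy under a different plan name is not merged at all: its plan simply coexists next to DailyPlan in the effective policy.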

Please see Feature availability by Amazon Region to see where the cross-account management feature is available.

To use cross-account management, you must follow these steps:

  1. Create a management account in Amazon Organizations and add accounts under the management account.

  2. Enable the cross-account management feature in Amazon Backup.

  3. Create a backup policy to apply to all Amazon Web Services accounts under your management account.

    Note

    For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account, even if one or more delegated administrator accounts are configured. Delegated administrator accounts are member accounts with enhanced features and cannot override settings like a management account can.

  4. Manage backup, restore, and copy jobs in all your Amazon Web Services accounts.

Creating a management account in Organizations

First, you must create your organization and configure it with Amazon member accounts in Amazon Organizations.

To create a management account in Amazon Organizations and add accounts

Enabling cross-account management

Before you can use cross-account management in Amazon Backup, you have to enable the feature (that is, opt in to it). After the feature is enabled, you can create backup policies that allow you to automate simultaneous management of multiple accounts.

To enable cross-account management
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup/. You must sign in using the credentials of your management account.

  2. In the left navigation pane, choose Settings to open the cross-account management page.

  3. In the Backup policies section, choose Enable.

    This gives you access to all the accounts and allows you to create policies that automate management of multiple accounts in your organization simultaneously.

  4. In the Cross-account monitoring section, choose Enable.

    This enables you to monitor the backup, copy, and restore activities of all accounts in your organization from your management account.

Delegated administrator

Delegated administration provides a convenient way for assigned users in a registered member account to perform most Amazon Backup administrative tasks. You can choose to delegate administration of Amazon Backup to a member account in Amazon Organizations, thereby extending the ability to manage Amazon Backup from outside the management account and across the entire organization.

A management account, by default, is the account used to edit and manage policies. Using the delegated administrator feature, you can delegate these management functions to member accounts you designate. In turn, those accounts can manage policies, in addition to the management account.

After a member account has been successfully registered for delegated administration, it is a delegated administrator account. Note that accounts, not users, are designated as delegated administrators.

Enabling delegated administrator accounts gives those accounts the option of managing backup policies, minimizes the number of users who need access to the management account, and permits cross-account monitoring of jobs.

Below is a table showing the functions of the management account, accounts delegated as Backup administrators, and accounts that are members within the Amazon Organization.

Note

Delegated administrator accounts are member accounts with enhanced features but cannot override service opt-in settings of other member accounts like a management account can.

Privileges                                                      Management account   Delegated administrator   Member account
Register/deregister delegated administrator accounts            Yes                  No                        No
Manage backup policies across accounts in Amazon Organizations  Yes                  Yes                       No
Monitor cross-account jobs                                      Yes                  Yes                       No

Prerequisites

Before you can delegate backup administration, you must first register at least one member account in your Amazon organization as a delegated administrator. Before you can register an account as a delegated administrator, you must first configure the following:

  • Amazon Organizations must be enabled and configured with at least one member account in addition to your default management account.

  • In the Amazon Backup console, ensure backup policies, cross-account monitoring, and cross-account backup features are turned on. These are below the Delegated administrators pane in the Amazon Backup console.

    • Cross-account monitoring allows you to monitor backup activity across all the accounts in your organization from the management account, as well as from delegated administrator accounts.

    • Optional: Cross-account backup, which allows accounts in your organization to copy backups to other accounts (for Backup-supported cross-account resources).

    • Enable service access with Amazon Backup.

There are two steps involved in setting up delegated administration. The first step is to delegate cross-account jobs monitoring. The second step is to delegate backup policy management.

Register a member account as a delegated administrator account

This first section uses the Amazon Backup console to register a delegated administrator account to monitor cross-account jobs. To delegate Amazon Backup policies, you use the Organizations console in the next section.

To register a member account using the Amazon Backup Console:

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup/. You must sign in using the credentials of your management account.

  2. Under My Account in the left-hand navigation of the console, choose Settings.

  3. In the Delegated administrator pane, click Register delegated administrator or Add delegated administrator.

  4. On the Register delegated administrator page, select the account you want to register, and then choose Register account.

This designated account is now registered as a delegated administrator, with administrative privileges to monitor jobs across accounts within the organization and to view and edit policies (policy delegation). This member account cannot register or deregister other delegated administrator accounts. You can use the console to register up to 5 accounts as delegated administrators.

To register a member account programmatically:

Use the CLI command register-delegated-administrator. You can specify the following parameters in your CLI request:

  • service-principal

  • account-id

Below is an example of a CLI request to register a member account programmatically:

    aws organizations register-delegated-administrator \
        --account-id 012345678912 \
        --service-principal "backup.amazonaws.com"

Deregister a member account

Use the following procedure to remove administrative access from Amazon Backup by deregistering a member account in your Amazon organization that had previously been designated as a delegated administrator.

To deregister a member account using the Console

  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup/. You must sign in using the credentials of your management account.

  2. Under My Account in the left-hand navigation of the console, choose Settings.

  3. In the Delegated administrator section, click Deregister account.

  4. Choose the account(s) you want to deregister.

  5. In the Deregister account dialog box, review the security implications, and then type confirm to complete the deregistration.

  6. Choose Deregister account.

To deregister a member account programmatically:

Use the CLI command deregister-delegated-administrator to deregister a delegated administrator account. You can specify the following parameters in your CLI request:

  • service-principal

  • account-id

Below is an example of a CLI request to deregister a member account programmatically:

    aws organizations deregister-delegated-administrator \
        --account-id 012345678912 \
        --service-principal "backup.amazonaws.com"

Delegate Amazon Backup policies through Amazon Organizations

Within the Amazon Organizations console, you can delegate administration of multiple policies, including Backup policies.

From the management account logged into the Amazon Organizations console, you can create, view, or delete a resource-based delegation policy for your organization. For steps to delegate policies, see Create a resource-based delegation policy in the Amazon Organizations User Guide.

Creating a backup policy

After you enable cross-account management, create a cross-account backup policy from your management account.

Warning

When you create a policy with JSON, duplicate key names will be rejected. The name of each key must be unique if multiple plans, rules, or selections are included in a single policy.

Create a backup policy through the Amazon Backup console
  1. In the left navigation pane, choose Backup policies. On the Backup policies page, choose Create backup policies.

  2. In the Details section, enter a backup policy name and provide a description.

  3. In the Backup plans details section, choose the visual editor tab and do the following:

    1. For Backup plan name, enter a name.

    2. For Regions, choose a Region from the list.

  4. In the Backup rule configuration section, choose Add backup rule.

    The maximum number of rules per backup plan is 10. If a plan contains more than 10 rules, the backup plan will be ignored and no backups will be created from it.

    1. For Rule name, enter a name for the rule. The rule name is case sensitive and can contain only alphanumeric characters or hyphens.

    2. For Schedule, choose a backup frequency in the Frequency list, and choose one of the Backup window options. We recommend that you choose Use backup window defaults—recommended.

  5. For Lifecycle, choose the lifecycle settings you want.

  6. For Backup vault name, enter a name. This is the backup vault where recovery points created by your backups will be stored.

    Make sure that the backup vault exists in all your accounts. Amazon Backup doesn't check for this.

  7. (optional) Choose a destination Region from the list if you want your backups to be copied to another Amazon Web Services Region, and add tags. You can choose tags for the recovery points that are created, regardless of the cross-Region copy settings. You can also add more rules.

  8. In the Resource assignment section, provide the name of the Amazon Identity and Access Management (IAM) role. To use the Amazon Backup service role, provide service-role/AWSBackupDefaultServiceRole.

    Amazon Backup assumes this role in each account to gain the permissions to perform backup and copy jobs, including encryption key permissions when applicable. Amazon Backup also uses this role to perform lifecycle deletions.

    Note

    Amazon Backup doesn't validate that the role exists or if the role can be assumed.

    For backup plans created by cross-account management, Amazon Backup uses the opt-in settings from the management account and overrides the settings of the individual member accounts.

    For each account that you want to add backup policies to, you must create the vaults and IAM roles yourself.

  9. Add tags to select the resources you want to back up. The maximum number of tags allowed is 30.

    An Amazon Organizations policy allows at most 30 tags per backup selection when a backup plan is created through an Organizations policy. Additional tags can be included by using multiple resource assignments or multiple backup plans.

    If the number of tags exceeds 30 in the same backup selection, either through modifying the existing selection or using @@append, the backup plan will become invalid and will be removed from the local account.

  10. In the Advanced settings section, choose Windows VSS if the resource you're backing up is running Microsoft Windows on an Amazon EC2 instance. This enables you to take application-consistent Windows VSS backups.

    Note

    Amazon Backup currently supports application-consistent backups of resources running on Amazon EC2 only. Not all instance types or applications are supported for Windows VSS backups. For more information, see Creating Windows VSS backups.

  11. Choose Add backup plan to add it to the policy, and then choose Create backup policy.

    Creating a backup policy doesn't protect your resources until you attach it to the accounts. You can choose your policy name and see the details.

    The following is an example Amazon Organizations policy that creates a backup plan. If you enable Windows VSS backup, you must add permissions that allow you to take application-consistent backups as shown in the advanced_backup_settings section of the policy.

    {
      "plans": {
        "PiiBackupPlan": {
          "regions": {
            "@@append": [ "us-east-1", "eu-north-1" ]
          },
          "rules": {
            "Hourly": {
              "schedule_expression": { "@@assign": "cron(0 0/1 ? * * *)" },
              "start_backup_window_minutes": { "@@assign": "60" },
              "complete_backup_window_minutes": { "@@assign": "604800" },
              "target_backup_vault_name": { "@@assign": "FortKnox" },
              "recovery_point_tags": {
                "owner": {
                  "tag_key": { "@@assign": "Owner" },
                  "tag_value": { "@@assign": "Backup" }
                }
              },
              "lifecycle": {
                "delete_after_days": { "@@assign": "365" },
                "move_to_cold_storage_after_days": { "@@assign": "180" }
              },
              "copy_actions": {
                "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault": {
                  "target_backup_vault_arn": {
                    "@@assign": "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault"
                  },
                  "lifecycle": {
                    "delete_after_days": { "@@assign": "365" },
                    "move_to_cold_storage_after_days": { "@@assign": "180" }
                  }
                }
              }
            }
          },
          "selections": {
            "tags": {
              "SelectionDataType": {
                "iam_role_arn": { "@@assign": "arn:aws:iam::$account:role/MyIamRole" },
                "tag_key": { "@@assign": "dataType" },
                "tag_value": { "@@assign": [ "PII", "RED" ] }
              }
            }
          },
          "backup_plan_tags": {
            "stage": {
              "tag_key": { "@@assign": "Stage" },
              "tag_value": { "@@assign": "Beta" }
            }
          }
        }
      }
    }
  12. In the Targets section, choose the organizational unit or account that you want to attach the policy to, and choose Attach. The policy can also be added to individual organizational units or accounts.

    Note

    Make sure to validate your policy and that you include all required fields in the policy. If parts of the policy are not valid, Amazon Backup ignores those parts, but the valid parts of the policy will work as expected. Currently, Amazon Backup does not validate Amazon Organizations policies for correctness.

    If you apply one policy to the management account and a different policy to a member account, and they conflict (for example, having different backup retention periods), both policies will run without issues (that is, the policies will independently run for each account). For example, if the management account policy backs up an Amazon EBS volume once a day, and the local policy backs up an EBS volume once a week, both policies will run.

    If required fields are missing in the effective policy that will be applied to an account (probably due to merging between different policies), Amazon Backup doesn't apply the policy to the account at all. If some settings are not valid, Amazon Backup adjusts them.

    Regardless of the opt-in settings in a member account in a backup plan that is created from a backup policy, Amazon Backup will use the opt-in settings specified in the management account of the organization.

    When you attach a policy to an organizational unit, every account that joins this organizational unit gets this policy automatically, and every account that is removed from the organizational unit loses this policy. The corresponding backup plans are deleted automatically from that account.
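Because Amazon Backup does not validate Organizations policies, does not check that the vault or IAM role exists, and silently drops plans that exceed the rule or tag limits, a pre-flight check run before attaching the policy catches these problems early. The following is an added example and not Amazon Backup's own validation: it applies the limits stated on this page (unique key names, at most 10 rules per plan, at most 30 tags per selection, counted here as the values listed under tag_value) and inventories the vaults and roles that must exist in every target account; the sample policy text is constructed in the shape of the policy above.

```python
"""Pre-flight checks for an Organizations backup policy before you attach it.
Added example, not Amazon Backup's own validation. It applies limits stated on
this page (unique key names, at most 10 rules per plan, at most 30 tags per
selection, counted here as the values listed under tag_value) and inventories
the vaults and IAM roles that must already exist in every target account,
because Amazon Backup does not check that they do."""
import json
from typing import Any

MAX_RULES_PER_PLAN = 10
MAX_TAGS_PER_SELECTION = 30


def _no_duplicate_keys(pairs):
    """json object_pairs_hook: a repeated key name is an error, not a silent overwrite."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key name: {key!r}")
        obj[key] = value
    return obj


def load_policy(text: str) -> dict:
    return json.loads(text, object_pairs_hook=_no_duplicate_keys)


def _value(node: Any) -> Any:
    """Unwrap an {"@@assign": x} or {"@@append": [...]} leaf to its bare value."""
    return node.get("@@assign", node.get("@@append")) if isinstance(node, dict) else node


def check_policy(policy: dict) -> dict:
    """Return limit violations plus the vaults and roles each target account needs."""
    errors, vaults, roles = [], set(), set()
    for plan_name, plan in policy.get("plans", {}).items():
        rules = plan.get("rules", {})
        if len(rules) > MAX_RULES_PER_PLAN:
            errors.append(f"{plan_name}: {len(rules)} rules, plan would be ignored")
        for rule in rules.values():
            vaults.add(_value(rule.get("target_backup_vault_name")))
            for copy in rule.get("copy_actions", {}).values():
                vaults.add(_value(copy.get("target_backup_vault_arn")))
        for sel_name, sel in plan.get("selections", {}).get("tags", {}).items():
            tags = _value(sel.get("tag_value")) or []
            if len(tags) > MAX_TAGS_PER_SELECTION:
                errors.append(f"{plan_name}/{sel_name}: {len(tags)} tags, plan would be removed")
            roles.add(_value(sel.get("iam_role_arn")))
    # Drop the None left behind by rules or selections that name no vault or role.
    return {"errors": errors, "vaults": sorted(v for v in vaults if v),
            "roles": sorted(r for r in roles if r)}


# Constructed sample in the shape of the policy shown on this page.
GOOD_POLICY = """{"plans": {"PiiBackupPlan": {
  "regions": {"@@append": ["us-east-1"]},
  "rules": {"Hourly": {
    "schedule_expression": {"@@assign": "cron(0 0/1 ? * * *)"},
    "target_backup_vault_name": {"@@assign": "FortKnox"},
    "copy_actions": {"copy1": {"target_backup_vault_arn":
      {"@@assign": "arn:aws:backup:eu-north-1:$account:backup-vault:myTargetBackupVault"}}}}},
  "selections": {"tags": {"SelectionDataType": {
    "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/MyIamRole"},
    "tag_key": {"@@assign": "dataType"},
    "tag_value": {"@@assign": ["PII", "RED"]}}}}}}}"""

# The same text with the rule name repeated, which the parser must reject.
DUPLICATE_KEY_POLICY = GOOD_POLICY.replace('"rules": {"Hourly"', '"rules": {"Hourly": {}, "Hourly"')
```

The vaults and roles lists are what an administrator verifies, with $account substituted, in each account the policy targets before attaching it.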

Monitoring activities in multiple Amazon Web Services accounts

To monitor backup, copy, and restore jobs across accounts, you must enable cross-account monitoring. This lets you monitor backup activities in all accounts from your organization's management account. After you opt in, all the jobs across your organization that were created after the opt-in are visible. When you opt out, Amazon Backup keeps the jobs in the aggregated view for 30 days (from reaching a terminal state). Jobs created after the opt-out are not visible in the aggregated view. For opt-in instructions, see Enabling cross-account management.

To monitor multiple accounts
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup/. You must sign in using the credentials of your management account.

  2. In the left navigation pane, choose Settings to open the cross-account management page.

  3. In the Cross-account monitoring section, choose Enable.

    This enables you to monitor the backup and restore activities of all accounts in your organization from your management account.

  4. In the left navigation pane, choose Cross-account monitoring.

  5. On the Cross-account monitoring page, choose the Backup jobs, Restore jobs, or Copy jobs tab to see all the jobs created in all your accounts. You can see each of these jobs by Amazon Web Services account ID, and you can see all the jobs in a particular account.

  6. In the search box, you can filter the jobs by Account ID, Status, or Job ID.

    For example, you can choose the Backup jobs tab and see all backup jobs created in all your accounts. You can filter the list by Account ID and see all the backup jobs created in that account.

Resource opt-in rules

If a member account's backup plan was created by an Organizations-level backup policy, the Amazon Backup opt-in settings for the Organizations management account will override the opt-in settings in that member account, but only for that backup plan.

If the member account also has local-level backup plans created by users, those backup plans will follow the opt-in settings in the member account, without reference to the Organizations management account's opt-in settings.

Defining policies, policy syntax, and policy inheritance

The following topics are documented in the Amazon Organizations User Guide.