Managing Amazon Backup resources across multiple Amazon Web Services accounts
Note
Before you manage resources across multiple Amazon Web Services accounts in Amazon Backup, your accounts must belong to the same organization in the Amazon Organizations service.
You can use the cross-account management feature in Amazon Backup to manage and monitor your backup, restore, and copy jobs across Amazon Web Services accounts that you configure with Amazon Organizations. Amazon Organizations is a service that offers policy-based management for multiple Amazon Web Services accounts from a single management account. It enables you to standardize the way you implement backup policies, minimizing manual errors and effort simultaneously. From a central view, you can easily identify resources in all accounts that meet the criteria that you are interested in.
If you set up Amazon Organizations, you can configure Amazon Backup to monitor activities in all of your accounts in one place. You can also create a backup policy and apply it to selected accounts that are part of your organization and view the aggregate backup job activities directly from the Amazon Backup console. This functionality enables backup administrators to effectively monitor backup job status in hundreds of accounts across their entire enterprise from a single management account. Amazon Organizations quotas apply.
For example, you define a backup policy A that takes daily backups of specific resources and keeps them for 7 days. You choose to apply backup policy A to the whole organization. (This means that each account in the organization gets that backup policy, which creates a corresponding backup plan that is visible in that account.) Then, you create an OU named Finance, and you decide to keep its backups for only 30 days. In this case, you define a backup policy B, which overrides the lifecycle value, and attach it to that Finance OU. This means that all the accounts under the Finance OU get a new effective backup plan that takes daily backups of all specified resources and keeps them for 30 days.
In this example, backup policy A and backup policy B were merged into a single backup
policy, which defines the protection strategy for all accounts under the OU named Finance.
All the other accounts in the organization remain protected by backup policy A. Merging is
done only for backup policies that share the same backup plan name. You can also have policy
A and policy B coexist in that account without any merging. You can use advanced merging
operators in the JSON view of the console only. For details about merging policies, see
Defining policies, policy syntax, and policy
inheritance in the
Amazon Organizations User Guide. For additional references and use cases, see
the blog Managing backups at scale in your Amazon Organizations using Amazon Backup
Please see Feature availability by Amazon Region to see where the cross-account management feature is available.
To use cross-account management, you must follow these steps:
-
Create a management account in Amazon Organizations and add accounts under the management account.
-
Enable the cross-account management feature in Amazon Backup.
-
Create a backup policy to apply to all Amazon Web Services accounts under your management account.
Note
For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account, even if one or more delegated administrator accounts are configured. Delegated administrator accounts are member accounts with enhanced features and cannot override settings like a management account can.
-
Manage backup, restore, and copy jobs in all your Amazon Web Services accounts.
Contents
Creating a management account in Organizations
First, you must create your organization and configure it with Amazon member accounts in Amazon Organizations.
To create a management account in Amazon Organizations and add accounts
-
For instructions, see Tutorial: Creating and configuring an organization in the Amazon Organizations User Guide.
Enabling cross-account management
Before you can use cross-account management in Amazon Backup, the management account must enable the feature (that is, opt in to it). After the management account enables cross-account management, you can create backup policies that manage resources in multiple accounts.
To enable cross-account management
-
Open the Amazon Backup console at https://console.amazonaws.cn/backup/
. You must sign in using the credentials of your management account. -
In the left navigation pane, choose Settings to open the cross-account management page.
-
In the Backup policies section, choose Enable.
This gives you access to all the accounts and allows you to create policies that automate management of multiple accounts in your organization simultaneously.
-
In the Cross-account monitoring section, choose Enable.
This enables you to monitor the backup, copy, and restore activities of all accounts in your organization from your management account.
Delegated administrator
Delegated administration provides a convenient way for assigned users in a registered member account to perform most Amazon Backup administrative tasks. You can choose to delegate administration of Amazon Backup to a member account in Amazon Organizations, thereby extending the ability to manage Amazon Backup from outside the management account and across the entire organization.
A management account, by default, is the account used to edit and manage policies. Using the delegated administrator feature, you can delegate these management functions to member accounts you designate. In turn, those accounts can manage policies, in addition to the management account.
After a member account has been successfully registered for delegated administration, it is a delegated administrator account. Note that accounts, not users, are designated as delegated administrators.
Enabling delegated administrator accounts allows the option of managing backup policies, it minimizes the number of users with access to the management account, and it permits cross-account monitoring of jobs.
Below is a table showing the functions of the management account, accounts delegated as Backup administrators, and accounts that are members within the Amazon Organization.
Note
Delegated administrator accounts are member accounts with enhanced features but cannot override service opt-in settings of other member accounts like a management account can.
| PRIVILEGES | MANAGEMENT ACCOUNT | DELEGATED ADMINISTRATOR | MEMBER ACCOUNT |
|---|---|---|---|
| Register/deregister delegated administrator accounts | Yes | No | No |
| Enable cross-account management | Yes | No | No |
| Manage backup policies across accounts in Amazon Organizations | Yes | Yes | No |
| Monitor cross-account jobs | Yes | Yes | No |
Prerequisites
Before you can delegate backup administration, you must first register at least one member account in your Amazon organization as a delegated administrator. Before you can register an account as a delegated administrator, you must first configure the following:
Amazon Organizations must be enabled and configured with at least one member account in addition to your default management account.
-
In the Amazon Backup console, ensure backup policies, cross-account monitoring, and cross-account backup features are turned on. These are below the Delegated administrators pane in the Amazon Backup console.
-
Cross-account monitoring allows you to monitor backup activity across all the accounts in your organization from the management account, as well as from delegated administrator accounts.
-
Optional: Cross-account backup, which allows accounts in your organization to copy backups to other accounts (for Backup-supported cross-account resources).
-
Enable service access with Amazon Backup.
-
There are two steps involved in setting up delegated administration. The first step is to delegate cross-account jobs monitoring. The second step is to delegate backup policy management.
Register a member account as a delegated administrator account
This is the first section: Using the Amazon Backup console to register a delegated administrator account to monitor cross- account jobs. To delegate Amazon Backup policies, you will use the Organizations console in the next section.
To register a member account using the Amazon Backup Console:
-
Open the Amazon Backup console at https://console.amazonaws.cn/backup/
. You must sign in using the credentials of your management account. Under My Account in the left-hand navigation of the console, choose Settings.
In the Delegated administrator pane, click Register delegated administrator or Add delegated administrator.
On the Register delegated administrator page, select the account you want to register, and then choose Register account.
This designated account will now be registered as a delegated administrator, with administrative privileges to monitor jobs across accounts within the organization and can view and edit policies (policy delegation). This member account cannot register or deregister other delegated administrator accounts. You can use the console to register up to 5 accounts as delegated administrators.
Ensure that the delegated administrator has the permissions granted by .
To register a member account using programmatically:
Use the CLI command register-delegated-administrator. You can specify the following
parameters in your CLI request:
service-principalaccount-id
Below is an example of a CLI request to register a member account programmatically:
aws organizations register-delegated-administrator \ --account-id 012345678912 \ --service-principal "backup.amazonaws.com"
Deregister a member account
Use the following procedure to remove administrative access from Amazon Backup by deregistering a member account in your Amazon organization that had previously been designated as a delegated administrator.
To deregister a member account using the Console
-
Open the Amazon Backup console at https://console.amazonaws.cn/backup/
. You must sign in using the credentials of your management account. Under My Account in the left-hand navigation of the console, choose Settings.
In the Delegated administrator section, click Deregister account.
Choose the account(s) you want to deregister.
In the Deregister account dialog box, review the security implications, and then type
confirmto complete the deregistration.Choose
Deregister account.
To deregister a member account using programmatically:
Use the CLI command deregister-delegated-administrator to deregister a delegated administrator
account. You can specify the following parameters in your API request:
service-principalaccount-id
Below is an example of a CLI request to deregister a member account programmatically:
aws organizations deregister-delegated-administrator \ --account-id 012345678912 \ --service-principal "backup.amazonaws.com"
Delegate Amazon Backup policies through Amazon Organizations
Within the Amazon Organizations console, you can delegate administration of multiple policies, including Backup policies.
From the management account logged into the
Amazon Organizations console
Backup policies
You can combine backup plans with the scalability of policies in Amazon Organizations to create backup policies to simplify management across your organization.
See the Amazon Organizations User Guide for information on how to enable backup policies for your organization so you can:
See Amazon Backup quotas for Amazon Backup-specific quotas on elements contained in a policy.
Monitoring activities in multiple Amazon Web Services accounts
To monitor backup, copy, and restore jobs across accounts, you must enable cross-account monitoring. This lets you monitor backup activities in all accounts from your organizations management account. After you opt in, all the jobs across your organization that were created after the opt-in are visible. When you opt out, Amazon Backup keeps the jobs in the aggregated view for 30 days (from reaching a terminus state). Created jobs after the opt-out are not visible and do not show any newly created backup jobs. For opt-in instructions, see Enabling cross-account management.
To monitor multiple accounts
-
Open the Amazon Backup console at https://console.amazonaws.cn/backup/
. You must sign in using the credentials of your management account. -
In the left navigation pane, choose Settings to open the cross-account management page.
-
In the Cross-account monitoring section, choose Enable.
This enables you to monitor the backup and restore activities of all accounts in your organization from your management account.
-
In the left navigation pane, choose Cross-account monitoring.
-
On the Cross-account monitoring page, choose the Backup jobs, Restore jobs, or Copy jobs tab to see all the jobs created in all your accounts. You can see each of these jobs by Amazon Web Services account ID, and you can see all the jobs in a particular account.
-
In the search box, you can filter the jobs by Account ID, Status, or Job ID.
For example, you can choose the Backup jobs tab and see all backup jobs created in all your accounts. You can filter the list by Account ID and see all the backup jobs created in that account.
Resource opt-in rules
If a member account's backup plan was created by an Organizations-level backup policy, the Amazon Backup opt-in settings for the Organizations management account will override the opt-in settings in that member account, but only for that backup plan.
If the member account also has local-level backup plans created by users, those backup plans will follow the opt-in settings in the member account, without reference to the Organizations management account's opt-in settings.
Defining policies, policy syntax, and policy inheritance
The following topics are documented in the Amazon Organizations User Guide.
-
Backup policies – See Backup policies.
-
Policy syntax – See Backup policy syntax and examples.
-
Inheritance for management policy types – See Inheritance for management policy types.