Copying backups
You can use Amazon FSx to manually copy backups within the same Amazon account to another Amazon
Region (cross-Region copies) or within the same Amazon Region (in-Region copies). You can make cross-Region
copies only within the same Amazon partition. You can create user-initiated backup copies using the
Amazon FSx console, Amazon CLI, or API. When you create a user-initiated backup copy, it has the type USER_INITIATED.
You can also use Amazon Backup to copy backups across Amazon Regions and across Amazon accounts. Amazon Backup is a fully managed backup management service that provides a central interface for policy-based backup plans. With its cross-account management, you can automatically use backup policies to apply backup plans across the accounts within your organization.
Cross-Region backup copies are particularly valuable for cross-Region disaster recovery. You take backups and copy them to another Amazon Region so that in the event of a disaster in the primary Amazon Region, you can restore from backup and recover availability quickly in the other Amazon Region. You can also use backup copies to clone your file dataset to another Amazon Region or within the same Amazon Region. You make backup copies within the same Amazon account (cross-Region or in-Region) by using the Amazon FSx console, Amazon CLI, or Amazon FSx for Lustre API. You can also use Amazon Backup to perform backup copies, either on-demand or policy-based.
Cross-account backup copies are valuable for meeting your regulatory compliance requirements to copy backups to an isolated account. They also provide an additional layer of data protection to help prevent accidental or malicious deletion of backups, loss of credentials, or compromise of Amazon KMS keys. Cross-account backups support fan-in (copy backups from multiple primary accounts to one isolated backup copy account) and fan-out (copy backups from one primary account to multiple isolated backup copy accounts).
You can make cross-account backup copies by using Amazon Backup with Amazon Organizations support. Account boundaries for cross-account copies are defined by Amazon Organizations policies. For more information about using Amazon Backup to make cross-account backup copies, see Creating backup copies across Amazon Web Services accounts in the Amazon Backup Developer Guide.
Backup copy limitations
The following are some limitations when you copy backups:
- Cross-Region backup copies are supported only between any two commercial Amazon Web Services Regions, between the China (Beijing) and China (Ningxia) Regions, and between the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions, but not across those sets of Regions.
- Cross-Region backup copies are not supported in opt-in Regions.
- You can make in-Region backup copies within any Amazon Region.
- The source backup must have a status of AVAILABLE before you can copy it.
- You cannot delete a source backup if it is being copied. There might be a short delay between when the destination backup becomes available and when you are allowed to delete the source backup. You should keep this delay in mind if you retry deleting a source backup.
- You can have up to five backup copy requests in progress to a single destination Amazon Region per account.
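The limitations above can be checked before a copy request is submitted. The following Python pre-flight check is an added example, not part of the Amazon FSx documentation or API: `CopyRequest`, `preflight`, and `partition_of` are hypothetical names, the Region-prefix-to-partition mapping is an assumption, and the set of opt-in Regions is supplied by the caller.

```python
from dataclasses import dataclass

MAX_COPIES_IN_PROGRESS = 5  # per destination Region, per account (limit stated above)


def partition_of(region: str) -> str:
    """Map a Region code to its partition. Assumption: the prefix identifies it."""
    if region.startswith("cn-"):       # cn-north-1 (Beijing), cn-northwest-1 (Ningxia)
        return "aws-cn"
    if region.startswith("us-gov-"):   # us-gov-east-1, us-gov-west-1
        return "aws-us-gov"
    return "aws"                       # commercial Regions


@dataclass(frozen=True)
class CopyRequest:                     # hypothetical container, not an FSx API type
    source_region: str
    dest_region: str
    source_status: str                 # lifecycle status of the source backup
    copies_in_progress: int            # copies already running to dest_region


def preflight(req: CopyRequest, opt_in_regions=frozenset()) -> list:
    """Return the limitations the request violates; an empty list means none."""
    problems = []
    if req.source_status != "AVAILABLE":
        problems.append("source-not-available")
    if req.copies_in_progress >= MAX_COPIES_IN_PROGRESS:
        problems.append("too-many-copies-in-progress")
    if req.source_region == req.dest_region:
        return problems                # in-Region copies work in any Region
    if partition_of(req.source_region) != partition_of(req.dest_region):
        problems.append("cross-partition")
    if {req.source_region, req.dest_region} & set(opt_in_regions):
        problems.append("opt-in-region")
    return problems


if __name__ == "__main__":
    # Constructed sample requests; ap-east-1 is passed in as an opt-in Region.
    samples = [
        CopyRequest("cn-north-1", "cn-northwest-1", "AVAILABLE", 0),
        CopyRequest("us-east-1", "cn-north-1", "CREATING", 5),
        CopyRequest("us-west-2", "ap-east-1", "AVAILABLE", 1),
    ]
    for s in samples:
        print(s.source_region, "->", s.dest_region, preflight(s, {"ap-east-1"}) or "ok")
```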
Permissions for cross-Region backup copies
You use an IAM policy statement to grant permissions to perform a backup copy operation. To communicate with the source Amazon Region to request a cross-Region backup copy, the requester (IAM role or IAM user) must have access to the source backup and the source Amazon Region.
You use the policy to grant permissions to the CopyBackup action for the backup copy operation. You specify the action in the policy's Action field, and you specify the resource value in the policy's Resource field, as in the following example.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "fsx:CopyBackup",
            "Resource": "arn:aws-cn:fsx:*:111122223333:backup/*"
        }
    ]
}
For more information on IAM policies, see Policies and permissions in IAM in the IAM User Guide.
Full and incremental copies
When you copy a backup to a different Amazon Web Services Region from the source backup, the first copy is a full backup copy. After the first backup copy, all subsequent backup copies to the same destination Region within the same Amazon account are incremental, provided that you haven't deleted all previously copied backups in that Region and have been using the same Amazon KMS key. If these conditions aren't both met, the copy operation results in a full (not incremental) backup copy.