AWS Cross-Account RDS Backups
It is hard to deny importance of cross-region copies of RDS snapshots. Recovery will be a very difficult process, if not entirely impossible, in case of a disaster as small as un-availability of AWS region. However, even cross-region copies of backups are not sufficient. What if AWS Account credentials gets compromised? Or some employee goes rogue and deletes snapshots? These scenarios are not unheard of . In any case, it is good idea to have off-site backups. Backup is not a backup if it is not in a completely separate location. Over AWS, these off-site backups can be snapshots stored in entirely different AWS Account. Unfortunately, AWS does not have service which you can use to create and store backups in different account. But it is trivial to set it up yourself using scripts or Lambdas. Creating manual snapshots and saving these snapshots in completely different AWS account will ensure data recovery in majority of disaster scenarios. And this process can be automated easily using AWS services such as Lambda, RDS, Cloud Watch.
- Create: A Lambda can be scheduled to execute and initiate the RDS snapshot process. Automated snapshots cannot be shared. This is why Lambda will need to create manual snapshot before it can be shared and copied.
- Share: Once snapshot has been created, share the snapshot with different AWS Account. All you need is AWS Account ID of new account. Access to this AWS Account should be highly restricted.
- Copy: Only Sharing RDS Snapshot is not enough. Snapshot is shared as a reference and old AWS account will have full ownership over this snapshot. It also means, if snapshot is deleted in old AWS Account then new AWS Account will also lose access to it. Therefore, new AWS Account needs to create copy of this snapshot to have ownership over the copy. Now this backup is entirely independent of original AWS snapshot.
- If you have multiple RDS instances, or if creating manual snapshots take more then 5 minutes, then a single lambda is not sufficient as it will time out. In this case, you can create 1 lambda to create snapshots. Then create another lambda to share/copy snapshots and schedule it to execute x amount of hours after first lambda has executed.
- If RDS instances are encrypted then new AWS account will also needs access to keys for obvious reasons.
- AWS SDK (AmazonRDSClient) has all the methods that you can possible need to create cross-account backups.
For Further Reading: