Logo

dev-resources.site

for different kinds of informations.

Aurora snapshot recovery cross-account

Published at
11/20/2024
Categories
awsbackup
awscli
aws
backup
Author
Anuj Tyagi
Categories
4 categories in total
awsbackup
open
awscli
open
aws
open
backup
open
Aurora snapshot recovery cross-account

This is the next part from https://dev.to/sudo_anuj/global-disaster-recovery-for-aws-aurora-2ih8

In part one, we took backup in cross region and cross account of AWS Aurora. Now, we will test how can restore it back in case a disaster happens.

We did setup of our automated backup using Terraform but here for recovery we will use awsli which will be quick in case of data recovery.

We will use 123 as account_id for main_account and 321 for disaster_recovery account.

First, we need to note our source and destination accounts, and their regions.

Source account (GDR) and region where we have target snapshot stored in AWS backup vault: 123 (US-EAST-1)

Destination account (RCW production) and region where we will restore the Aurora database: 321 (US-WEST-2)

Note: AWS don't support single copy action that performs both cross-Region AND cross-account backup. You can choose one or the other.

For that reason, we will first copy the aurora snapshot from aws backup in a intermediate RCW production account vault-123 (US-EAST-1)

Policy updates

Before we start restoration, we need to update access policies on source and destination accounts.

Source account

Find the KMS key in use on the GDR backup vault. Update policy for that key so it can be shared with the destination account.

{
"Version": "2012-10-17",
"Id": "cab-kms-key",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SourceAccountID :root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::SourceAccountID :root",
"arn:aws:iam::DestinationAccountID:root"
]
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::SourceAccountID:root",
"arn:aws:iam::DestinationAccountID:root"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

Destination account
We need to update AWS backup vault policy so we can copy Aurora snapshot from source destination account to destination account AWS backup vault.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SourceAccountID:root"
},
"Action": "backup:CopyIntoBackupVault",
"Resource": "*"
}
]
}

*List AWS backup vault *

In the GDR account, we don't have AWS console access but we need to get vault name ARN that we want to check after the copy is completed.
Also, during restoration we need to get GDR vault name ARN and recovery points.
We can use below command to list recovery points in GDR vault
aws backup list-recovery-points-by-backup-vault --backup-vault-name-us-east-1-aurora-dr-backup --region us-east-1

Copy the snapshot cross-account from aws console
From the source account AWS backup vault, select AWS backup vault where our snapshot is stored.
Select the recovery point we want to restore and click actions > copy

  1. When you click "copy", you need to select existing destination vault ARN and IAM role with permission to copy AWS backup

Now, check the destination vault. You should see the recovery point.

Copy the snapshot cross-account from aws cli

export RECOVERY_POINT_ARN="<ARN of source vault recovery point>"
export SOURCE_VAULT_NAME="<Source Vault name>"
export TARGET_VAULT_ARN="<Destination vault ARN>"
export IAM_ROLE_ARN="<Source AWS IAM role with cross account AWS copy permission>"
export TOKEN="<customer chosen string to identify among multiple copy jobs>"
export REGION="<aws-region must be same for source and destination>"

aws backup start-copy-job --recovery-point-arn "$RECOVERY_POINT_ARN" --source-backup-vault-name "$SOURCE_VAULT_NAME" --destination-backup-vault-arn "$TARGET_VAULT_ARN" --iam-role-arn "$IAM_ROLE_ARN" --idempotency-token "$TOKEN" --region "$REGION"

Example of cross-account via aws cli from 321 eu-west-1 to 123 eu-west-1

`aws backup start-copy-job --recovery-point-arn arn:aws:rds:eu-west-1:321:cluster-snapshot:awsbackup:copyjob-32b5a35c-ec86-7957-8c41-2e26439ed634 --source-backup-vault-name 321-eu-west-1-rcw-devops-aurora-db --destination-backup-vault-arn arn:aws:backup:eu-west-1:123:backup-vault:restore-test --iam-role-arn arn:aws:iam::321:role/aws-backup-20111111421470 --idempotency-token 5aac8974-78d2-11ea-bc55-01111111 --region eu-west-1

{
"CopyJobId": "A3B03165-5D50-07C2-0289-8B887B53D8B5",
"CreationDate": 1718993105.097
}`

Note: You cannot copy Aurora snapshot cross account and cross region both at same time. Only one is possible at a time.

If you try to perform vault copy operation in different accounts and different region, you may get below error.

Copy snapshot cross-region from aws console

Similar to cross-account, we can go to source AWS vault > select recovery point ID > Actions > copy

Copy snapshot cross-region from aws cli

export RECOVERY_POINT_ARN="<ARN of source vault recovery point>"
export SOURCE_VAULT_NAME="<Source Vault name>"
export TARGET_VAULT_ARN="<Destination vault ARN>"
export IAM_ROLE_ARN="<Source AWS IAM role with cross account AWS copy permission>"
export REGION="<aws-region must be same for source and destination>"

aws backup start-copy-job --recovery-point-arn "$RECOVERY_POINT_ARN" --source-backup-vault-name "$SOURCE_VAULT_NAME" --destination-backup-vault-arn "$TARGET_VAULT_ARN" --iam-role-arn "$IAM_ROLE_ARN" --region "$REGION"

*Example execution of cross region copy operation from us-east-1 vault to us-west-2 vault *

`aws backup start-copy-job --recovery-point-arn arn:aws:rds:us-east-1:123:cluster-snapshot:awsbackup:copyjob-755c193e-8a59-ef96-9e6e --source-backup-vault-name -us-east-1-aurora-dr-backup --destination-backup-vault-arn arn:aws:backup:us-west-2:123:backup-vault:us-west-2-aurora-restore --iam-role-arn arn:aws:iam::123:role/service-role/AWSBackupDefaultServiceRole --idempotency-token 5aac8974-78d-12312313 --region us-east-1

{
"CopyJobId": "xxxxxxx-123-11111-xxxxxxxxxx5433A",
"CreationDate": 1719263869.899
}`

Restoration of database
Once we get a database snapshot in the required account and region after copy from the previous step, we can start with restoration of the database.

This will be done in 2 steps:

  • Start restoration from recovery point and RDS cluster creation
  • Create database instance - read and write

Start restoration from recovery point and RDS cluster creation

Go to aws account and the region where we want to restore the database. Make sure we successfully received a snapshot in the recovery point of aws backup in that region through a copy job.
Now, go to that aws vault and select recovery point we want to restore > click actions and select restore

Then, you will get the option to select before starting restoration. After selecting all options here, the Aurora cluster will start creating. This can take approx. 10 mins.

Create database instance - read and write

This step should be done after cluster creation

aws rds create-db-instance --db-instance-identifier <instance-name> --db-cluster-identifier <existing-cluster-name> --db-instance-class <db-instance-class> --engine aurora-postgresql --region <region of restoration>

References:
https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-by-resource
https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-policy.html#examples
https://repost.aws/knowledge-center/backup-troubleshoot-cross-account-copy
https://docs.aws.amazon.com/cli/latest/reference/backup/start-copy-job.html
https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-by-resource

Featured ones: