dev-resources.site
for different kinds of informations.
Disaster recovery for AWS Aurora
In the event of a global disaster recovery, it's essential we have database backup stored in a different AWS account. Aurora RDS can copy DB backups to a different region or a different account but not both. In addition, cross-account copy is not supported if the Aurora DB cluster is deployed with AWS managed keys. Changing a cluster key requires cluster re-deployment.
For such use case, one of the approach is to use AWS backup
For such use case, one of the approach described in AWS document: Protecting encrypted Amazon RDS instances with cross-account and cross-Region backups.
But AWS documentation is based on the AWS cloudformation template. I re-created this using terraform.
This approach provides flexibility to copy AWS Aurora backup to Vault in cross account and cross region both. We don't need the Aurora cluster to be deployed with a custom KMS key.
The solution uses an AWS Backup plan to create scheduled backups of the Amazon RDS database to a source vault (Prod region, Prod account).
The same backup plan defines a copy rule, which copies the backup to an intermediate vault in the same account, but in a DR Region (Prod account, DR storage region).
The solution then uses EventBridge to capture the successful AWS Backup copy job completion and uses these events to trigger an AWS Lambda function. The AWS Lambda function then uses AWS Backup to perform another backup copy job to copy the backup from the intermediate vault in the Prod account to the destination vault that is in a DR account (DR account, DR storage region).
The RDS DB instance encrypted with the default RDS KMS AWS managed key in the production account is backed up by AWS Backup to a SourceVault (configured to use cmk-source-vault-account-a-region-a encryption), and the backup is then copied to the IntermediateVault (configured to use cmk-intermediate-vault-account-a-region-b encryption). Although the SourceVault is configured to use โcmk-source-vault-account-a-region-aโ encryption, the Amazon RDS snapshot that is stored on the SourceVault is still encrypted with the default RDS KMS AWS managed key (aws/rds). The step of copying the snapshot from SourceVault to IntermediateVault will decrypt the snapshot and re-encrypt the snapshot with โcmk-intermediate-vault-account-a-region-bโ in the IntermediateVault. The โcmk-intermediate-vault-account-a-region-bโ customer managed key can then be shared to the DR backup account to be used for the cross-account copy. During the cross-account copy the snapshot will be re-encrypted again with the destination vault key โcmk-destination-vault-account-b-region-bโ.
After the copy to the IntermediateVault is complete, an EvenBridge rule in the production account (account A, Region A) identifies the โcopy job completeโ event and forwards the event to the EventBridge in account A, Region B, which in turn triggers a Lambda function. The Lambda function will check that the appropriate tags exist on the recovery points and will request AWS Backup to copy the backup from the production account (account A, Region B, IntermediateVault) to the DR backup account (account B, Region B, DestinationVault) to achieve the cross-account and cross-Region backup copy.
Pros
- No need to redeploy Aurora clusters
- DR backup copy in another region.
Cons
- Complicated solution.
Implementation
Prerequisites
- An existing organization structure configured in AWS Organizations
- Cross account feature of AWS Backup enabled in the organization
- Opting in for backing up Amazon RDS in each Region
Backup Flow
RDS/S3/EFS instance โ AWS Backup into your account's Vault โ Cross-account copy backup from your Vault into GDR Vault
You can get the Terraform code from Github Repo
Featured ones: