This project implements a secure, automated, cross‑account and cross‑region backup architecture using:
- AWS Backup
- AWS Organizations
- AWS SSO (now IAM Identity Center)
- KMS encryption
- Terraform
The design ensures that Production backups are replicated to a Disaster Recovery (DR) account that is fully isolated and encrypted under a key the Production account cannot administer, so the copies remain recoverable even if the Production account or region is compromised.
- Automated daily backups
- Cross‑account backup replication
- Cross‑region disaster recovery
- Encrypted backups using customer‑managed KMS keys
- Infrastructure as Code (Terraform)
- Secure IAM + SSO integration
- Compliance‑ready architecture
Accounts:
- Prod Account → Runs workloads (EC2, EBS, RDS)
- DR Account → Stores backups only
Regions:
- Prod region: configurable
- DR region: configurable
Core Components:
- AWS Backup Vaults
- AWS Backup Plans
- AWS Backup Selections
- KMS Customer Managed Keys
- IAM Roles
| Component | Ownership |
|---|---|
| Prod Backup Vault | Prod account |
| DR Backup Vault | DR account |
| Prod KMS Key | Prod account |
| DR KMS Key | DR account |
| Backup IAM Role | Prod account |
Trust model:
- DR account explicitly trusts Prod account
- Prod account never controls DR encryption
- DR controls encryption, retention, and access
- AWS Backup runs in Prod
- Resources are backed up into the Prod Backup Vault
- Backup plan triggers copy action
- Backups are copied to DR Backup Vault
- Data is encrypted using DR‑owned KMS key
- DR stores the recovery points; they are immutable only if the DR vault has AWS Backup Vault Lock enabled, since without it any DR principal holding backup:DeleteRecoveryPoint can still remove them
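The Prod side of this flow expressed as Terraform. This is an added illustration, not the project's own `modules/backup` code: the AWS Backup service role with the managed policy, a daily plan whose single rule copies every recovery point into the DR vault, and an ARN‑based selection. The variable names (`prod_kms_key_arn`, `dr_vault_arn`, `protected_resource_arns`), the schedule and the retention periods are assumptions.

```hcl
# Added example for the Prod account (not the project's own module code).
# Assumed inputs; in this project they would come from terraform.tfvars and
# from the dr environment's outputs.
variable "prod_kms_key_arn"        { type = string }       # Prod-owned CMK for the Prod vault
variable "dr_vault_arn"            { type = string }       # arn:aws:backup:<dr-region>:<dr-account>:backup-vault:<name>
variable "protected_resource_arns" { type = list(string) } # EC2, EBS and RDS ARNs to protect

# Service role: trusts only the AWS Backup service, never another account.
resource "aws_iam_role" "backup" {
  name = "prod-aws-backup-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "backup.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# The AWS managed policy named in this README; no inline wildcard policy.
resource "aws_iam_role_policy_attachment" "backup" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# Local vault, encrypted with the Prod-owned key.
resource "aws_backup_vault" "prod" {
  name        = "prod-backup-vault"
  kms_key_arn = var.prod_kms_key_arn
}

# Daily plan: back up into the Prod vault, then copy each recovery point
# to the DR vault. The destination ARN carries the DR account and region,
# which is what makes the copy cross-account and cross-region.
resource "aws_backup_plan" "daily" {
  name = "prod-daily"

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.prod.name
    schedule          = "cron(0 3 * * ? *)" # 03:00 UTC every day (assumed)

    lifecycle {
      delete_after = 35 # local copies are short-lived (assumed)
    }

    copy_action {
      destination_vault_arn = var.dr_vault_arn
      lifecycle {
        delete_after = 90 # DR copies outlive the Prod copies (assumed)
      }
    }
  }
}

# Selection by explicit ARNs, as the README states; no tag-based wildcards.
resource "aws_backup_selection" "workloads" {
  name         = "prod-workloads"
  plan_id      = aws_backup_plan.daily.id
  iam_role_arn = aws_iam_role.backup.arn
  resources    = var.protected_resource_arns
}
```

The copy job is only accepted if the DR vault policy and the DR key policy already grant the Prod account, which is why the `dr` environment has to be applied before this one.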
```text
environments/
  prod/
    main.tf
    providers.tf
    terraform.tfvars
    iam-backup.tf
    outputs.tf
    variables.tf
  dr/
    main.tf
    providers.tf
    terraform.tfvars
    variables.tf
    outputs.tf
modules/
  backup/
  kms/
  ec2/
  rds/
  bastion/
  network/
```
- DR owns the KMS key used for DR backups
- Prod is granted usage permission only
- DR controls:
  - Rotation
  - Deletion
  - Policy
  - Encryption lifecycle
This guarantees:
- True isolation
- Blast‑radius control
- Secure disaster recovery
- AWS Backup IAM Role
- AWS Managed Policy: AWSBackupServiceRolePolicyForBackup
- Backup Vault Policy:
  - Allows backup:CopyIntoBackupVault from Prod
  - Allows
Two trust layers exist:
- KMS Key Policy (DR): allows the Prod account to use the DR key (encrypt and generate data keys) when recovery points are written into the DR vault; it does not grant key administration
- Backup Vault Policy (DR): allows the Prod account to call backup:CopyIntoBackupVault on the DR vault, and nothing else
No cross‑account trust is defined in Prod: the Prod backup role's trust policy names only the AWS Backup service, as any AWS Backup role must. All cross‑account trust lives in DR, so the DR account can revoke it unilaterally by editing its own key and vault policies.
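Both trust layers as DR‑account Terraform. This is an added example rather than the project's `modules/kms` or `modules/backup` code: the DR‑owned key whose policy grants the Prod account usage only, the DR vault encrypted with that key, and the vault policy that admits copies from Prod alone. `var.prod_account_id`, the resource names and the retention numbers are assumptions, and the Vault Lock block is one way to make the stored recovery points immutable; whether the project uses it is not stated on this page.

```hcl
# Added example for the DR account (not the project's own module code).
variable "prod_account_id" { type = string } # 12-digit Prod account ID (assumed input)

data "aws_caller_identity" "dr" {}

# DR-owned key: DR administers, rotates and can delete it; Prod may only use it.
# The Prod principal is the account root rather than the backup role ARN so this
# can be applied before the Prod role exists (KMS rejects a policy that names a
# non-existent IAM principal).
resource "aws_kms_key" "dr_backup" {
  description             = "DR backup vault key, owned and rotated by the DR account"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DRAccountAdministersKey"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.dr.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "ProdMayUseKeyForCopies"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.prod_account_id}:root" }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ]
        Resource = "*"
      }
    ]
  })
}

# DR vault, encrypted with the DR-owned key above.
resource "aws_backup_vault" "dr" {
  name        = "dr-backup-vault"
  kms_key_arn = aws_kms_key.dr_backup.arn
}

# Vault policy: the only cross-account action permitted is the copy itself,
# and only from the Prod account. No wildcard principal.
resource "aws_backup_vault_policy" "dr" {
  backup_vault_name = aws_backup_vault.dr.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowCopyFromProdOnly"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${var.prod_account_id}:root" }
      Action    = "backup:CopyIntoBackupVault"
      Resource  = "*"
    }]
  })
}

# Vault Lock (assumed, see lead-in): once changeable_for_days has elapsed the
# lock is in compliance mode and no principal, DR administrators and the root
# user included, can delete recovery points before min_retention_days.
resource "aws_backup_vault_lock_configuration" "dr" {
  backup_vault_name   = aws_backup_vault.dr.name
  min_retention_days  = 30
  max_retention_days  = 365
  changeable_for_days = 3
}
```

Nothing in this environment references a Prod resource other than the account ID, so the DR stack can be applied first and stands on its own; Prod is then given the vault ARN and key ARN from `outputs.tf`.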
- EC2 Instances
- EBS Volumes
- RDS PostgreSQL
(All referenced using ARNs in backup selection)
| Location | Encryption |
|---|---|
| Prod backups | Prod KMS key |
| DR backups | DR KMS key |
Encryption keys are account‑owned and account‑controlled.
In a disaster scenario:
- DR account holds encrypted backups
- DR can restore to:
  - New region
  - New account
  - New VPC
  - New infrastructure
No dependency on Prod account availability: the DR recovery points are encrypted under the DR key, so a restore needs only DR‑side permissions. Restoring into a third account requires that account to be granted in the DR key and vault policies in the same way Prod is granted today.
Log in to both accounts through SSO:
```shell
aws sso login --profile prod
aws sso login --profile dr
```
Deploy DR first, because the Prod copy action and the Prod key grant reference the DR vault ARN and DR key ARN exported by the dr environment:
```shell
cd environments/dr
terraform init
terraform apply
```
Then deploy Prod, passing the DR outputs in through terraform.tfvars:
```shell
cd ../prod
terraform init
terraform apply
```
- Backup vaults protected from deletion
- KMS keys protected from deletion
- Cross‑account permissions explicitly scoped
- No wildcard trust
- Least privilege
- Separation of duties
- Account isolation
- Immutable backups
- Defense‑in‑depth
- Infrastructure as Code
- Compliance‑ready
- Cross‑account backup isolation
- Separate encryption domains
- Centralized DR ownership
- Automated replication
- SSO‑based access control
- Terraform modular design
This system provides:
- ✅ Automated backups
- ✅ Cross‑account replication
- ✅ Cross‑region DR
- ✅ Secure encryption
- ✅ Account isolation
- ✅ Recovery independence
- ✅ Compliance readiness
Internal / Educational / Architecture Reference Project
Built as a multi‑account cloud resilience architecture project demonstrating:
- Cloud security
- Disaster recovery design
- Infrastructure automation
- Enterprise AWS architecture
