omarionya/aws-cross-account-backup-dr
Cross‑Account & Cross‑Region Backup Project (Prod → DR)

This project implements a secure, automated, cross‑account and cross‑region backup architecture using:

  • AWS Backup
  • AWS Organizations
  • AWS SSO
  • KMS encryption
  • Terraform

The design ensures that Production backups are safely replicated to a Disaster Recovery (DR) account, fully isolated, encrypted, and recoverable even if the Production account or region is compromised.


🎯 Project Goals

  • Automated daily backups
  • Cross‑account backup replication
  • Cross‑region disaster recovery
  • Encrypted backups using customer‑managed KMS keys
  • Infrastructure as Code (Terraform)
  • Secure IAM + SSO integration
  • Compliance‑ready architecture

🧭 Architecture Overview

Accounts:

  • Prod Account → Runs workloads (EC2, EBS, RDS)
  • DR Account → Stores backups only

Regions:

  • Prod region: configurable
  • DR region: configurable

Core Components:

  • AWS Backup Vaults
  • AWS Backup Plans
  • AWS Backup Selections
  • KMS Customer Managed Keys
  • IAM Roles

🧭 Architecture Diagram

(Architecture diagram image; not reproduced in this text rendering)

🔐 Security Model

| Component | Ownership |
|---|---|
| Prod Backup Vault | Prod account |
| DR Backup Vault | DR account |
| Prod KMS Key | Prod account |
| DR KMS Key | DR account |
| Backup IAM Role | Prod account |

Trust model:

  • DR account explicitly trusts the Prod account (the DR key policy and DR vault policy name Prod principals)
  • Prod account never controls DR encryption
  • DR controls encryption, retention, and access to its vault

🔁 Backup Flow

  1. AWS Backup runs in Prod on the plan's schedule
  2. Resources are backed up into the Prod Backup Vault (encrypted with the Prod KMS key)
  3. The backup plan's copy action starts a copy job
  4. The recovery point is copied to the DR Backup Vault in the DR region
  5. The copied recovery point is encrypted with the DR‑owned KMS key
  6. DR retains the recovery points under its own lifecycle; they are immutable only if Backup Vault Lock is enabled on the DR vault
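The Prod side of this flow as Terraform, added here as an illustration rather than taken from the project's modules. It assumes three inputs the project may name differently: var.dr_vault_arn (the DR vault ARN exported by the DR stack), var.prod_kms_key_arn and var.protected_resource_arns. The role name aws-backup-role, the vault name, the schedule and the retention figures are likewise assumed.

```hcl
# Added example (not the project's own code): Prod-side backup role, vault,
# daily plan with a cross-account/cross-region copy action, and selection.

variable "dr_vault_arn" {
  type = string # assumed: output of the DR stack
}

variable "prod_kms_key_arn" {
  type = string # assumed: Prod-owned customer-managed key
}

variable "protected_resource_arns" {
  type = list(string) # assumed: EC2 instance, EBS volume and RDS instance ARNs
}

# Service trust only: no cross-account principal is declared in Prod.
data "aws_iam_policy_document" "backup_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "aws-backup-role" # assumed name; must match the DR key policy
  assume_role_policy = data.aws_iam_policy_document.backup_assume.json
}

resource "aws_iam_role_policy_attachment" "backup" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# Step 2: local vault, encrypted with the Prod key.
resource "aws_backup_vault" "prod" {
  name        = "prod-backup-vault"
  kms_key_arn = var.prod_kms_key_arn
}

resource "aws_backup_plan" "daily" {
  name = "prod-daily"

  rule {
    rule_name         = "daily-0300-utc"
    target_vault_name = aws_backup_vault.prod.name
    schedule          = "cron(0 3 * * ? *)"
    start_window      = 60  # minutes the job may wait before starting
    completion_window = 360 # minutes before an unfinished job is cancelled

    lifecycle {
      delete_after = 35 # Prod retention (days)
    }

    # Steps 3-5: the destination ARN carries the DR account and region, so this
    # one action is both cross-account and cross-region. The copy is
    # re-encrypted with the DR vault's key and keeps its own retention.
    copy_action {
      destination_vault_arn = var.dr_vault_arn
      lifecycle {
        delete_after = 365 # DR retention (days), independent of Prod's
      }
    }
  }
}

# Selection by explicit ARN, as the README describes.
resource "aws_backup_selection" "prod" {
  name         = "prod-ec2-ebs-rds"
  plan_id      = aws_backup_plan.daily.id
  iam_role_arn = aws_iam_role.backup.arn
  resources    = var.protected_resource_arns
}
```

The copy lifecycle is separate from the source lifecycle, so DR can keep recovery points longer than Prod; losing the Prod vault does not shorten DR retention.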

📁 Project Structure

```
environments/
  prod/
    main.tf
    providers.tf
    terraform.tfvars
    iam-backup.tf
    outputs.tf
    variables.tf

  dr/
    main.tf
    providers.tf
    terraform.tfvars
    variables.tf
    outputs.tf

modules/
  backup/
  kms/
  ec2/
  rds/
  bastion/
  network/
```

🔑 KMS Ownership Model

  • DR owns the KMS key used for DR backups

  • Prod is granted usage permission only

  • DR controls:

    • Rotation
    • Deletion
    • Policy
    • Encryption lifecycle

This guarantees:

  • True isolation
  • Blast‑radius control
  • Secure disaster recovery

🛡️ IAM Model

Prod Account

  • AWS Backup IAM Role

  • AWS Managed Policy:

    • AWSBackupServiceRolePolicyForBackup

DR Account

  • Backup Vault Policy:

    • Allows backup:CopyIntoBackupVault from Prod

🔄 Cross‑Account Trust

Two trust layers exist, both defined in DR:

  1. KMS Key Policy (DR)

    • Allows the Prod backup role to use the DR key (encrypt, decrypt, generate data keys, create grants for AWS resources) but not to administer it
  2. Backup Vault Policy (DR)

    • Allows backup:CopyIntoBackupVault from the Prod account

No cross‑account trust is defined in Prod. The only trust Prod declares is the service trust that lets backup.amazonaws.com assume the backup role.

Prerequisite check: cross‑account backup must be enabled in the AWS Backup settings of the Organizations management account, otherwise copy jobs between member accounts fail.
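The two DR‑side policies as Terraform, added as an example rather than copied from the project's kms and backup modules. Assumed: var.prod_account_id, the Prod role name aws-backup-role, and the vault name dr-backup-vault. The KMS actions granted to Prod are the usage set a copy job needs; administrative actions stay with the DR account root, and the kms:GrantIsForAWSResource condition stops the Prod role from creating grants for anything other than an AWS service. The exact principal AWS Backup uses for a given resource type should be confirmed against a real copy job before tightening further.

```hcl
# Added example (not the project's own code): DR-owned key and vault, with the
# only two statements that grant anything to Prod.

variable "prod_account_id" {
  type = string # assumed: 12-digit Prod account ID
}

variable "prod_backup_role_name" {
  type    = string
  default = "aws-backup-role" # assumed: name of the backup role created in Prod
}

data "aws_caller_identity" "dr" {}

# DR owns the key: rotation, deletion window and policy are set here and
# cannot be changed by Prod.
resource "aws_kms_key" "dr_backup" {
  description             = "DR backup vault key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.dr_key.json
}

data "aws_iam_policy_document" "dr_key" {
  # Administration stays with the DR account (delegated via IAM inside DR).
  statement {
    sid       = "EnableDrAccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.dr.account_id}:root"]
    }
  }

  # Prod's backup role may use the key, but cannot change its policy,
  # schedule deletion, or disable rotation. Principal is the role, not :root.
  statement {
    sid = "AllowProdBackupRoleUse"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.prod_account_id}:role/${var.prod_backup_role_name}"]
    }
  }

  # AWS services attach the key to snapshots through grants; only allow grants
  # that are for an AWS resource, never free-standing ones.
  statement {
    sid       = "AllowProdBackupRoleGrantsForAwsResources"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.prod_account_id}:role/${var.prod_backup_role_name}"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_backup_vault" "dr" {
  name        = "dr-backup-vault"
  kms_key_arn = aws_kms_key.dr_backup.arn
}

# Vault access policy: a single action for a single account, no wildcard
# principal. Nothing here lets Prod read, restore or delete DR recovery points.
data "aws_iam_policy_document" "dr_vault" {
  statement {
    sid       = "AllowCopyFromProd"
    actions   = ["backup:CopyIntoBackupVault"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.prod_account_id}:root"]
    }
  }
}

resource "aws_backup_vault_policy" "dr" {
  backup_vault_name = aws_backup_vault.dr.name
  policy            = data.aws_iam_policy_document.dr_vault.json
}

# Consumed by the Prod stack's copy_action.
output "dr_vault_arn" {
  value = aws_backup_vault.dr.arn
}
```

A quick check that the split holds: with these policies, a principal in Prod can run `aws backup start-copy-job` into the DR vault but gets AccessDenied on `aws backup delete-recovery-point` against it, and on `aws kms put-key-policy` against the DR key.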


📦 Resources Backed Up

  • EC2 Instances
  • EBS Volumes
  • RDS PostgreSQL

(All referenced using ARNs in backup selection)


🔐 Encryption Model

| Location | Encryption |
|---|---|
| Prod backups | Prod KMS key |
| DR backups | DR KMS key |

Encryption keys are account‑owned and account‑controlled.

Caveat: EC2, EBS and RDS backups are not fully managed by AWS Backup, and a snapshot encrypted with an AWS‑managed default key (aws/ebs, aws/rds) cannot be copied to another account. Prod resources must therefore be encrypted with a customer‑managed key for the copy to DR to succeed.


🧪 Recovery Capability

In a disaster scenario:

  • DR account holds encrypted backups

  • DR can restore to:

    • New region
    • New account
    • New VPC
    • New infrastructure

No dependency on Prod account availability. Restores run under a role in the DR account (for example one attached to AWSBackupServiceRolePolicyForRestores); the Prod backup role is not involved.


🧰 Terraform Workflow

Apply the DR environment first: the Prod plan's copy action needs the DR vault ARN, and the Prod role must already be granted use of the DR key, so the DR outputs must exist before Prod is applied.

```bash
aws sso login --profile prod
aws sso login --profile dr

cd environments/dr
terraform init
terraform apply

cd ../prod
terraform init
terraform apply
```

🛑 Safety Controls

  • Backup vaults protected from deletion
  • KMS keys protected from deletion
  • Cross‑account permissions explicitly scoped
  • No wildcard trust
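An added example (not from the project) of how the first two safety controls can be made enforceable rather than advisory. It assumes the DR vault is defined in the DR stack with its key ARN supplied as var.dr_kms_key_arn; the retention figures are placeholders that must bracket the copy lifecycle configured in Prod.

```hcl
# Added example (not the project's own code): deletion protection for the DR
# vault plus Backup Vault Lock, which is what makes recovery points immutable.

variable "dr_kms_key_arn" {
  type = string # assumed: ARN of the DR-owned customer-managed key
}

resource "aws_backup_vault" "dr" {
  name        = "dr-backup-vault"
  kms_key_arn = var.dr_kms_key_arn

  # A plan that would remove the vault fails instead of deleting DR recovery
  # points. Apply the same block to the aws_kms_key resource.
  lifecycle {
    prevent_destroy = true
  }
}

# After changeable_for_days the lock enters compliance mode: no principal,
# including the DR account root, can delete a recovery point before
# min_retention_days, and the lock itself can no longer be removed.
resource "aws_backup_vault_lock_configuration" "dr" {
  backup_vault_name   = aws_backup_vault.dr.name
  changeable_for_days = 3   # minimum allowed; cooling-off period to catch a bad value
  min_retention_days  = 30  # placeholder: copies with shorter retention are rejected
  max_retention_days  = 400 # placeholder: copy lifecycle delete_after must fit under this
}
```

Vault Lock validates every incoming recovery point against the min/max window, so set these before the first copy job; a copy_action whose delete_after falls outside the window fails rather than silently landing unlocked. For the KMS key, prevent_destroy plus the 30‑day deletion window means a key deletion must both survive a Terraform guard and a month of visibility before it takes effect.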

🧠 Design Principles

  • Least privilege
  • Separation of duties
  • Account isolation
  • Immutable backups
  • Defense‑in‑depth
  • Infrastructure as Code
  • Compliance‑ready

📌 Best Practices Implemented

  • Cross‑account backup isolation
  • Separate encryption domains
  • Centralized DR ownership
  • Automated replication
  • SSO‑based access control
  • Terraform modular design

🚀 Outcome

This system provides:

  ✅ Automated backups
  ✅ Cross‑account replication
  ✅ Cross‑region DR
  ✅ Secure encryption
  ✅ Account isolation
  ✅ Recovery independence
  ✅ Compliance readiness


📄 License

Internal / Educational / Architecture Reference Project


✍️ Author

Built as a multi‑account cloud resilience architecture project demonstrating:

  • Cloud security
  • Disaster recovery design
  • Infrastructure automation
  • Enterprise AWS architecture
