
How to handle AWS Offsite or cross-account RDS (mysql) backups?

Submitted by: @import:stackexchange-devops
Tags: backups, handle, cross-account, mysql, aws, how, rds, offsite

Problem

AWS provides a great solution to provide point-in-time recovery backups within RDS. However, while we take every measure to protect the root account, I'm paranoid that if someone were to gain access they can wipe the entire AWS account including all backups and therefore take the whole company down. What are the best ways to handle this? Do you have 100% trust in your root account and policies to prevent someone malicious from wiping the database and all backups?

What are the best ways to handle an offsite backup to a different RDS account? Should we simply execute mysqldump periodically from a separate system, or is there a better way?

Solution

On top of protecting your root account as best as you can, you should be able to reduce the risk of such resource deletion if you have more than 1 resource to protect.

For example, if all the AWS resources you had to protect were 2 RDS database servers, you could create 2 other accounts that each have access only to copy the snapshots of one of your database servers, and no other access to any other resource. This setup would then require an intruder to hack both the root account of your main account and that of each backup account, which should be significantly more difficult.

To copy snapshots from one account A (your current RDS account) to account B (your new account) you should need the following parts (untested):

  • Create a new IAM role in account A, for access from account B:

- Create a new policy for reading RDS snapshots from account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:CopyDBSnapshot",
                "rds:DescribeDBSnapshots"
            ],
            "Resource": "arn:aws:rds:*:*:snapshot:*"
        }
    ]
}


and assign it to the IAM role.

- Check that the "trust policy" is enabled as described in this walkthrough for another cross-account action: https://aws.amazon.com/blogs/database/setting-up-for-cross-account-native-backup-and-restore-in-amazon-rds-for-microsoft-sql-server/

- Then, in account B, you should be able to run copy-db-snapshot: https://docs.aws.amazon.com/cli/latest/reference/rds/copy-db-snapshot.html

- To automate, I prefer to use Lambda functions, which can simply make AWS API calls; you can trigger them with a CloudWatch Events rule.
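The following is an added example, not code from the original answer, of what the two Lambda functions in the procedure above could look like: one in account A that turns the newest automated snapshot into a manual snapshot and shares it with account B (the sharing step, via modify_db_snapshot_attribute, is what lets a second account copy a snapshot), and one in account B that copies the shared snapshot under its own KMS key and prunes its old offsite copies. The account IDs, instance name, region and key alias are placeholders, and the FakeRds class is a constructed stand-in for boto3's RDS client so the file runs offline; with a real `boto3.client("rds")` passed in, the same calls run against AWS.

```python
"""
Added example (not from the original answer): both halves of a cross-account RDS
snapshot copy as Lambda-style functions taking an RDS client.
share_latest_snapshot runs in account A (the RDS account); copy_shared_snapshot
runs in account B (the backup account). Method names and keyword arguments match
boto3's RDS client, so boto3.client("rds") can be passed as `rds`. FakeRds is a
constructed in-memory stand-in so the file runs offline; account IDs, instance
and key names are placeholders.
"""
from datetime import datetime, timedelta, timezone


def share_latest_snapshot(rds, instance_id, backup_account_id, now=None):
    """Account A side: returns the identifier of the manual snapshot shared with B."""
    now = now or datetime.now(timezone.utc)
    page = rds.describe_db_snapshots(DBInstanceIdentifier=instance_id, SnapshotType="automated")
    done = [s for s in page["DBSnapshots"] if s["Status"] == "available"]
    if not done:
        raise RuntimeError(f"no available automated snapshot for {instance_id}")
    latest = max(done, key=lambda s: s["SnapshotCreateTime"])
    target = f"{instance_id}-shared-{now:%Y%m%d%H%M}"
    # Automated snapshots cannot be shared, so copy the newest one to a manual snapshot.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=latest["DBSnapshotArn"],
                         TargetDBSnapshotIdentifier=target)
    # The copy is asynchronous and sharing needs status 'available'; a real Lambda
    # must fit this wait into its timeout or share from a later invocation.
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target)
    # Sharing grants B copy/restore rights; the data itself stays in account A.
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=target, AttributeName="restore",
                                     ValuesToAdd=[backup_account_id])
    return target


def copy_shared_snapshot(rds, source_arn, kms_key_id, retain_days, now=None):
    """Account B side: returns (new copy id, list of pruned copy ids)."""
    now = now or datetime.now(timezone.utc)
    target = "offsite-" + source_arn.rsplit(":", 1)[1]
    # An encrypted snapshot copied across accounts must be re-encrypted with a key
    # B owns; A's key policy must also allow B to use the source key.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=source_arn,
                         TargetDBSnapshotIdentifier=target, KmsKeyId=kms_key_id)
    cutoff = now - timedelta(days=retain_days)
    deleted = []
    # Only B's own manual snapshots are pruned; credentials stolen from A cannot
    # delete them, which is the point of the second account.
    for s in rds.describe_db_snapshots(SnapshotType="manual")["DBSnapshots"]:
        if s["DBSnapshotIdentifier"].startswith("offsite-") and s["SnapshotCreateTime"] < cutoff:
            rds.delete_db_snapshot(DBSnapshotIdentifier=s["DBSnapshotIdentifier"])
            deleted.append(s["DBSnapshotIdentifier"])
    return target, deleted


class FakeRds:
    """Constructed stand-in for boto3's RDS client; just enough surface for the functions above."""

    def __init__(self, account_id, now, snapshots):
        self.account_id, self.now = account_id, now
        self.snaps = {s["DBSnapshotIdentifier"]: s for s in snapshots}
        self.shared, self.copies = {}, []

    def describe_db_snapshots(self, SnapshotType=None, DBInstanceIdentifier=None, **_):
        return {"DBSnapshots": [s for s in self.snaps.values()
                                if SnapshotType in (None, s["SnapshotType"])
                                and DBInstanceIdentifier in (None, s["DBInstanceIdentifier"])]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, **kw):
        self.copies.append((SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, kw.get("KmsKeyId")))
        self.snaps[TargetDBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": TargetDBSnapshotIdentifier,
            "DBSnapshotArn": f"arn:aws:rds:eu-west-1:{self.account_id}:snapshot:{TargetDBSnapshotIdentifier}",
            "DBInstanceIdentifier": "prod-mysql", "SnapshotType": "manual",
            "Status": "available", "SnapshotCreateTime": self.now}
        return {"DBSnapshot": self.snaps[TargetDBSnapshotIdentifier]}

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToAdd=(), **_):
        self.shared.setdefault(DBSnapshotIdentifier, set()).update(ValuesToAdd)

    def delete_db_snapshot(self, DBSnapshotIdentifier):
        del self.snaps[DBSnapshotIdentifier]

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()


def run_demo():
    """Constructed scenario: one nightly snapshot in A, one 29-day-old offsite copy in B."""
    t0 = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    rds_a = FakeRds("111111111111", t0, [{
        "DBSnapshotIdentifier": "rds:prod-mysql-2024-03-01-01-00",
        "DBSnapshotArn": "arn:aws:rds:eu-west-1:111111111111:snapshot:rds:prod-mysql-2024-03-01-01-00",
        "DBInstanceIdentifier": "prod-mysql", "SnapshotType": "automated",
        "Status": "available", "SnapshotCreateTime": t0 - timedelta(hours=1)}])
    rds_b = FakeRds("222222222222", t0, [{
        "DBSnapshotIdentifier": "offsite-prod-mysql-shared-202402010200",
        "DBSnapshotArn": "arn:aws:rds:eu-west-1:222222222222:snapshot:offsite-prod-mysql-shared-202402010200",
        "DBInstanceIdentifier": "prod-mysql", "SnapshotType": "manual",
        "Status": "available", "SnapshotCreateTime": t0 - timedelta(days=29)}])
    shared = share_latest_snapshot(rds_a, "prod-mysql", "222222222222", now=t0)
    source_arn = rds_a.snaps[shared]["DBSnapshotArn"]
    copied, pruned = copy_shared_snapshot(rds_b, source_arn, "alias/offsite-backups", 7, now=t0)
    return {"shared": shared, "shared_with": rds_a.shared[shared], "copied": copied,
            "kms": rds_b.copies[0][2], "pruned": pruned}


if __name__ == "__main__":
    print(run_demo())
```

The split matters for the threat in the question: the identity running in account A only needs rds:DescribeDBSnapshots, rds:CopyDBSnapshot and rds:ModifyDBSnapshotAttribute on its own snapshots, while the identity in account B needs no credentials for A at all, so compromising A's root account gives no path to the copies B keeps.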


Context

StackExchange DevOps Q#8016, answer score: 2
