Air-Gapped Backup Vault: Custom Solution
In 2023 we set out to find a robust backup solution that would keep our data safe even if an entire AWS account suffered a catastrophic failure, whether through compromise or operator error. You might wonder why we didn't simply use AWS Backup for this. The answer is that its "logically air-gapped vault" feature did not exist yet. In this post we walk through the technical setup of our custom solution and compare its advantages and disadvantages with the AWS offering.
Technical Setup Overview
Our solution uses two AWS accounts, which we call Bunker and Workload, both in the same AWS Organization, and optionally copies backups cross-region as well, so that data can be restored even if an entire AWS Region goes down. In the Bunker account we created a customer managed KMS key (CMK) whose key policy grants the Workload account permission to use it. This key encrypts the backup vaults in both accounts. For resource types whose backups AWS Backup fully manages, such as S3 and DynamoDB, recovery points are encrypted with the vault's key, so they use the shared CMK automatically. For the remaining resource types, such as EC2 (EBS volumes) and RDS, a recovery point keeps the encryption key of the source resource, so those resources must be created with the shared CMK from the start: snapshots encrypted with the AWS managed keys (aws/ebs, aws/rds) cannot be copied to another account, and an existing database on the wrong key can only be moved by restoring it from a re-encrypted snapshot copy. Because KMS keys are regional, the cross-region vault in the Bunker account also needs a key in that Region (a replica of a multi-Region key, or a second shared CMK). Finally, the Bunker vault is protected with AWS Backup Vault Lock, so recovery points cannot be deleted before their retention period ends.
Benefits of the Custom Solution
- Support for native Amazon Relational Database Service (RDS)
  The AWS solution does not support RDS (at the time of writing; check the current list of supported resource types, as it changes over time). This limitation was the main reason we did not switch to the logically air-gapped vault even after its release in 2024. RDS needs one extra step in our custom solution as well: AWS Backup cannot copy an RDS or Aurora recovery point across both an account and a Region boundary in a single copy job, so the copy has to be chained in two hops. The following AWS blog post describes how to automate that:
  https://aws.amazon.com/blogs/database/automate-cross-account-backups-of-amazon-rds-and-amazon-aurora-databases-with-aws-backup/
- Customizable settings
  The AWS solution locks the vault in compliance mode and encrypts it with an AWS owned key; neither can be changed. If your organization prefers governance mode, or requires a customer managed key (CMK) so that it controls the key policy itself, a custom backup solution is necessary.
- Independence from the AWS Organization
  In some scenarios you may want the Bunker account to sit outside your AWS Organization structure. Initially the AWS solution required both accounts to be in the same organization; it now also supports accounts in separate organizations. However, if the Bunker account is not part of any AWS Organization at all, backups fail with an error.
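To make the setup described above concrete, including the governance-mode lock and the shared CMK from the "Customizable settings" point, here is a Terraform sketch of the Bunker and Workload accounts. It is an added example and not the configuration from this post; the account IDs, Region, vault names, retention periods and the AWSBackupDefaultServiceRole reference are placeholders, and the cron schedule and instance sizes are arbitrary.

```terraform
# Added example (not the post's own configuration). Account IDs, region, vault
# names, retention periods and the AWSBackupDefaultServiceRole are placeholders.
variable "bunker_account_id" { default = "111111111111" }
variable "workload_account_id" { default = "222222222222" }

provider "aws" {
  alias  = "bunker"
  region = "eu-central-1"
}
provider "aws" {
  alias  = "workload"
  region = "eu-central-1"
}

# Bunker-owned CMK: Bunker administers it, Workload may use it. The CreateGrant
# statement lets EBS/RDS in Workload encrypt volumes and snapshots under it.
resource "aws_kms_key" "backup" {
  provider            = aws.bunker
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "BunkerAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${var.bunker_account_id}:root" } },
      { Sid = "WorkloadUse", Effect = "Allow", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${var.workload_account_id}:root" },
        Action = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"] },
      { Sid = "WorkloadGrantsForAwsServices", Effect = "Allow", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${var.workload_account_id}:root" },
        Action    = "kms:CreateGrant",
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } } }
    ]
  })
}

resource "aws_backup_vault" "bunker" {
  provider    = aws.bunker
  name        = "bunker-vault"
  kms_key_arn = aws_kms_key.backup.arn
}
# Governance mode: no changeable_for_days, so Bunker admins can still lift the lock.
# Setting changeable_for_days (3 or more) switches to compliance mode, which becomes
# immutable once that cooling-off period ends.
resource "aws_backup_vault_lock_configuration" "bunker" {
  provider           = aws.bunker
  backup_vault_name  = aws_backup_vault.bunker.name
  min_retention_days = 30
  max_retention_days = 400
}
# Only the Workload account may copy recovery points into the Bunker vault.
resource "aws_backup_vault_policy" "bunker" {
  provider          = aws.bunker
  backup_vault_name = aws_backup_vault.bunker.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{ Sid = "AllowCopyFromWorkload", Effect = "Allow", Resource = "*",
      Action    = "backup:CopyIntoBackupVault",
      Principal = { AWS = "arn:aws:iam::${var.workload_account_id}:root" } }]
  })
}

# Workload side: local vault on the same CMK, daily backups copied to Bunker.
resource "aws_backup_vault" "workload" {
  provider    = aws.workload
  name        = "workload-vault"
  kms_key_arn = aws_kms_key.backup.arn
}
resource "aws_backup_plan" "workload" {
  provider = aws.workload
  name     = "daily-to-bunker"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.workload.name
    schedule          = "cron(0 2 * * ? *)"
    lifecycle { delete_after = 35 }
    copy_action {
      destination_vault_arn = aws_backup_vault.bunker.arn
      lifecycle { delete_after = 365 } # must lie within the Bunker lock's min/max
    }
  }
}

# RDS snapshots keep the instance's own key, so the instance must be created with
# the shared CMK; snapshots under the default aws/rds key cannot be copied to Bunker.
resource "aws_db_instance" "app" {
  provider                    = aws.workload
  engine                      = "postgres"
  instance_class              = "db.t4g.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.backup.arn
  skip_final_snapshot         = true
}
resource "aws_backup_selection" "app" {
  provider     = aws.workload
  name         = "app-db"
  plan_id      = aws_backup_plan.workload.id
  iam_role_arn = "arn:aws:iam::${var.workload_account_id}:role/service-role/AWSBackupDefaultServiceRole" # assumed to exist
  resources    = [aws_db_instance.app.arn]
}
```

The cross-region leg is left out for brevity: it is a second Bunker vault with the same lock and access policy under a provider for the other Region, encrypted with a key that exists there (a replica created with `multi_region = true` and `aws_kms_replica_key`, or a second shared CMK), plus a second `copy_action` in the plan pointing at it. Remember that for RDS the cross-account and cross-region hops cannot be combined in one copy job, so that leg has to be chained as described under the RDS point above.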
Downsides of the Custom Solution
- Complexity of setup
  The AWS solution is straightforward to set up. If none of the benefits listed above matter to you, use the AWS solution.
- Missing AWS Resource Access Manager (RAM) sharing
  A significant downside of the custom solution is that its recovery points cannot be shared through RAM. To restore, a recovery point first has to be copied from the Bunker vault back into a vault in the Workload account and only then restored from there; that extra copy is time-consuming, especially for recovery points larger than 1 TB. With the AWS solution, the logically air-gapped vault can be shared with other accounts through RAM, and restores run directly from the shared vault.
In conclusion, our custom solution offers real advantages for specific requirements (native RDS, governance mode, a customer managed key, a Bunker account outside the organization) at the cost of a more complex setup and slower restores. Weigh your company's requirements against these points to choose between the custom solution and AWS's logically air-gapped vault.