Amazon Web Services (AWS) recently announced new features in AWS Backup for Amazon DynamoDB on-demand backups that can help you meet your compliance, business continuity, and cost-optimization needs.
In this post, we describe these features and provide a step-by-step guide for using them to copy DynamoDB backups across AWS Regions and across accounts, configure your backup lifecycle, and configure an additional layer of encryption for backups.
What’s new
You can now copy your DynamoDB backups across Regions and across AWS accounts, move your DynamoDB backups to a cold storage tier, and add cost-allocation tags to the backups. You can also encrypt your backups using different encryption settings than are used on your source DynamoDB tables.
You might have to store copies of backups in a secondary Region or account to help meet your organizational requirements, especially if the organization is in a regulated industry. Support for cross-Region and cross-account copy for DynamoDB on-demand backups can help you meet your business continuity and disaster recovery requirements. Additionally, if you have long-term retention needs for backups, you can use the cold storage tiering and cost allocation features to help decrease costs and improve cost management. Finally, if you have security requirements around using different encryption for primary and secondary workloads, the new features can help you comply with those requirements.
Solution overview
This solution includes the following high-level steps:
Enable AWS Backup for DynamoDB.
Configure an AWS Backup vault and set up secondary encryption.
Configure a DynamoDB backup.
Configure a DynamoDB backup lifecycle and add tags.
Copy the DynamoDB backup across Regions and accounts.
Enable AWS Backup settings for DynamoDB
You can use the AWS Management Console for either AWS Backup or DynamoDB to use the new features. In this post, you’ll learn how to configure and use the advanced backup features on the DynamoDB console, including cross-account backup and adding cost-allocation tags to the backups, starting with enabling backups.
To enable AWS Backup
On the DynamoDB console, choose Backups in the navigation pane and then choose Enable (if not already enabled).
Configure an AWS Backup vault and set up secondary encryption
To use cross-account backup and cost-allocation tags, you must configure a backup vault in AWS Backup. A backup vault is a container that stores and organizes your backups.
To configure an AWS Backup vault and secondary encryption
On the AWS Backup console, choose Backup vaults in the navigation pane and then choose Create Backup vault.
On the Create Backup vault page:
Enter a backup vault name (for this post, enter DynamoDBVault).
Choose an encryption key.
Note: We recommend adding an extra layer of security by encrypting your backups with a different encryption key than that of the source DynamoDB table. You can choose either the default encryption key—called (default) aws/backup—or a key you previously created in the AWS Key Management Service (AWS KMS).
Choose Create Backup vault.
Note: For this solution, we use DynamoDBVault to store backups, which are encrypted using the key configured during vault creation.
Configure a DynamoDB backup
Now that you’ve set up a backup vault, you can create an on-demand backup of your DynamoDB table.
To configure a DynamoDB backup
On the DynamoDB console, navigate to the Tables page and select the table you want to configure for cross-Region and cross-account backup.
Note: If you need to create a new DynamoDB table and populate it with sample data, refer to Create Example Tables for instructions. These instructions use an existing table called order_detail.
[Optional] On the Overview tab, choose Additional Info. You’ll see that the encryption type for the table shows Owned by Amazon, meaning that the table is encrypted using the AWS owned key, which isn’t stored in your AWS account.
On the Backups tab, in the Backups section, choose Create backup, and then select Create on-demand backup.
Select Customize settings, Backup with AWS Backup, and then select Create Backup now to start backup creation immediately.
For more information about scheduling a backup, refer to Set up scheduled backups for Amazon DynamoDB using AWS Backup.
Configure a DynamoDB backup lifecycle and add tags
You now configure the lifecycle, which defines when a backup is transitioned to cold storage and when it expires.
To configure a DynamoDB backup lifecycle and add tags
On the schedule section of the Create Backup Plan page, select the following:
For Transition to cold storage select Days and enter 31.
For Retention period, select Days and enter 366.
For Backup vault, select the vault you created earlier.
[Optional] For Tags, set the Key to dept and the Value to sales.
Choose Create backup.
You should now see a status message that your backup request has been submitted. Wait a few moments and choose the refresh icon until your backup appears in the list. Select your new backup to view its details.
In the Backup job summary section, choose DynamoDBVault. This redirects you to the AWS Backup console, where you can see all the backups in this vault. Each is identified by a recovery point ID.
Copy the DynamoDB backup across Regions and accounts
Now that you have created a backup, you can copy it across different Regions or accounts.
To copy the DynamoDB backup
On the AWS Backup console, go to the DynamoDBVault vault details page and select the backup you want to copy. Choose the Actions menu and select Copy.
On the Copy configuration page:
For Copy to destination, choose the Region where you want to copy the backup. These instructions use Europe (Ireland) as the destination Region.
Note: The Region you’re copying from is shown in the upper corner of the console.
For Destination Backup vault, choose Default.
Configure the retention period to expire the backup copy after 366 days.
Choose Copy.
To configure cross-account backup, turn on Copy to another account’s vault and enter the ARN of the backup vault in the destination account, provided you have appropriate permissions. For a cross-account copy, both the source and destination AWS accounts must be members of the same organization in AWS Organizations.
Wait for the Status of the copy to change to Completed. Depending on the size of the backup, it may take a few minutes or several hours for the copy to complete.
Go to the destination Region.
On the AWS Backup console, choose Backup vaults in the navigation pane and choose the Default vault to verify that the backup has been copied successfully to the destination Region. You can now restore the table in the secondary Region as well.
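The walkthrough's settings expressed as request parameters for the AWS Backup API (boto3 `start_backup_job` and `start_copy_job`), together with the checks a reviewer would run before submitting them. This is an added example, not code from the original post. The IAM role, the account IDs, the source Region, and the rule that a copy must leave the source Region or account are assumptions made for illustration.

```python
import re

MIN_COLD_DAYS = 90  # AWS Backup keeps cold-storage backups for at least 90 days
VAULT_ARN = re.compile(r"^arn:aws[a-z-]*:backup:(?P<region>[a-z0-9-]+):"
                       r"(?P<account>\d{12}):backup-vault:(?P<name>[\w-]+)$")


def lifecycle(cold_after=None, delete_after=None):
    """Build a Lifecycle dict, rejecting a retention that is too short for cold storage."""
    if (cold_after is not None and delete_after is not None
            and delete_after < cold_after + MIN_COLD_DAYS):
        raise ValueError("retention must be at least 90 days past the cold-storage transition")
    out = {}
    if cold_after is not None:
        out["MoveToColdStorageAfterDays"] = cold_after
    if delete_after is not None:
        out["DeleteAfterDays"] = delete_after
    return out


def key_is_separate(table_desc, vault_desc):
    """True when the vault key differs from the source table's KMS key.

    Takes DescribeTable and DescribeBackupVault responses. A table without a
    KMSMasterKeyArn uses the AWS owned key, which can never be the vault key.
    """
    table_key = table_desc["Table"].get("SSEDescription", {}).get("KMSMasterKeyArn")
    return table_key is None or table_key != vault_desc["EncryptionKeyArn"]


def backup_request(table_arn, role_arn, vault="DynamoDBVault"):
    """Parameters for start_backup_job() using the post's lifecycle and tag values."""
    return {"BackupVaultName": vault, "ResourceArn": table_arn, "IamRoleArn": role_arn,
            "Lifecycle": lifecycle(31, 366), "RecoveryPointTags": {"dept": "sales"}}


def copy_request(recovery_point_arn, source_vault_arn, dest_vault_arn, role_arn):
    """Parameters for start_copy_job(); assumed policy: the copy must leave the
    source Region or the source account to count as a disaster-recovery copy."""
    src, dst = VAULT_ARN.match(source_vault_arn), VAULT_ARN.match(dest_vault_arn)
    if not src or not dst:
        raise ValueError("expected a backup vault ARN")
    if (src["region"], src["account"]) == (dst["region"], dst["account"]):
        raise ValueError("destination vault is in the same Region and account")
    return {"RecoveryPointArn": recovery_point_arn, "SourceBackupVaultName": src["name"],
            "DestinationBackupVaultArn": dest_vault_arn, "IamRoleArn": role_arn,
            "Lifecycle": lifecycle(delete_after=366)}
```

Each returned dict can be passed as keyword arguments to the matching client call, for example `boto3.client("backup").start_copy_job(**params)`.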
Clean up
To avoid incurring future charges, follow these steps to remove the example resources:
Delete the source and the restored DynamoDB tables if you created them for this post.
Delete the backup plans and recovery points. For instructions, see Clean up resources.
Conclusion
In this post, we provided a step-by-step guide to copy DynamoDB backups across Regions to meet your compliance and regulatory requirements, and we explained how you can copy DynamoDB backups across accounts to enable global disaster recovery. We also provided a walkthrough of how you can add tags to DynamoDB backups and use lifecycle settings to transition backups to cold storage.
To learn more about AWS Backup, check out the Developer Guide.
About the Authors
Dhiraj Thakur is a Solutions Architect with Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He is passionate about technology and enjoys building and experimenting in the analytics and AI and ML space.
Juhi Patil is a London-based DynamoDB Specialist Solutions Architect with a background in big data technologies. She helps customers design, evaluate, and optimize their DynamoDB-based solutions.