4

We are running AWS RDS PostgreSQL, with daily automatic snapshots, encrypted by AWS managed KMS key. My objective is to minimize risks and data loss, in case when main AWS account (running RDS) got compromised or RDS deleted/damaged in some way.

What we've implemented so far: RDS snapshots are shared with different (backup) account, periodically copied to backup account and re-encrypted with the KMS key from the backup account, to make copies local, and independent from the main AWS account.

Picture of periodic backup flow

I'm wondering if there are better ways to minimize recovery time objective and recovery point objective in case of a disaster event?

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
mva
  • 384
  • 1
  • 5
  • 12

2 Answers2

0

This AWS blog post seems to weigh the options well.

Automated backups are limited to a single AWS Region while manual snapshots and Read Replicas are supported across multiple Regions.

Having cross region Read replica would give you the best RPO and RTO as you can promote replica to be an independent instance which should improve your RPO / RTO

Alternatively, if you choose to use Amazon Aurora Backtrack it seems to offer a similar option to having a read replica but I do not have a personal experience with this feature so can't say how effective it is in improving RTO and RPO.

Database Backup options

Parth Mehta
  • 1,869
  • 5
  • 15
  • 1
    Thank you for the answer @Parth Mehta my focus was on the data availability after disaster event. Cross-account RDS replica is not supported, unfortunately, so the only option left is the snapshots. – mva Jan 31 '20 at 11:05
  • 2
    Hey @mva, I saw that you were looking to achieve redundancy across different aws accounts. I mistakenly ignored that assuming it was added as a workaround for improved redundancy. So now that I know you need it, I agree with your conclusion. – Parth Mehta Jan 31 '20 at 11:29
0

I wrote two scripts implementing flow at the diagram drawn above ^^^, the idea is to run them daily:

src_acc_take_share_rds_snapshot.py in src account:

  • list available RDS snapshots according to provided regexp
  • recrypt them with KMS key, shared from dst account
  • share recrypted RDS snapshots with the dst account
  • remove old decrypted snapshots

dst_acc_copy_shared_rds_snapshot_to_local.py in dst account

  • list RDS snapshots, shared in src account with dst account
  • copy RDS snapshots from src account to dst account
  • remove old decrypted snapshots
  • fire an SNS message if desired snapshot count != actual

and put them at GitHub https://github.com/mvasilenko/dr-rds-share-snapshot

mva
  • 384
  • 1
  • 5
  • 12