AWS Database Blog

Setting up for cross-account native backup and restore in HAQM RDS for Microsoft SQL Server

Reviewed and updated in June 2022.

HAQM Relational Database Service (HAQM RDS) supports native backup and restore for Microsoft SQL Server databases. If you have multiple AWS accounts, you can perform native backup and restore across these accounts, provided that your HAQM RDS instance and the HAQM Simple Storage Service (HAQM S3) bucket are in the same AWS Region. It’s important to understand this requirement before proceeding with these steps.

This post describes how to set up the permissions and policies necessary to perform cross-account native backup and restore in HAQM RDS for SQL Server. The steps in this procedure assume that you have the following AWS accounts containing these resources:

  • Account A – HAQM RDS for SQL Server instance
  • Account B – HAQM S3 bucket

For Account A, see Importing and Exporting SQL Server Databases for how to set up native backup and restore for an RDS for SQL Server instance.

For Account B, which contains the S3 bucket, you need to create a bucket policy to authorize the role from Account A to access the S3 bucket.

Configure the S3 bucket policy

The next step is to configure the S3 bucket and its policy to allow Account A to access the bucket. You can create a bucket or use an existing one. However, make sure that the bucket is in the same AWS Region as your HAQM RDS instance.

  1. On the HAQM S3 console, choose the bucket that you want to create a policy for. Choose Permissions, and then choose Bucket Policy.
  2. To allow RDS to access the S3 bucket for backup and restore, include the following bucket policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Permission to cross account",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNTA-NUMBER:role/service-role/NATIVE-BACKUP-ROLE-NAME"
                    ]
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::AccountB-S3BucketName"
                ]
            },
            {
                "Sid": "Permission to cross account on object level",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::ACCOUNTA-NUMBER:role/service-role/NATIVE-BACKUP-ROLE-NAME"
                    ]
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload"
                ],
                "Resource": [
                    "arn:aws:s3:::AccountB-S3BucketName/*"
                ]
            }
        ]
    }

  3. Add the Account B S3 bucket as a Resource in the IAM policy linked to the option group that is in use with the RDS SQL Server instance (Account A). Once done, you are ready to use the cross-account S3 bucket for HAQM RDS SQL Server native backup and restore.
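As an added example (not part of the original post), the following Python check reads a bucket policy like the one above and confirms that every Allow statement names only a role in Account A as principal (never "*" or another account), keeps the bucket-level and object-level action sets on their own resources, and grants nothing beyond the actions listed. The account number, bucket name and role ARN in the sample are constructed placeholders.

```python
import re

# Least-privilege action sets taken from the bucket policy shown on this page.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")  # roles only, never root or "*"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_bucket_policy(policy, bucket, account_a):
    """Return findings; an empty list means the policy has the page's shape."""
    findings, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        # A Service-only principal falls through as the raw dict and is flagged.
        principals = principal.get("AWS", [principal]) if isinstance(principal, dict) else principal
        for p in _as_list(principals):
            m = ROLE_ARN_RE.match(str(p))
            if not m or m.group(1) != account_a:
                findings.append(f"{sid}: principal {p!r} is not an account {account_a} role")
        actions = set(_as_list(stmt.get("Action", [])))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == bucket_arn:
                extra = actions - BUCKET_ACTIONS      # bucket-level statement
            elif resource == bucket_arn + "/*":
                extra = actions - OBJECT_ACTIONS      # object-level statement
            else:
                findings.append(f"{sid}: unexpected resource {resource!r}")
                continue
            if extra:
                findings.append(f"{sid}: {sorted(extra)} exceed what {resource} needs")
    return findings

# Constructed placeholders for the page's ACCOUNTA-NUMBER and AccountB-S3BucketName.
ACCOUNT_A, BUCKET = "123456789012", "accountb-s3bucketname"
ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/service-role/NATIVE-BACKUP-ROLE-NAME"

def sample_policy(principal=ROLE, object_actions=tuple(sorted(OBJECT_ACTIONS))):
    """The page's two-statement bucket policy, built with the placeholders above."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Permission to cross account", "Effect": "Allow",
         "Principal": {"AWS": [principal]}, "Action": sorted(BUCKET_ACTIONS),
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "Permission to cross account on object level", "Effect": "Allow",
         "Principal": {"AWS": [principal]}, "Action": list(object_actions),
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]}
```

To check a real policy, load the bucket policy JSON with json.loads and pass it to check_bucket_policy together with your bucket name and Account A's 12-digit account ID.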

For more information, see Manually Creating an IAM Role for Native Backup and Restore in the HAQM RDS User Guide.

Note: We currently don’t support native backup and restore with a cross-account customer managed key (CMK).

Summary

This post briefly describes what you need to set up in order to perform cross-account native backup and restore in HAQM RDS for SQL Server. You can perform native backup and restore across multiple AWS accounts provided that you have an RDS instance and S3 bucket in the same AWS Region.

For more information about native backup and restore, see Microsoft SQL Server Native Backup and Restore Support in the HAQM RDS User Guide.


About the Authors

Fabio Albuquerque is a Sr Software Development Engineer with HAQM Web Services.

Kirthi Vishal is a Support Engineer with HAQM Web Services. He is a subject matter expert on RDS and RDS for SQL Server who works with our customers to provide guidance and technical assistance on Relational Database Services, helping them improve the value of their solutions when using AWS.