How to handle AWS Offsite or cross-account RDS (mysql) backups?

Question

AWS Provides a great solution to provide point-in-time recovery backups within RDS. However, while we take every measure to protect the root account, I'm paranoid that if someone were to gain access they can wipe the entire AWS account including all backups and therefore take the whole company down. What are the best ways to handle this? Do you have 100% trust in your root account and policies to prevent someone malicious from wiping the database and all backups?

What are the best ways to handle an offsite backup to a different RDS account? Should we simply execute mysqldump periodically from a separate system, or is there a better way?

Answer 1

On top of protecting your root account as best as you can, you should be able to reduce the risk of such resource deletion if you have more than 1 resource to protect.

For example if all AWS resources you had to protect were 2 RDS database servers, you could create 2 other accounts that have access to only copy the snapshots of one of your database servers each - and no other access to any other resource. This setup would then require an intruder to hack both root accounts of your main and one backup account each, which should be significantly more difficult.

To copy snapshots from one account A (your current RDS account) to account B (your new account) you should need the following parts (untested)

• Create a new IAM role in Account A, for access from account B:

• Create a new policy for reading RDS snapshots from account A

  {
      "Version": "2012-10-17",
      "Statement": [
          {
          "Effect": "Allow",
          "Action":
              [
                  "rds:CopyDbSnapshot",
                  "rds:DescribeDbSnapshots"
  
  
              ],
          "Resource": "arn:aws:rds:::"
          }
     ]
  }
  

and assign it to the IAM role

• Check that the "trust policy" is enabled as described in this walk through for another cross account action: https://aws.amazon.com/blogs/database/setting-up-for-cross-account-native-backup-and-restore-in-amazon-rds-for-microsoft-sql-server/

• Then in account B, you should be able to run copy-db-snapshot from account B: https://docs.aws.amazon.com/cli/latest/reference/rds/copy-db-snapshot.html

• To automate, I prefer to use Lambda functions, which can simply call AWS API calls, you can trigger them with a Cloudwatch Event

Answer 2

In terms of your root account, you should be very paranoid about the power it wields and protect it as thoroughly as possible.

I would suggest that you get yourself a Hardware Key Fob as listed in MFA devices on this page: https://aws.amazon.com/iam/details/mfa/

Having a physical factor means that you can be sure only people with access to the physical device could log in and do that kind of damage. You can even secure it in a physical safe.

If your root account is considerably secure, I would be of the opinion that is Good Enough for DB back-ups. If you're worried about those then s3 or other amazon services will have the same problems. While you could look at other storage options, realistically if your aws root account is compromised it might just be the end of days - I would focus on the security aspect personally.