Is AWS Backup through Control Tower Acting Up?

Asked By CloudDancer92 On

I've set up AWS Backup using Control Tower, and while it worked on a test Organizational Unit (OU) with a local vault and the default backup plans, I've hit a snag. The local vault name includes the account ID, making it impossible to create a shared backup plan across AWS Organizations for backing up to this vault and then copying it to a central account. Has anyone run into this issue before and found a solution? It felt much smoother a couple of years ago when it all worked well.

2 Answers

Answered By AWSExplorer77 On

I found this helpful page in the AWS docs regarding backup policy syntax. But bear in mind, it assumes that the vault name is uniform across all accounts, which isn't the case with Control Tower's setup.

TechieGuru88 -

Yeah, I checked that out too, but that really doesn’t help here since the vault names differ when you use Control Tower.

Answered By TechieGuru88 On

You might want to try using "$account" as a placeholder in your backup policy. It should replace it with the actual account number for each account. Just a heads up, though—I’m not using Control Tower, but this is how we manage a backup policy across various production accounts with their own local vaults.

BackupWiz01 -

I wish that worked for all parts! Unfortunately, it’s only applicable in the copy_actions section of the policy. I tried putting it in the target_backup_vault_name field, but it didn’t take.
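The behaviour reported in the comment above can be checked before a policy is attached. The following is an added example, not code from any poster in this thread: a small linter that walks a backup policy document and separates `$account` uses inside `target_backup_vault_name` (the field the comment reports as not accepting it) from uses elsewhere, such as the `copy_actions` vault ARN. The plan, rule and vault names in the sample policy are constructed placeholders, and the flagging rule is an assumption taken from the thread.

```python
import json

# Constructed sample policy: plan, rule and vault names are placeholders,
# not values from the thread.
SAMPLE_POLICY = json.loads("""
{"plans": {"org-daily": {
  "regions": {"@@assign": ["us-east-1"]},
  "rules": {"daily": {
    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
    "target_backup_vault_name": {"@@assign": "local-vault-$account"},
    "copy_actions": {
      "arn:aws:backup:us-east-1:$account:backup-vault:secondary": {
        "target_backup_vault_arn": {
          "@@assign": "arn:aws:backup:us-east-1:$account:backup-vault:secondary"}
      }
    }
  }}
}}}
""")

PLACEHOLDER = "$account"

def find_placeholders(node, path=()):
    """Yield the path of every dict key or string value containing $account."""
    if isinstance(node, dict):
        for key, child in node.items():
            if PLACEHOLDER in key:
                yield path + (key,)
            yield from find_placeholders(child, path + (key,))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_placeholders(child, path + (str(i),))
    elif isinstance(node, str) and PLACEHOLDER in node:
        yield path

def lint(policy):
    """Return (flagged, other): placeholder uses under target_backup_vault_name
    (reported in the thread as not substituted) and all remaining uses."""
    flagged, other = [], []
    for path in find_placeholders(policy):
        bucket = flagged if "target_backup_vault_name" in path else other
        bucket.append("/".join(path))
    return flagged, other

if __name__ == "__main__":
    flagged, other = lint(SAMPLE_POLICY)
    for p in flagged:
        print("review: $account in vault name field ->", p)
    for p in other:
        print("ok:     $account used at ->", p)
```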
