How do you currently define "offsite" backups for RDS in your organization? The traditional 3-2-1 backup rule remains relevant, but considering AWS, "offsite" can mean various things. For example, are you using cross-region snapshots, cross-account backups, or even exporting data outside AWS into a multi-cloud setup? Specifically for PostgreSQL on RDS, what procedures are you following? Is cross-region backup sufficient, or do you opt for cross-account or external storage solutions? If you're exporting your backups, what methods do you use — snapshot exports to S3, pg_dump, or techniques like logical replication or CDC?
11 Answers
We also export our snapshots to S3 and Glacier for more cost-effective long-term retention.
Our method involves exporting to a cross-account S3 bucket with limited permissions through a role that restricts access to only a specific prefix based on time format. This prevents overwriting or unauthorized access.
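One way to express the time-based prefix restriction described in the answer above, as an added example that is not the poster's code. The bucket name, key layout, prefix format and the use of a session policy on role assumption are all assumptions.

```python
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Assumed names, not from the thread: bucket, key layout and prefix format.
BUCKET = "example-backup-archive"
PREFIX_FORMAT = "rds-exports/%Y/%m/%d/"


def export_prefix(when: datetime) -> str:
    """Time-formatted prefix that one export run is allowed to write under."""
    return when.astimezone(timezone.utc).strftime(PREFIX_FORMAT)


def session_policy(when: datetime) -> dict:
    """Scoped-down policy for one run: PutObject under that run's prefix only.

    No Get, List or Delete is granted, so the writer cannot read or remove
    older exports. Passing this as the session policy on sts:AssumeRole is an
    assumption about how the restriction is applied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteCurrentExportPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{export_prefix(when)}*",
        }],
    }


def is_allowed(policy: dict, action: str, key: str) -> bool:
    """Simplified local check (Allow statements, wildcard resources only).

    Real IAM evaluation also involves the role's identity policy, the bucket
    policy, SCPs and explicit denies; this only shows the prefix scoping.
    """
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and action in stmt["Action"]
                and fnmatchcase(arn, stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    run = datetime(2024, 6, 1, 2, 30, tzinfo=timezone.utc)  # constructed run time
    print(json.dumps(session_policy(run), indent=2))
```

A writer holding this policy can still replace a key under the current prefix, so S3 versioning or Object Lock on the destination bucket is what covers same-prefix overwrites.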
We follow a detailed process: using CMK KMS for RDS/Aurora, enabling AWS backups with point-in-time recovery in the source account, then sending copies to a cross-account, cross-region vault with its own KMS encryption for additional security.
Since we can't do cross-region backups, we've opted for utilizing third-party services for our offsite backups.
We see cross-region backups as just the baseline for offsite storage, so we don't rely solely on that.
Exactly! Cross-account plus cross-region backup is pretty much our minimum standard.
We set up a backup vault in a different account and region where users have no overlapping permissions, adding a layer of security against threats.
It's really important to consider what kind of risks you're protecting against. If you're worried about a user breach, your backups need to be in a separate account. If it's a datacenter failure, go with another region — or even somewhere outside of AWS entirely to avoid vendor lock-in.
We implement a cross-region replica which gives us 2 copies in one format and 1 offsite. Then, we do an engine-native backup to S3 for another copy, creating a solid backup system. On top of that, we replicate our S3 backups to another region for additional security.
Backing up cross-region to the AWS Backup vault is a great strategy since those backups are immutable and can't be deleted by anyone even from the owner account. It’s a robust solution against disasters and ransom attacks, and AWS suggested this over cross-account backups in our discussions with them.
We keep local snapshots for a certain number of days and also have backups off AWS in SQL format for extra safety.
For most teams, cross-region and cross-account backups are usually enough to ensure data safety.
When doing cross-account, make sure to consider organization-wide access permissions. You definitely don’t want similar access in case of a ransomware attack.
Adding a specific region out of range from any threats could also be smart.

That's definitely cheaper for keeping backups over extended periods.