Contact Us

AWS RDS – Enabling Cross Region Backups

Luke Benwell Avatar
Luke Benwell


Introduction


In today’s cloud environments, ensuring data durability and availability is crucial for businesses of all sizes. Amazon RDS (Relational Database Service) offers a variety of backup and disaster recovery options to safeguard your critical data. One of the most effective methods for improving the resiliency of your RDS instances is enabling cross-region automated backups.

This feature allows you to replicate your automated backups to a different AWS region, ensuring that your data is protected from regional failures and disasters. By leveraging cross-region backups, you can achieve greater fault tolerance and business continuity, all while minimizing downtime and data loss. In this post, we’ll walk through the steps of enabling cross-region backups for RDS, along with the key considerations to keep in mind, such as the use of KMS keys for encryption.

Whether you’re aiming to meet strict disaster recovery requirements or simply looking to enhance your data protection strategy, enabling cross-region automated backups for RDS is a crucial step in building a resilient, scalable infrastructure in AWS.


  • Sign in to AWS Console:
  • Select the Target Region:
    • Switch to the destination region (where you want to store the backup).
  • Create a New KMS Key:
    • Click Create Key.
    • Choose Symmetric key (default for RDS encryption).
    • Click Next and provide a key alias (e.g., rds-backup-key).
    • Select the IAM users and roles that will have access to this key.
  • Set Key Policy:
    • Ensure that the policy allows RDS to use the key for backup encryption.
    • Example key policy looks something like this below
{
"Version": "2012-10-17",
"Id": "rds-backup-key-policy",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}

Enable Cross-Region Backups After Creating the KMS Key

  1. Go back to the RDS Console.
  2. Select your RDS instance and click Modify.
  1. Choose the destination region.
  2. Select the newly created KMS key from the dropdown.
  1. Save the changes. (FYI it DOES NOT restart so don’t worry!)

About Author

Luke Benwell
Luke Benwell Avatar
Luke Benwell is a seasoned IT professional with extensive experience in cloud platforms, on-premise infrastructure, cybersecurity and networking. With multiple industry-recognized certifications, including AWS, Microsoft and cybersecurity qualifications, Luke has helped businesses design, implement, and secure their IT environments. Passionate about technology and innovation, he shares his insights through in-depth guides, best practices and industry updates to help businesses optimize their IT strategies.

Other Posts

CYBERDAN

.

Company

Services

Legal

Cyberdan Limited is a registered company in England and Wales number 4523560 • Registered Office Matrix House, 12-16 Lionel Road, Canvey Island, Essex SS8 9DE • Registered for VAT in Great Britain No 778046007