CONCEPT Cited by 1 source
Cross-account backup¶
Definition¶
Cross-account backup is backup / replication written to a different AWS account from the source, typically with distinct credentials and separate access control. The target account is a compromise-isolation boundary — credentials compromised in the source cannot reach the target.
This is the security-motivated counterpart to cross-Region backup. Cross-Region addresses natural/technical disasters (a region fails); cross-account addresses ransomware / malware / malicious insider scenarios where a bad actor with source-account credentials could otherwise delete/encrypt both the primary and the cross-Region copy in a single account.
"Cross-account backup is a critical security measure to enable recovery from malware and ransomware. By storing copies of your data in a separate clean room recovery account with distinct credentials, you create an isolated environment that can't be accessed, even if the source account is compromised." (Source: sources/2026-03-31-aws-streamlining-access-to-dr-capabilities)
Why the account boundary is the right isolation unit¶
AWS accounts are the strongest built-in isolation boundary for IAM: credentials do not cross account boundaries without explicit cross-account roles. A compromise of principals in account A cannot — short of explicit misconfiguration — act in account B. This is the same property exploited by:
- concepts/account-per-tenant-isolation — per-tenant blast- radius containment.
- concepts/clean-room-recovery-account — ransomware recovery isolation.
- Regulated environments — separate accounts for prod / dev / audit data.
Cross-account backup uses the boundary with a specific direction: push from source → pull by recovery only under tightly scoped IAM. The source account has no mutate / read path into the recovery account.
Compositional with cross-Region¶
The two axes are orthogonal:
- Cross-Region = fault isolation (natural / technical disaster).
- Cross-account = compromise isolation (security disaster).
- Cross-Region + cross-account = both — the canonical clean-room recovery account topology, which every mature DR design converges on.
AWS Backup can write a single copy job as cross-Region + cross-account in one primitive.
Seen in¶
- sources/2026-03-31-aws-streamlining-access-to-dr-capabilities — canonical wiki reference; names cross-account backup as the ransomware/malware isolation mechanism; clean-room-recovery-account as the concrete pattern realization.
Related¶
- concepts/clean-room-recovery-account — the pattern this axis enables.
- concepts/cross-region-backup — the orthogonal axis.
- concepts/blast-radius — the containment principle.
- concepts/account-per-tenant-isolation — sibling use of the same primitive.
- systems/aws-backup — unified cross-account copy mechanism.