CONCEPT Cited by 2 sources

Cross-account backup

Definition

Cross-account backup is backup / replication written to a different AWS account from the source, typically with distinct credentials and separate access control. The target account is a compromise-isolation boundary — credentials compromised in the source cannot reach the target.

This is the security-motivated counterpart to cross-Region backup. Cross-Region addresses natural/technical disasters (a region fails); cross-account addresses ransomware / malware / malicious insider scenarios where a bad actor with source-account credentials could otherwise delete/encrypt both the primary and the cross-Region copy in a single account.

"Cross-account backup is a critical security measure to enable recovery from malware and ransomware. By storing copies of your data in a separate clean room recovery account with distinct credentials, you create an isolated environment that can't be accessed, even if the source account is compromised." (Source: sources/2026-03-31-aws-streamlining-access-to-dr-capabilities)

Why the account boundary is the right isolation unit

AWS accounts are the strongest built-in isolation boundary for IAM: credentials do not cross account boundaries without explicit cross-account roles. A compromise of principals in account A cannot — short of explicit misconfiguration — act in account B. This is the same property exploited by:

• concepts/account-per-tenant-isolation — per-tenant blast- radius containment.
• concepts/clean-room-recovery-account — ransomware recovery isolation.
• Regulated environments — separate accounts for prod / dev / audit data.

Cross-account backup uses the boundary with a specific direction: push from source → pull by recovery only under tightly scoped IAM. The source account has no mutate / read path into the recovery account.

Compositional with cross-Region

The two axes are orthogonal:

• Cross-Region = fault isolation (natural / technical disaster).
• Cross-account = compromise isolation (security disaster).
• Cross-Region + cross-account = both — the canonical clean-room recovery account topology, which every mature DR design converges on.

AWS Backup can write a single copy job as cross-Region + cross-account in one primitive.

Seen in

• sources/2026-03-31-aws-streamlining-access-to-dr-capabilities — canonical wiki reference; names cross-account backup as the ransomware/malware isolation mechanism; clean-room-recovery-account as the concrete pattern realization.
• sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — extends cross-account backup with the logically air- gapped vault primitive (service-enforced deletion protection inside the cross-account storage) and the IRE as a third account for execution-side isolation; positions cross-account backup as one orthogonal axis of a three-account cyber-recovery topology.

Related

• concepts/clean-room-recovery-account — the pattern this axis enables.
• concepts/cross-region-backup — the orthogonal axis.
• concepts/blast-radius — the containment principle.
• concepts/account-per-tenant-isolation — sibling use of the same primitive.
• concepts/cyber-resilience — the parent posture for the three-account extension.
• concepts/isolated-recovery-environment — the IRE as the third account.
• systems/aws-backup — unified cross-account copy mechanism.
• systems/aws-backup-logically-air-gapped-vault — the cyber- resilience storage primitive that adds service-enforced deletion protection on top of cross-account copy.
• patterns/three-account-cyber-recovery-topology — the canonical pattern this concept participates in.