All Products
Search
Document Center

Cloud Backup:Cross-account backup

Last Updated:May 14, 2026

When an enterprise uses multiple Alibaba Cloud accounts across different departments, it requires a unified data protection strategy for centralized management. The cross-account backup feature allows you to use a single management account to centrally back up and restore data from cloud resources in other accounts. This approach isolates source data from backup data at the account level, enabling centralized data protection that meets compliance and auditing requirements. It also streamlines operations and reduces overall maintenance costs as users in other accounts do not need to learn how to use the backup service.

How it works

Cloud Backup allows you to add accounts for cross-account backup by using two authorization methods: one based on Resource Directory and the other based on RAM role assumption. The following table describes how each method works and its recommended use cases.

  • Configure cross-account backup based on Resource Directory: Use this method when the management account and the accounts to be backed up are part of the same resource directory. The management account must be the management account of the resource directory or a delegated administrator account for Cloud Backup. This method provides a simple, visual way to manage accounts within your resource directory and back up their cloud resources. It is well-suited for enterprises that use Resource Directory to structure their multi-account environment and for industries such as finance and government that require strong compliance and centralized control.

  • Configure cross-account backup based on RAM role assumption: This method requires you to create a RAM role in the account to be backed up and grant permissions to the management account. This allows Cloud Backup to use the AliyunServiceRoleForHbrCrossAccountBackup service-linked role in the management account to temporarily assume the RAM role in the other account and access its resources. This method is suitable for scenarios where you do not use Resource Directory or need to grant temporary, phased authorization for cross-account backup.

Both methods allow a management account to provide unified data protection for other accounts. You can use a single backup policy to protect data across multiple accounts and restore data to any managed account on demand. All backup tasks and data are managed from the management account. The accounts to be backed up do not need to enable or operate the Cloud Backup service. Only the management account can access or delete the backup data, which ensures data isolation at the account level.

image

In a cross-account backup scenario, the management account and the managed accounts can perform the following operations:

Resource type

Management account operations

Managed account operations

ECS instance

  • View the ECS instances of the accounts to be backed up.

  • Assign the management account's backup policies to the ECS instances of an account to be backed up or run cross-account backup tasks.

  • Manage the ECS instance backup points that are generated from cross-account backups.

  • Restore a backup point only to the source ECS instance's account. Cross-account restore is not supported.

  • View only the ECS instances in the current account.

  • In the ECS console, view or use the snapshots created by cross-account backups of ECS instances.

Other resource types

  • View the resources of the accounts to be backed up.

  • Assign the backup policies of the management account to the resources of an account to be backed up or run cross-account backup tasks.

  • Manage the backup points of resources that are generated from cross-account backups.

  • Restore backup points to any managed account.

  • View only the resources in the current account.

Limitations

  • The cross-account backup feature is available for ECS instance backup, ECS file backup, NAS backup, OSS backup, Tablestore backup, Database Backup, and SAP HANA backup. For an ECS instance, you can restore a backup point only to the source ECS instance's account. Cross-account restore is not supported. For specific supported scenarios, refer to the information in the Cloud Backup console.

  • The backup points of an ECS instance belong to the management account, but the generated ECS snapshots are stored in the account to be backed up. The account to be backed up incurs fees for the ECS snapshots. For more information, see Billing.

  • Cross-account backup does not affect backup performance, data deduplication efficiency, or network transmission speed.

  • When you configure cross-account backup based on Resource Directory, the management account must be the management account of the resource directory or a delegated administrator account for the Cloud Backup service. You can add a maximum of three delegated administrator accounts for Cloud Backup.

  • For a list of supported regions, see Features by region.

Prerequisites

  • Prepare a management account and one or more accounts to be backed up.

  • If you want to configure cross-account backup based on Resource Directory, make sure that the management account and the accounts to be backed up are in the same resource directory. For more information, see Enable a resource directory and Invite an Alibaba Cloud account to join a resource directory.

  • Decide which method to use—Resource Directory or RAM role assumption—based on your business scenario.

Add an account by using Resource Directory

(Optional) Step 1: Set a delegated administrator account

Note

If you use the management account of the resource directory as the management account, skip this step.

To use a member account of a resource directory as the management account, you must set this account as a delegated administrator account for Cloud Backup. You can do this from the trusted services page for your resource directory in the Resource Management console. For more information, see Manage a delegated administrator account.

  1. Log on to the Resource Management console by using the management account of your resource directory.

  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.

  3. On the Trusted Services page, find the Cloud Backup service and click Manage in the Actions column.

  4. In the Delegated Administrator Account section, click Add.

  5. In the Add Delegated Administrator Account panel, select the intended management account.

  6. Click OK.

    After the account is added, the Cloud Backup service appears in the list of trusted services when you log on to the Resource Management console with the delegated administrator account.

Step 2: Add a managed account

  1. Log on to the Cloud Backup console by using the management account.

  2. In the left-side navigation pane, choose Backup > Cross-Account Backup.

  3. On the Cross-Account Backup page, switch to the region where the resources of the account to be backed up are located.

  4. Click Add the account to be backed up.

  5. In the Add the account to be backed up panel, configure the following parameters and click OK.image

    Parameter

    Description

    Cross-account type

    Select Based on Resource Directory.

    Select an account to be backed up

    Select an account from the resource directory.

    You can select only one account at a time. You can enter a keyword to quickly find the account that you want to add.

    Note

    For accounts that are part of a resource directory, we recommend that you configure cross-account backup based on Resource Directory. However, you can also use the method based on RAM role assumption. For more information, see Add an account by using RAM role assumption.

    After the account is added, it appears in the account list.imageWhen an account to be backed up is managed for the first time, Cloud Backup automatically creates the AliyunServiceRoleForHbrRd service-linked role:

    • Role name: AliyunServiceRoleForHbrRd

    • Permission policy: AliyunServiceRolePolicyForHbrRd

    • Description: Allows Cloud Backup to access the resources of other authorized accounts for cross-account backup and restore operations.

Warning

The following actions affect cross-account authorization and may cause cross-account backups to fail. Proceed with caution.

  • Removing an account to be backed up from the account list in the management account.

  • The management account loses its status as the management account of the resource directory or as a delegated administrator for Cloud Backup.

  • The account to be backed up no longer belongs to the resource directory managed by the management account.

  • Deleting the AliyunServiceRoleForHbrRd service-linked role in the account to be backed up.

Existing backup data is not affected. If you want to cancel cross-account backup, see Cancel cross-account backup.

Add an account by using RAM role assumption

Step 1: Create a service-linked role

You must authorize the management account to use the AliyunServiceRoleForHbrCrossAccountBackup service-linked role.

  • Role name: AliyunServiceRoleForHbrCrossAccountBackup

  • Permission policy: AliyunServiceRolePolicyForHbrCrossAccountBackup

  • Description: Allows the backup service to access resources in other authorized accounts for cross-account backup and restore operations.

Important

You need to perform this operation only once when you configure cross-account backup for the first time. If you have already granted the authorization, proceed to Step 2.

  1. Log on to the Cloud Backup console by using the management account.

  2. In the left-side navigation pane, choose Backup > Cross-Account Backup.

  3. On the Cross-Account Backup page, switch to the region where the resources to be backed up are located.

  4. Click Add the account to be backed up. In the Add the account to be backed up panel, select Based on RAM Role Assumption for the Cross-account type parameter.

  5. In the Cloud Backup Authorization dialog box, click Authorize.

    image.pngFor more information, see Service-linked roles for Cloud Backup.

Step 2: Create a RAM role in the managed account

  1. Log on to the RAM console by using the account to be backed up.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Cloud Account for Principal Type and Other Cloud Account for Principal Name. Enter the Account ID of the management account, and then click OK.

    image

    Note

    To view your Alibaba Cloud account ID, go to the Security Settings page.

  5. In the Create Role dialog box, enter a RAM role name, such as hbrcrossrole, and then click OK.

Step 3: Grant permissions to the RAM role

After creating the RAM role, you must grant it a policy. On the Add Permissions panel, RAM provides the following two default system policies:

  • AdministratorAccess: Grants permissions to manage all cloud resources in the destination account.

  • AliyunHBRRolePolicy: (Recommended) Grants the system permissions required by Cloud Backup.

    The AliyunHBRRolePolicy system policy includes the following permissions:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations",
            "ecs:CreateSnapshotGroup",
            "ecs:DescribeSnapshotGroups",
            "ecs:DeleteSnapshotGroup",
            "ecs:CopySnapshot"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "bssapi:QueryAvailableInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole",
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketInventory",
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListInstance",
            "ots:GetInstance",
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream",
            "ots:CreateIndex",
            "ots:CreateSearchIndex",
            "ots:DescribeSearchIndex",
            "ots:ListSearchIndex"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cms:QueryMetricList"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

The following steps show how to grant the AliyunHBRRolePolicy permissions to the hbrcrossrole RAM role:

  1. Log on to the RAM console by using the account to be backed up.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Find the target RAM role hbrcrossrole, and go to its details page.

  4. On the Permissions tab, click Add Permissions.

  5. In the Add Permissions panel, set Policy Type to System Policy, enter AliyunHBRRolePolicy as the policy name, and then click OK.

  6. A message appears indicating that the permissions are granted. Click Close.

  7. Modify the trust policy of the RAM role.

    1. On the role details page, click the Trust Policy tab.

    2. Click Edit Trust Policy.

    3. Click the JSON Editor tab and copy the following code into the policy editor. Replace management-account-id with the ID of the management account.

      This policy allows the management account to obtain a temporary token through Cloud Backup to operate the resources of the account to be backed up.

      Note

      You can go to the Security Settings page to view your Alibaba Cloud account ID.

      {
       "Statement": [
           {
               "Action": "sts:AssumeRole",
               "Effect": "Allow",
               "Principal": {
                   "RAM": [
                       "acs:ram::management-account-id:role/AliyunServiceRoleForHbrCrossAccountBackup"
                   ]
               }
           }
       ],
       "Version": "1"
      }
    4. Click OK.

Step 4: Add the managed account

  1. Log on to the Cloud Backup console by using the management account.

  2. In the left-side navigation pane, choose Backup > Cross-Account Backup.

  3. On the Cross-Account Backup page, switch to the region where the resources to be backed up are located.

    Important

    You must add the account to be backed up in the same region as its resources (ECS files, NAS, OSS, Tablestore, Database Backup, or ECS instances). Otherwise, Cloud Backup cannot find the resources, causing backup plans or tasks to fail.

  4. Click Add the account to be backed up. In the Add the account to be backed up panel, set Cross-account type to Based on RAM Role Assumption, configure the following parameters, and then click OK.

    image

    Parameter

    Description

    Cross-account type

    Select Based on RAM role assumption. If the management account is a Cloud Backup administrator for a resource directory, we recommend that you see Add an account by using Resource Directory.

    Alibaba Cloud Account ID

    Enter the ID of the account to be backed up.

    Note

    You can go to the Security Settings page to view your Alibaba Cloud account ID.

    Role Name

    Enter the RAM role name for the account to be backed up, such as hbrcrossrole.

    Important

    Click Check Permissions to verify that the authorization is configured correctly. If an error is reported, check your configuration and try again. If the check is successful, the message You are authorized to access the resources of this role. appears.

    Account Alias

    Set an easy-to-identify name for the account. We recommend that you use the account name of the account to be backed up.

After the account is added, it appears in the account list.

image

Warning

The following actions affect cross-account authorization and may cause cross-account backups to fail. Proceed with caution:

  • Removing an account to be backed up from the account list in the management account.

  • Deleting the AliyunServiceRoleForHbrCrossAccountBackup service-linked role in the management account.

  • Deleting the RAM role used for cross-account backup in the account to be backed up.

  • The required permissions are not granted to the RAM role that is used for cross-account backup.

Existing backup data is not affected. If you want to cancel cross-account backup, see Cancel cross-account backup.

Configure cross-account backup

After adding an account to be backed up, log on to the console as the management account and switch to the newly added account. You can then configure cross-account backups for its resources.

  1. Log on to the Cloud Backup console by using your management account.

  2. In the top navigation bar, select the region where the resources to be backed up are located.

  3. Click Logon Account, and select the account that you added.image

  4. In the left-side navigation pane, select a backup feature to perform a cross-account backup.

    Important

    Cross-account backup is supported for ECS file backup, ECS instance backup, NAS backup, OSS backup, Tablestore backup, Database Backup, and SAP HANA backup. After you back up an ECS instance across accounts, you can restore the instance only to the source Alibaba Cloud account. For specific supported scenarios, see the information in the Cloud Backup console.

    For example, to back up ECS files, first switch to the account where the ECS instance is located in the upper-left corner of the console. Then, select the ECS instance from the instance list. Create a backup policy or select an existing one and bind it to the ECS instance to complete the backup plan configuration. After the backup task is complete, the ECS file data is backed up to the backup vault of the management account.

    Important

    A backup vault can store data from different accounts. A backup policy can be bound to data sources from different accounts, enabling unified data protection for various resources across multiple accounts. Before you configure a cross-account backup plan, make sure that you have completed all the prerequisites.

Cross-account restore

The backup vault of the management account stores the backup data of that account and the accounts to be backed up. You can restore data from any historical backup point in the backup vault to the management account or any account to be backed up as needed. The following example shows how to restore data to an account to be backed up:

  1. Switch to the destination account to which you want to restore the backup data.

  2. Create a restore job. The procedure for creating a restore job is the same as for each data source.

    image.png

Best practices

  • Select a cross-account method: Select the cross-account configuration method that aligns with your enterprise's account structure. For multi-account scenarios that are not managed by Resource Directory or for cross-enterprise collaboration, we recommend that you configure cross-account backup based on RAM role assumption. For multi-account architectures that are already in a resource directory, configure cross-account backup based on Resource Directory for unified control and permission management.

  • Follow the principle of least privilege: Use the AliyunHBRRolePolicy system policy instead of the AdministratorAccess policy to avoid security risks from excessive permissions. Grant only the minimum set of permissions required for backup and restore operations. Regularly review your cross-account backup permissions and promptly revoke access that is no longer needed.

  • Plan your regions: Add cross-account configurations based on the region where the resources to be backed up are located. This ensures optimal backup performance and data transfer efficiency. Prioritize configuring cross-account backup in regions with a high concentration of resources.

  • Control your costs: The cross-account backup feature is free of charge. For information about other fees, see Billing. Plan your backup policies and retention periods to control storage costs.

Cancel cross-account backup

Important
  • After canceling cross-account backup, the management account can no longer back up data from the specified account. Evaluate the impact before you proceed.

  • If you add an account to be backed up but do not perform any backup or restore operations, no fees are incurred.

  • After canceling cross-account backup, the existing backup data is retained in the backup vaults of the management account and can be restored to the current account or other managed accounts. This data continues to consume storage capacity and incur charges. To stop billing, see How do I stop being charged for Cloud Backup? Note that deleted backups cannot be recovered.

  1. Switch to the account to be backed up. On the page for the corresponding data source, delete the backup plan, uninstall the backup client (if any), deregister the instance, and delete the backup vault. For more information, see How do I stop being charged for Cloud Backup?

  2. Switch to the management account. On the Cross-Account Backup page in the Cloud Backup console, delete the account to be backed up.image.png

  3. If you configured cross-account backup based on Resource Directory, delete the AliyunServiceRoleForHbrRd service-linked role in the account to be backed up.

    1. Log on to the RAM console by using the account to be backed up.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. Find the AliyunServiceRoleForHbrRd service-linked role, click Delete Role in the Actions column, and then confirm the deletion.

  4. If you configured cross-account backup based on RAM role assumption, delete the RAM role in the account to be backed up.

    1. Log on to the RAM console by using the account to be backed up.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. Find the RAM role created for the account to be backed up, such as hbrcrossrole, click Delete Role in its Actions column, and confirm the deletion.

Billing

You are not charged for using the cross-account backup feature of Cloud Backup. However, fees are incurred for backup and restore operations, as described in the following table. For more information, see Billing methods and billable items.

Managed account resource

Management account billing

Managed account billing

ECS instance

  • ECS instance backup software usage fees

  • Snapshot capacity fees

  • Cross-region traffic fees and destination region snapshot capacity fees if you enable Replication to Other Region

  • Fees for resources such as ECS instances and disks that are used after a restore from a backup point

ECS files

  • File backup software usage fees

  • Backup vault storage capacity fees

  • Mirror vault storage capacity fees and cross-region replication traffic fees if you enable cross-region replication

Fees for resources such as disks that are used after a restore from a backup point

NAS

  • Backup vault storage capacity fees

  • Mirror vault storage capacity fees and cross-region replication traffic fees if you enable cross-region replication

  • NAS Infrequent Access (IA) read/write traffic fees generated by the backup service when accessing NAS IA storage data

  • Fees for resources such as NAS file systems that are used after a restore from a backup point

OSS

  • Backup vault storage capacity fees

  • Mirror vault storage capacity fees and cross-region replication traffic fees if you enable cross-region replication

  • OSS request fees generated during backups

  • Fees for resources such as OSS that are used after a restore from a backup point

Tablestore

  • Backup vault storage capacity fees

  • Mirror vault storage capacity fees and cross-region replication traffic fees if you enable cross-region replication

  • Restore fees, which are data write fees generated when you restore data to Tablestore

  • Fees for resources such as Tablestore instances that are used after a restore from a backup point

Database Backup

  • Database backup repository rental fees

  • Database backup storage capacity fees

Fees for resources such as disks that are used after a restore from a backup point

SAP HANA

  • SAP HANA backup software usage fees

  • Backup vault storage capacity fees

  • Mirror vault storage capacity fees and cross-region replication traffic fees if you enable cross-region replication

Fees for resources such as disks that are used after a restore from a backup point

FAQ

Is the cross-account backup feature free of charge?

The feature itself is free, but costs associated with backup and restore operations are charged to the management account. Snapshot service fees for ECS instance backups and OSS request fees are charged to the account being backed up. For more information, see Billing.

Cross-account replication vs. cross-account backup

  • Cross-account replication of a backup vault: The source account performs a backup and then copies the data from its backup vault to another Alibaba Cloud account. As a result, both accounts have a copy of the backup data. This is used to create backup data redundancy or to use the data in a different account.

  • Cross-account backup: The management account assigns backup policies to other accounts. The backup data from these accounts is stored centrally in the management account. The management account can then use this data for on-demand restore operations, which allows for unified management of backup data. The accounts being backed up cannot view or manage the backed-up data.

Both methods are widely used for enterprise data security and compliance. They both support account-level data isolation for accounts within or outside a resource directory. You can select a method based on your business needs or combine both methods to achieve unified data management and backup data redundancy.

References