When an enterprise uses multiple Alibaba Cloud accounts across different departments, it requires a unified data protection strategy for centralized management. The cross-account backup feature allows you to use a single management account to centrally back up and restore data from cloud resources in other accounts. This approach isolates source data from backup data at the account level, enabling centralized data protection that meets compliance and auditing requirements. It also streamlines operations and reduces overall maintenance costs as users in other accounts do not need to learn how to use the backup service.
How it works
Cloud Backup allows you to add accounts for cross-account backup by using two authorization methods: one based on Resource Directory and the other based on RAM role assumption. The following table describes how each method works and its recommended use cases.
Configure cross-account backup based on Resource Directory: Use this method when the management account and the accounts to be backed up are part of the same resource directory. The management account must be the management account of the resource directory or a delegated administrator account for Cloud Backup. This method provides a simple, visual way to manage accounts within your resource directory and back up their cloud resources. It is well-suited for enterprises that use Resource Directory to structure their multi-account environment and for industries such as finance and government that require strong compliance and centralized control.
Configure cross-account backup based on RAM role assumption: This method requires you to create a RAM role in the account to be backed up and grant permissions to the management account. This allows Cloud Backup to use the
AliyunServiceRoleForHbrCrossAccountBackupservice-linked role in the management account to temporarily assume the RAM role in the other account and access its resources. This method is suitable for scenarios where you do not use Resource Directory or need to grant temporary, phased authorization for cross-account backup.
Both methods allow a management account to provide unified data protection for other accounts. You can use a single backup policy to protect data across multiple accounts and restore data to any managed account on demand. All backup tasks and data are managed from the management account. The accounts to be backed up do not need to enable or operate the Cloud Backup service. Only the management account can access or delete the backup data, which ensures data isolation at the account level.
In a cross-account backup scenario, the management account and the managed accounts can perform the following operations:
Resource type | Management account operations | Managed account operations |
ECS instance |
|
|
Other resource types |
|
|
Limitations
The cross-account backup feature is available for ECS instance backup, ECS file backup, NAS backup, OSS backup, Tablestore backup, Database Backup, and SAP HANA backup. For an ECS instance, you can restore a backup point only to the source ECS instance's account. Cross-account restore is not supported. For specific supported scenarios, refer to the information in the Cloud Backup console.
The backup points of an ECS instance belong to the management account, but the generated ECS snapshots are stored in the account to be backed up. The account to be backed up incurs fees for the ECS snapshots. For more information, see Billing.
Cross-account backup does not affect backup performance, data deduplication efficiency, or network transmission speed.
When you configure cross-account backup based on Resource Directory, the management account must be the management account of the resource directory or a delegated administrator account for the Cloud Backup service. You can add a maximum of three delegated administrator accounts for Cloud Backup.
For a list of supported regions, see Features by region.
Prerequisites
Prepare a management account and one or more accounts to be backed up.
If you want to configure cross-account backup based on Resource Directory, make sure that the management account and the accounts to be backed up are in the same resource directory. For more information, see Enable a resource directory and Invite an Alibaba Cloud account to join a resource directory.
Decide which method to use—Resource Directory or RAM role assumption—based on your business scenario.
Add an account by using Resource Directory
(Optional) Step 1: Set a delegated administrator account
If you use the management account of the resource directory as the management account, skip this step.
To use a member account of a resource directory as the management account, you must set this account as a delegated administrator account for Cloud Backup. You can do this from the trusted services page for your resource directory in the Resource Management console. For more information, see Manage a delegated administrator account.
Log on to the Resource Management console by using the management account of your resource directory.
In the left-side navigation pane, choose Resource Directory > Trusted Services.
On the Trusted Services page, find the Cloud Backup service and click Manage in the Actions column.
In the Delegated Administrator Account section, click Add.
In the Add Delegated Administrator Account panel, select the intended management account.
Click OK.
After the account is added, the Cloud Backup service appears in the list of trusted services when you log on to the Resource Management console with the delegated administrator account.
Step 2: Add a managed account
Log on to the Cloud Backup console by using the management account.
In the left-side navigation pane, choose Backup > Cross-Account Backup.
On the Cross-Account Backup page, switch to the region where the resources of the account to be backed up are located.
Click Add the account to be backed up.
In the Add the account to be backed up panel, configure the following parameters and click OK.

Parameter
Description
Cross-account type
Select Based on Resource Directory.
Select an account to be backed up
Select an account from the resource directory.
You can select only one account at a time. You can enter a keyword to quickly find the account that you want to add.
NoteFor accounts that are part of a resource directory, we recommend that you configure cross-account backup based on Resource Directory. However, you can also use the method based on RAM role assumption. For more information, see Add an account by using RAM role assumption.
After the account is added, it appears in the account list.
When an account to be backed up is managed for the first time, Cloud Backup automatically creates the AliyunServiceRoleForHbrRd service-linked role:Role name: AliyunServiceRoleForHbrRd
Permission policy: AliyunServiceRolePolicyForHbrRd
Description: Allows Cloud Backup to access the resources of other authorized accounts for cross-account backup and restore operations.
The following actions affect cross-account authorization and may cause cross-account backups to fail. Proceed with caution.
Removing an account to be backed up from the account list in the management account.
The management account loses its status as the management account of the resource directory or as a delegated administrator for Cloud Backup.
The account to be backed up no longer belongs to the resource directory managed by the management account.
Deleting the AliyunServiceRoleForHbrRd service-linked role in the account to be backed up.
Existing backup data is not affected. If you want to cancel cross-account backup, see Cancel cross-account backup.
Add an account by using RAM role assumption
Step 1: Create a service-linked role
You must authorize the management account to use the AliyunServiceRoleForHbrCrossAccountBackup service-linked role.
Role name: AliyunServiceRoleForHbrCrossAccountBackup
Permission policy: AliyunServiceRolePolicyForHbrCrossAccountBackup
Description: Allows the backup service to access resources in other authorized accounts for cross-account backup and restore operations.
You need to perform this operation only once when you configure cross-account backup for the first time. If you have already granted the authorization, proceed to Step 2.
Log on to the Cloud Backup console by using the management account.
In the left-side navigation pane, choose Backup > Cross-Account Backup.
On the Cross-Account Backup page, switch to the region where the resources to be backed up are located.
Click Add the account to be backed up. In the Add the account to be backed up panel, select Based on RAM Role Assumption for the Cross-account type parameter.
In the Cloud Backup Authorization dialog box, click Authorize.
For more information, see Service-linked roles for Cloud Backup.
Step 2: Create a RAM role in the managed account
Log on to the RAM console by using the account to be backed up.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
On the Create Role page, select Cloud Account for Principal Type and Other Cloud Account for Principal Name. Enter the Account ID of the management account, and then click OK.
NoteTo view your Alibaba Cloud account ID, go to the Security Settings page.
In the Create Role dialog box, enter a RAM role name, such as hbrcrossrole, and then click OK.
Step 3: Grant permissions to the RAM role
After creating the RAM role, you must grant it a policy. On the Add Permissions panel, RAM provides the following two default system policies:
AdministratorAccess: Grants permissions to manage all cloud resources in the destination account.
AliyunHBRRolePolicy: (Recommended) Grants the system permissions required by Cloud Backup.
The AliyunHBRRolePolicy system policy includes the following permissions:
{ "Version": "1", "Statement": [ { "Action": [ "nas:DescribeFileSystems", "nas:CreateMountTargetSpecial", "nas:DeleteMountTargetSpecial", "nas:DescribeMountTargets", "nas:DescribeAccessGroups" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ecs:RunCommand", "ecs:CreateCommand", "ecs:InvokeCommand", "ecs:DeleteCommand", "ecs:DescribeCommands", "ecs:StopInvocation", "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances", "ecs:DescribeInstanceRamRole", "ecs:DescribeInvocations", "ecs:CreateSnapshotGroup", "ecs:DescribeSnapshotGroups", "ecs:DeleteSnapshotGroup", "ecs:CopySnapshot" ], "Resource": "*", "Effect": "Allow" }, { "Action": "bssapi:QueryAvailableInstances", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ram:*:*:role/aliyunecsaccessinghbrrole" ], "Effect": "Allow" }, { "Action": [ "ram:PassRole", "ram:GetRole", "ram:GetPolicy", "ram:ListPoliciesForRole" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "hcs-sgw:DescribeGateways" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oss:ListBuckets", "oss:GetBucketInventory", "oss:ListObjects", "oss:HeadBucket", "oss:GetBucket", "oss:GetBucketAcl", "oss:GetBucketLocation", "oss:GetBucketInfo", "oss:PutObject", "oss:CopyObject", "oss:GetObject", "oss:AppendObject", "oss:GetObjectMeta", "oss:PutObjectACL", "oss:GetObjectACL", "oss:PutObjectTagging", "oss:GetObjectTagging", "oss:InitiateMultipartUpload", "oss:UploadPart", "oss:UploadPartCopy", "oss:CompleteMultipartUpload", "oss:AbortMultipartUpload", "oss:ListMultipartUploads", "oss:ListParts" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:CreateTable", "ots:UpdateTable", "ots:DescribeTable", "ots:BatchWriteRow", "ots:CreateTunnel", "ots:DeleteTunnel", "ots:ListTunnel", "ots:DescribeTunnel", "ots:ConsumeTunnel", "ots:GetRange", "ots:ListStream", "ots:DescribeStream", "ots:CreateIndex", "ots:CreateSearchIndex", "ots:DescribeSearchIndex", "ots:ListSearchIndex" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cms:QueryMetricList" ], "Resource": "*" }, { "Action": [ "ecs:DescribeSecurityGroups", "ecs:DescribeImages", "ecs:CreateImage", "ecs:DeleteImage", "ecs:DescribeSnapshots", "ecs:CreateSnapshot", "ecs:DeleteSnapshot", "ecs:DescribeSnapshotLinks", "ecs:DescribeAvailableResource", "ecs:ModifyInstanceAttribute", "ecs:CreateInstance", "ecs:DeleteInstance", "ecs:AllocatePublicIpAddress", "ecs:CreateDisk", "ecs:DescribeDisks", "ecs:AttachDisk", "ecs:DetachDisk", "ecs:DeleteDisk", "ecs:ResetDisk", "ecs:StartInstance", "ecs:StopInstance", "ecs:ReplaceSystemDisk", "ecs:ModifyResourceMeta" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "vpc:DescribeVpcs", "vpc:DescribeVSwitches" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:ListKeys", "kms:ListAliases" ], "Resource": "*", "Effect": "Allow" } ] }
The following steps show how to grant the AliyunHBRRolePolicy permissions to the hbrcrossrole RAM role:
Log on to the RAM console by using the account to be backed up.
In the left-side navigation pane, choose Identities > Roles.
Find the target RAM role hbrcrossrole, and go to its details page.
On the Permissions tab, click Add Permissions.
In the Add Permissions panel, set Policy Type to System Policy, enter AliyunHBRRolePolicy as the policy name, and then click OK.
A message appears indicating that the permissions are granted. Click Close.
Modify the trust policy of the RAM role.
On the role details page, click the Trust Policy tab.
Click Edit Trust Policy.
Click the JSON Editor tab and copy the following code into the policy editor. Replace management-account-id with the ID of the management account.
This policy allows the management account to obtain a temporary token through Cloud Backup to operate the resources of the account to be backed up.
NoteYou can go to the Security Settings page to view your Alibaba Cloud account ID.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::management-account-id:role/AliyunServiceRoleForHbrCrossAccountBackup" ] } } ], "Version": "1" }Click OK.
Step 4: Add the managed account
Log on to the Cloud Backup console by using the management account.
In the left-side navigation pane, choose Backup > Cross-Account Backup.
On the Cross-Account Backup page, switch to the region where the resources to be backed up are located.
ImportantYou must add the account to be backed up in the same region as its resources (ECS files, NAS, OSS, Tablestore, Database Backup, or ECS instances). Otherwise, Cloud Backup cannot find the resources, causing backup plans or tasks to fail.
Click Add the account to be backed up. In the Add the account to be backed up panel, set Cross-account type to Based on RAM Role Assumption, configure the following parameters, and then click OK.

Parameter
Description
Cross-account type
Select Based on RAM role assumption. If the management account is a Cloud Backup administrator for a resource directory, we recommend that you see Add an account by using Resource Directory.
Alibaba Cloud Account ID
Enter the ID of the account to be backed up.
NoteYou can go to the Security Settings page to view your Alibaba Cloud account ID.
Role Name
Enter the RAM role name for the account to be backed up, such as hbrcrossrole.
ImportantClick Check Permissions to verify that the authorization is configured correctly. If an error is reported, check your configuration and try again. If the check is successful, the message You are authorized to access the resources of this role. appears.
Account Alias
Set an easy-to-identify name for the account. We recommend that you use the account name of the account to be backed up.
After the account is added, it appears in the account list.

The following actions affect cross-account authorization and may cause cross-account backups to fail. Proceed with caution:
Removing an account to be backed up from the account list in the management account.
Deleting the AliyunServiceRoleForHbrCrossAccountBackup service-linked role in the management account.
Deleting the RAM role used for cross-account backup in the account to be backed up.
The required permissions are not granted to the RAM role that is used for cross-account backup.
Existing backup data is not affected. If you want to cancel cross-account backup, see Cancel cross-account backup.
Configure cross-account backup
After adding an account to be backed up, log on to the console as the management account and switch to the newly added account. You can then configure cross-account backups for its resources.
Log on to the Cloud Backup console by using your management account.
In the top navigation bar, select the region where the resources to be backed up are located.
Click Logon Account, and select the account that you added.

In the left-side navigation pane, select a backup feature to perform a cross-account backup.
ImportantCross-account backup is supported for ECS file backup, ECS instance backup, NAS backup, OSS backup, Tablestore backup, Database Backup, and SAP HANA backup. After you back up an ECS instance across accounts, you can restore the instance only to the source Alibaba Cloud account. For specific supported scenarios, see the information in the Cloud Backup console.
For example, to back up ECS files, first switch to the account where the ECS instance is located in the upper-left corner of the console. Then, select the ECS instance from the instance list. Create a backup policy or select an existing one and bind it to the ECS instance to complete the backup plan configuration. After the backup task is complete, the ECS file data is backed up to the backup vault of the management account.
ImportantA backup vault can store data from different accounts. A backup policy can be bound to data sources from different accounts, enabling unified data protection for various resources across multiple accounts. Before you configure a cross-account backup plan, make sure that you have completed all the prerequisites.
Cross-account restore
The backup vault of the management account stores the backup data of that account and the accounts to be backed up. You can restore data from any historical backup point in the backup vault to the management account or any account to be backed up as needed. The following example shows how to restore data to an account to be backed up:
Switch to the destination account to which you want to restore the backup data.
Create a restore job. The procedure for creating a restore job is the same as for each data source.
Restore a database on an ECS instance (Restore a MySQL database, Restore an Oracle database, or Restore a SQL Server database)

Best practices
Select a cross-account method: Select the cross-account configuration method that aligns with your enterprise's account structure. For multi-account scenarios that are not managed by Resource Directory or for cross-enterprise collaboration, we recommend that you configure cross-account backup based on RAM role assumption. For multi-account architectures that are already in a resource directory, configure cross-account backup based on Resource Directory for unified control and permission management.
Follow the principle of least privilege: Use the AliyunHBRRolePolicy system policy instead of the AdministratorAccess policy to avoid security risks from excessive permissions. Grant only the minimum set of permissions required for backup and restore operations. Regularly review your cross-account backup permissions and promptly revoke access that is no longer needed.
Plan your regions: Add cross-account configurations based on the region where the resources to be backed up are located. This ensures optimal backup performance and data transfer efficiency. Prioritize configuring cross-account backup in regions with a high concentration of resources.
Control your costs: The cross-account backup feature is free of charge. For information about other fees, see Billing. Plan your backup policies and retention periods to control storage costs.
Cancel cross-account backup
After canceling cross-account backup, the management account can no longer back up data from the specified account. Evaluate the impact before you proceed.
If you add an account to be backed up but do not perform any backup or restore operations, no fees are incurred.
After canceling cross-account backup, the existing backup data is retained in the backup vaults of the management account and can be restored to the current account or other managed accounts. This data continues to consume storage capacity and incur charges. To stop billing, see How do I stop being charged for Cloud Backup? Note that deleted backups cannot be recovered.
Switch to the account to be backed up. On the page for the corresponding data source, delete the backup plan, uninstall the backup client (if any), deregister the instance, and delete the backup vault. For more information, see How do I stop being charged for Cloud Backup?
Switch to the management account. On the Cross-Account Backup page in the Cloud Backup console, delete the account to be backed up.

If you configured cross-account backup based on Resource Directory, delete the AliyunServiceRoleForHbrRd service-linked role in the account to be backed up.
Log on to the RAM console by using the account to be backed up.
In the left-side navigation pane, choose Identities > Roles.
Find the AliyunServiceRoleForHbrRd service-linked role, click Delete Role in the Actions column, and then confirm the deletion.
If you configured cross-account backup based on RAM role assumption, delete the RAM role in the account to be backed up.
Log on to the RAM console by using the account to be backed up.
In the left-side navigation pane, choose Identities > Roles.
Find the RAM role created for the account to be backed up, such as hbrcrossrole, click Delete Role in its Actions column, and confirm the deletion.
Billing
You are not charged for using the cross-account backup feature of Cloud Backup. However, fees are incurred for backup and restore operations, as described in the following table. For more information, see Billing methods and billable items.
Managed account resource | Management account billing | Managed account billing |
ECS instance |
|
|
ECS files |
| Fees for resources such as disks that are used after a restore from a backup point |
NAS |
|
|
OSS |
|
|
Tablestore |
|
|
Database Backup |
| Fees for resources such as disks that are used after a restore from a backup point |
SAP HANA |
| Fees for resources such as disks that are used after a restore from a backup point |
FAQ
Is the cross-account backup feature free of charge?
The feature itself is free, but costs associated with backup and restore operations are charged to the management account. Snapshot service fees for ECS instance backups and OSS request fees are charged to the account being backed up. For more information, see Billing.
Cross-account replication vs. cross-account backup
Cross-account replication of a backup vault: The source account performs a backup and then copies the data from its backup vault to another Alibaba Cloud account. As a result, both accounts have a copy of the backup data. This is used to create backup data redundancy or to use the data in a different account.
Cross-account backup: The management account assigns backup policies to other accounts. The backup data from these accounts is stored centrally in the management account. The management account can then use this data for on-demand restore operations, which allows for unified management of backup data. The accounts being backed up cannot view or manage the backed-up data.
Both methods are widely used for enterprise data security and compliance. They both support account-level data isolation for accounts within or outside a resource directory. You can select a method based on your business needs or combine both methods to achieve unified data management and backup data redundancy.