Multi-account backup and disaster recovery with Druva and AWS Control Tower

Pranjal Gururani, Solutions Architect, AWS; David Gildea, VP of Product, Druva; and Steven Duff, Product Marketing, Druva

With enterprises scaling up their AWS workloads across hundreds, if not thousands, of AWS accounts, customers have expressed the need to simplify data protection as they scale. Customers are now looking to Druva to centrally manage, monitor, and secure backups across multi-account AWS environments and achieve an enhanced organization-level view of data protection across their AWS services.

Druva offers a purpose-built, SaaS data protection solution for AWS – including cloud-native apps (Amazon EC2, Amazon RDS), containers (Amazon EKS), and migrated workloads (Oracle, SQL). 

With Druva’s cloud-native SaaS platform, you can leave behind the cost and complexity of solutions that aren’t built for the cloud. You save time and money while getting comprehensive backup, recovery, DR, lifecycle management, and compliance for workloads on AWS that is secure, scalable, and always available.

Solution Overview

The Druva AWS Control Tower integration is purpose-built for enterprise users of AWS Cloud. Implementing this solution, you can automate the setup of your multi-account AWS environment with just a few clicks to simplify backup and disaster recovery management at an enterprise scale, utilizing native AWS services.

The solution is deployed using AWS CloudFormation templates and integrates with AWS Control Tower lifecycle events. When a new account is created or enrolled through the AWS Control Tower account factory, the resulting lifecycle event triggers an AWS Lambda function that launches an AWS CloudFormation StackSet instance in the new account. That StackSet instance creates the required IAM resources in the new account.

AWS Control Tower management account

The following resources are deployed in the management account:

  • AWS CloudFormation StackSet: used in the AWS Control Tower management account as a template for all StackSet instances to be deployed in the new accounts
  • AWS Control Tower lifecycle rule: used as a trigger to deploy the integration in new accounts upon creation
  • AWS Lambda onboarding function: used in case any existing accounts are selected for integration
  • AWS Lambda StackSet function: used to deploy a StackSet instance to the new account
  • Amazon SNS topic: used as a trigger from the onboarding to StackSet function
  • AWS Secrets Manager: used to store the values used to identify the Druva customer
  • AWS IAM third-party access role: allows Druva to perform actions in your AWS environment on your behalf, such as taking backups and managing servers
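
To make the event flow concrete, here is an added illustrative handler (not Druva’s or AWS’s code) for the role the "AWS Lambda StackSet function" plays above: it accepts the Control Tower CreateManagedAccount lifecycle event, acts only on SUCCEEDED events that carry a well-formed account ID, and creates a StackSet instance in the new account. The StackSet name and region are assumed placeholders, and boto3 is imported lazily so the event parsing can be exercised offline with an injected client.

```python
import re

# Assumed names (not from the page): the StackSet the management-account stack
# created, and the region in which each instance is deployed.
STACKSET_NAME = "DruvaIntegration-StackSet"  # placeholder
DEPLOY_REGION = "us-east-1"                   # placeholder
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def target_account_from_event(event):
    """Return the account ID from a Control Tower CreateManagedAccount lifecycle
    event (emitted when Account Factory creates or enrolls an account), or None
    if the event should be ignored. Only SUCCEEDED events are acted on: a FAILED
    event carries no account worth deploying into."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get(
        "createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = status.get("account", {}).get("accountId")
    # Validate before the value reaches an API call: an account ID is 12 digits.
    if not account_id or not ACCOUNT_ID_RE.match(account_id):
        return None
    return account_id


def deploy_stackset_instance(account_id, cfn_client=None):
    """Create one StackSet instance in the new account, the job of the page's
    'AWS Lambda StackSet function'. The client is injectable so the logic can
    be exercised without AWS credentials."""
    if cfn_client is None:
        import boto3  # imported lazily so the event parsing runs offline
        cfn_client = boto3.client("cloudformation")
    response = cfn_client.create_stack_instances(
        StackSetName=STACKSET_NAME, Accounts=[account_id], Regions=[DEPLOY_REGION])
    return response.get("OperationId")


def handler(event, context=None, cfn_client=None):
    """Lambda entry point: act only on a successful account creation."""
    account_id = target_account_from_event(event)
    if account_id is None:
        return {"action": "ignored"}
    op_id = deploy_stackset_instance(account_id, cfn_client)
    return {"action": "deployed", "account": account_id, "operation_id": op_id}
```

Whatever the production handler looks like, gating deployment on the event source and the SUCCEEDED state matters: the StackSet instance creates a third-party access role, so an unrelated or failed event should never result in one being provisioned.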
To integrate Druva with AWS Control Tower, you must have the following:

  • A fully deployed AWS Control Tower environment. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower 
  • Administrator privileges in the AWS Control Tower management account
  • A Druva account. If you don’t already have a Druva account, you can sign up for a free trial

Solution Walkthrough

Step 1: Get your Druva account details

  • Navigate to your Druva Console. On the top navigation bar, select Account. From the drop-down, select All AWS Account. Select Add New Account.
  • On the Add New Account panel, select the AWS Control Tower tab. From the AWS Control Tower panel, copy the following:
    • AWS CloudFormation Template Link
    • OrganizationKeyId
    • OrganizationToken

Step 2: Deploy the AWS CloudFormation template

  • Navigate to the AWS CloudFormation console in your management account. Select Create Stack and choose “With new resources (standard)”. On the Create Stack screen, under Amazon S3 URL, enter the CloudFormation template URL you copied in step 1.2. Select Next.
  • On the Specify Stack Details screen, provide the following values:
    • Stack name (Required)
    • LaunchAccountList (Optional): Comma-separated list of existing accounts
    • OrganizationKeyId (Required): Enter the value copied in Step 1.2
    • OrganizationToken (Required): Enter the value copied in Step 1.2
  • Select Next.

  • On the Configure stack options screen, keep the default values. Select Next.
  • On the review screen, select the checkbox stating I acknowledge that AWS CloudFormation might create IAM resources. Select Create stack. Wait for the stack creation to complete.

Step 3: Test your integration

Add a managed account in AWS Control Tower

  • Navigate to the AWS Control Tower console. On the left navigation panel, choose Account Factory.
  • Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit. Choose Enroll account.

It can take up to 30 minutes for the account to be created and the AWS Control Tower lifecycle event to trigger.

Navigate to your Druva Console. In the top navigation bar, select Account. From the drop-down, select All AWS Account. You will see the account ID of the newly created account, as well as the account IDs of the existing accounts that you provided while launching the stack.

Druva Multi-Account Dashboard

The Druva global dashboard, for simplified management across multiple AWS accounts, displays detailed information on the current status and historical trends of the latest backups and restores, policies, DR plans, and jobs within your organization.

Druva global dashboard screenshot

Druva’s global dashboard provides an enhanced organization-level view of the resource data protection across all connected AWS accounts.

Druva account-level dashboard screenshot

Additionally, the Account-level dashboard provides an at-a-glance view of the latest backup and restore status, policies and disaster recovery plans, and jobs within your selected AWS account.

Getting started

In this post, we’ve shown you how to automatically enroll new AWS Control Tower accounts with Druva, a data resiliency solution built for the enterprise. The Druva integration for AWS Control Tower allows you to automatically protect any existing accounts, as well as any future AWS accounts as soon as they’re created.

About the authors

Pranjal Gururani is a Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with family during his spare time.
David Gildea is a VP of Product at Druva, focused on Data Resiliency for Cloud Workloads. David has been working in Data Protection in the cloud for seven years after a career in IT management in the financial services sector. At Druva, he works closely with customers to understand their requirements and design the future of data resiliency. He enjoys traveling with his family to the coast, and hobbies include golf and surfing.
Steven Duff is the Principal Product Marketing Manager focusing on cloud workloads at Druva. Based out of Donegal, Ireland, he is responsible for developing highly differentiated and compelling positioning and messaging for Druva and its related data resiliency services. He leverages his 6 years of SaaS and cloud-native data protection experience to help enterprises understand the value of Druva’s products.