Encryption for Backups in AWS

All backups in AWS are encrypted using AWS KMS managed keys (SSE-KMS). The way to configure encryption differs depending on the resource type. Certain resource types support the ability encrypt your backups with a separate encryption key from the key used to encrypt the source resource. This capability adds another layer of protection for your backups.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported.

Resource Type	How to Configure Encryption	Independent Backup Encryption
Amazon Elastic Block Store (Amazon EBS)	Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted EBS volumes are also unencrypted.	Not supported
Amazon Relational Database Service (Amazon RDS)	Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. Note AWS Backup currently supports all Amazon RDS database engines except Amazon Aurora.	Not supported
Amazon Elastic File System (Amazon EFS)	Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.	Supported
Amazon DynamoDB	DynamoDB backups are always encrypted. DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted.	Not supported
AWS Storage Gateway	AWS Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source AWS Storage Gateway volume. Snapshots of unencrypted AWS Storage Gateway volumes are also unencrypted.	Not supported

To learn more about backup encryption for each of the services that AWS Backup supports, see the following links:

Encrypting Your Data Using AWS Key Management Service in the AWS Storage Gateway User Guide.
Encrypting Amazon RDS Resources in the Amazon RDS User Guide
Amazon DynamoDB Encryption at Rest in the Amazon DynamoDB Developer Guide

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »