Encryption for backups in AWS
How backup encryption is configured depends on the resource type. Some resource types let you encrypt backups with an AWS KMS key that is separate from the key used to encrypt the source resource (the key configured on the backup vault). This adds another layer of protection: the backup key can have its own key policy, and loss or compromise of the source key does not also expose or destroy the backups.
The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported.
Resource Type | How to Configure Encryption | Independent Backup Encryption |
---|---|---|
Amazon Elastic File System (Amazon EFS) | Amazon EFS backups are always encrypted. The AWS KMS key used for Amazon EFS backups is the one configured on the AWS Backup vault that stores them. | Supported |
Amazon Elastic Block Store (Amazon EBS) | Amazon EBS snapshots are automatically encrypted with the same KMS key that encrypts the source EBS volume. Snapshots of unencrypted EBS volumes are also unencrypted. | Not supported |
Amazon Elastic Compute Cloud (Amazon EC2) AMIs | Amazon EC2 AMIs are backed by Amazon EBS snapshots, which are automatically encrypted with the same KMS key that encrypts the source EBS volume. Snapshots of the unencrypted volumes behind an AMI are also unencrypted. | Not supported |
Amazon Relational Database Service (Amazon RDS) | Amazon RDS snapshots are automatically encrypted with the same KMS key that encrypts the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. AWS Backup currently supports all Amazon RDS database engines, including Amazon Aurora. | Not supported |
Amazon Aurora | Aurora cluster snapshots are automatically encrypted with the same KMS key that encrypts the source Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted. | Not supported |
Amazon DynamoDB | DynamoDB backups are automatically encrypted with the same KMS key that encrypts the source DynamoDB table. Backups of unencrypted DynamoDB tables are also unencrypted. For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions | Not supported |
AWS Storage Gateway | AWS Storage Gateway snapshots are automatically encrypted with the same KMS key that encrypts the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. Storage Gateway has no service-specific AWS managed KMS key, so you do not need a customer managed key across all services to encrypt its backups: copy the Storage Gateway backup to a vault that has a KMS key configured, and the copy is encrypted with that vault's key. | Not supported |
Amazon FSx | Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide. | Not supported |
Encryption for backup copies
AWS Backup encrypts backup copies by default whenever possible, even if the original backup is unencrypted.
You have two options for encrypting backup copies:
- Use the default AWS KMS key for the destination backup vault. The default key is different for each service and is managed by AWS.
- Designate a customer managed key via the destination vault. This is the only supported option for AWS Storage Gateway backups.
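The second option, copying into a vault keyed to a customer managed key, as an added example (this is not code from the AWS documentation). It uses the boto3 `backup` client calls create_backup_vault, describe_backup_vault and start_copy_job; the vault name, key ARN, role ARN and recovery point ARN are placeholders, and `_FakeBackupClient` is a constructed stand-in so the flow runs offline. The describe_backup_vault check is the point of the example: a vault created without EncryptionKeyArn is keyed to the AWS managed key, and a vault's key cannot be changed afterwards, so the code verifies the bound key before it starts the copy.

```python
"""Copy a recovery point into an AWS Backup vault keyed to a customer managed
KMS key (CMK), so the copy is encrypted under that key.

Added example, not code from the AWS documentation. The ARNs and names are
placeholders; _FakeBackupClient is a constructed stand-in for
boto3.client("backup") so the flow can be exercised offline.
"""

import uuid

# Placeholder CMK in the destination account/Region (assumption).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


class VaultKeyMismatch(Exception):
    """The destination vault is not keyed to the CMK we intended to use."""


def ensure_cmk_vault(backup, vault_name, kms_key_arn):
    """Create `vault_name` keyed to `kms_key_arn`, or reuse it if it exists,
    and return its ARN. A vault created without EncryptionKeyArn silently gets
    the AWS managed key, so the key actually bound to the vault is verified."""
    try:
        backup.create_backup_vault(
            BackupVaultName=vault_name,
            EncryptionKeyArn=kms_key_arn,
            CreatorRequestId=str(uuid.uuid4()),
        )
    except backup.exceptions.AlreadyExistsException:
        pass  # existing vault: verify its key below rather than trust the name
    vault = backup.describe_backup_vault(BackupVaultName=vault_name)
    bound = vault.get("EncryptionKeyArn")
    if bound != kms_key_arn:
        raise VaultKeyMismatch(f"{vault_name} is keyed to {bound}, expected {kms_key_arn}")
    return vault["BackupVaultArn"]


def copy_to_cmk_vault(backup, recovery_point_arn, source_vault_name,
                      dest_vault_arn, iam_role_arn):
    """Start a copy job into the CMK-keyed vault and return its CopyJobId."""
    resp = backup.start_copy_job(
        RecoveryPointArn=recovery_point_arn,
        SourceBackupVaultName=source_vault_name,
        DestinationBackupVaultArn=dest_vault_arn,
        IamRoleArn=iam_role_arn,
        IdempotencyToken=str(uuid.uuid4()),
    )
    return resp["CopyJobId"]


# --- constructed offline stand-in for boto3.client("backup") -----------------
class _AlreadyExists(Exception):
    pass


class _FakeBackupClient:
    """Minimal fake: one pre-existing 'Default' vault on the AWS managed key."""

    class exceptions:  # mirrors the boto3 client.exceptions namespace
        AlreadyExistsException = _AlreadyExists

    def __init__(self):
        self.vaults = {"Default": "arn:aws:kms:us-east-1:111122223333:key/aws-managed"}
        self.copy_jobs = []

    def create_backup_vault(self, BackupVaultName, EncryptionKeyArn=None, **_):
        if BackupVaultName in self.vaults:
            raise _AlreadyExists(BackupVaultName)
        # Like the real service: no key given means the AWS managed key.
        self.vaults[BackupVaultName] = EncryptionKeyArn or self.vaults["Default"]

    def describe_backup_vault(self, BackupVaultName):
        return {"BackupVaultArn": "arn:aws:backup:us-east-1:111122223333:backup-vault:" + BackupVaultName,
                "EncryptionKeyArn": self.vaults[BackupVaultName]}

    def start_copy_job(self, **kwargs):
        self.copy_jobs.append(kwargs)
        return {"CopyJobId": f"copy-{len(self.copy_jobs)}"}


def demo(backup=None):
    """Run the flow; returns (destination vault ARN, copy job id)."""
    backup = backup or _FakeBackupClient()
    dest = ensure_cmk_vault(backup, "cmk-vault", CMK_ARN)
    job = copy_to_cmk_vault(backup, "arn:aws:backup:us-east-1:111122223333:recovery-point:example",
                            "Default", dest, "arn:aws:iam::111122223333:role/AWSBackupDefaultServiceRole")
    return dest, job


def default_vault_rejected(backup=None):
    """True if a vault keyed to some other key is refused as the destination."""
    backup = backup or _FakeBackupClient()
    try:
        ensure_cmk_vault(backup, "Default", CMK_ARN)
    except VaultKeyMismatch:
        return True
    return False


if __name__ == "__main__":
    print(demo(), default_vault_rejected())
```

Against a real account, pass `boto3.client("backup")` as `backup`; the role named in `IamRoleArn` must also be allowed to use the CMK, which is what the key-policy statement in the next section is about.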
Least privilege
The following sample statement (the Sid marks it as one added to an existing key policy) illustrates the least privilege a KMS key policy needs for AWS Backup to copy an encrypted Amazon RDS snapshot in AWS GovCloud (US). Only two actions are granted, kms:CreateGrant and kms:DescribeKey; the kms:ViaService condition restricts use of the key to requests made through the Amazon RDS and AWS Backup endpoints of the Region where the copy runs (us-gov-west-1 in this sample), and kms:CallerAccount restricts it to a single account. Note that kms:CallerAccount is the account of the calling principal, so for the statement to match it must name the same account as the Principal; treat both IDs in the sample as placeholders and set them to the account that performs the copy.
```json
{
  "Sid": "Allow use of the key - added",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws-us-gov:iam::112233445566:root"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "rds.us-gov-west-1.amazonaws.com",
        "backup.us-gov-west-1.amazonaws.com"
      ],
      "kms:CallerAccount": "998877665544"
    }
  }
}
```
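A check that a key-policy statement keeps the least-privilege shape shown above, as an added example (not code from the AWS documentation). `SAMPLE_STATEMENT` is the statement from this page; the audit rules, the expected service list, the `with_caller_account` fix-up and the account IDs are assumptions made here for illustration. Run on the sample as printed, the audit reports exactly one finding: the kms:CallerAccount value does not match the Principal's account, so the statement as written can never match a request.

```python
"""Audit a KMS key-policy statement that lets AWS Backup and Amazon RDS use a
key to copy an encrypted RDS snapshot, against the least-privilege shape of
the sample: two actions, one account root principal, service endpoints in one
Region, and a kms:CallerAccount that agrees with the principal.

Added example, not code from the AWS documentation. SAMPLE_STATEMENT is the
page's statement; the rules and placeholder account IDs are assumptions."""

import copy
import json
import re

SAMPLE_STATEMENT = json.loads("""
{
  "Sid": "Allow use of the key - added",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws-us-gov:iam::112233445566:root" },
  "Action": [ "kms:CreateGrant", "kms:DescribeKey" ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "rds.us-gov-west-1.amazonaws.com",
        "backup.us-gov-west-1.amazonaws.com"
      ],
      "kms:CallerAccount": "998877665544"
    }
  }
}
""")

ALLOWED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey"}   # all the copy needs
EXPECTED_SERVICES = {"rds", "backup"}                        # who may reach the key
_VIA_RE = re.compile(r"^([a-z0-9-]+)\.([a-z0-9-]+)\.amazonaws\.com$")
_ROOT_RE = re.compile(r"^arn:([^:]+):iam::(\d{12}):root$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(stmt, key):
    """Values for a condition key across the StringEquals/StringLike operators."""
    found = []
    for op in ("StringEquals", "StringLike"):
        found += _as_list(stmt.get("Condition", {}).get(op, {}).get(key, []))
    return found


def audit_statement(stmt, region, partition="aws"):
    """Return a list of findings; empty means the statement matches the
    least-privilege shape for a copy performed in `region` of `partition`."""
    findings = []
    if stmt.get("Effect") != "Allow":
        findings.append("Effect is not Allow")
    extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
    if extra:
        findings.append(f"actions beyond CreateGrant/DescribeKey: {sorted(extra)}")

    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    accounts = set()
    for p in principals:
        m = _ROOT_RE.match(p)
        if p == "*":
            findings.append("wildcard principal")
        elif not m or m.group(1) != partition:
            findings.append(f"principal is not an account root in partition {partition}: {p}")
        else:
            accounts.add(m.group(2))

    via = _condition_values(stmt, "kms:ViaService")
    if not via:
        findings.append("no kms:ViaService condition: key usable directly, not only via RDS/Backup")
    for entry in via:
        m = _VIA_RE.match(entry)
        if not m or m.group(1) not in EXPECTED_SERVICES or m.group(2) != region:
            findings.append(f"unexpected kms:ViaService endpoint for {region}: {entry}")

    callers = _condition_values(stmt, "kms:CallerAccount")
    if not callers:
        findings.append("no kms:CallerAccount condition")
    for caller in callers:
        # kms:CallerAccount is the calling principal's account, so a value that
        # differs from the Principal's own account can never be satisfied.
        if accounts and caller not in accounts:
            findings.append(f"kms:CallerAccount {caller} differs from principal account(s) "
                            f"{sorted(accounts)}: the statement can never match")
    return findings


def with_caller_account(stmt, account_id):
    """Copy of `stmt` with kms:CallerAccount set to `account_id`."""
    fixed = copy.deepcopy(stmt)
    for op in ("StringEquals", "StringLike"):
        block = fixed.get("Condition", {}).get(op, {})
        if "kms:CallerAccount" in block:
            block["kms:CallerAccount"] = account_id
    return fixed


if __name__ == "__main__":
    for f in audit_statement(SAMPLE_STATEMENT, "us-gov-west-1", "aws-us-gov"):
        print("finding:", f)
    print("fixed:", audit_statement(with_caller_account(SAMPLE_STATEMENT, "112233445566"),
                                    "us-gov-west-1", "aws-us-gov"))
```

Running the audit with a different Region argument flags both kms:ViaService entries, which is the intended way to catch a statement copied between Regions without its endpoints being updated.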
For more information about AWS KMS, see What is AWS KMS?
To learn more about backup encryption for each of the services that AWS Backup supports, see the following topics:
- Encrypting Your Data Using AWS Key Management Service in the AWS Storage Gateway User Guide.
- Encrypting Amazon RDS Resources in the Amazon RDS User Guide.