Encryption for Backups in AWS - AWS Backup

All backups in AWS are encrypted using AWS KMS managed keys (SSE-KMS). The way to configure encryption differs depending on the resource type. Certain resource types support the ability to encrypt your backups using a separate encryption key from the key used to encrypt the source resource. This capability adds another layer of protection for your backups.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported.

Resource type: Amazon Elastic Block Store (Amazon EBS)
  How to configure encryption: Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted EBS volumes are also unencrypted.
  Independent backup encryption: Not supported

Resource type: Amazon Relational Database Service (Amazon RDS)
  How to configure encryption: Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted.
  Note: AWS Backup currently supports all Amazon RDS database engines except Amazon Aurora.
  Independent backup encryption: Not supported

Resource type: Amazon Elastic File System (Amazon EFS)
  How to configure encryption: Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.
  Independent backup encryption: Supported

Resource type: Amazon DynamoDB
  How to configure encryption: DynamoDB backups are always encrypted. DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted.
  Independent backup encryption: Not supported

Resource type: AWS Storage Gateway
  How to configure encryption: AWS Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source AWS Storage Gateway volume. Snapshots of unencrypted AWS Storage Gateway volumes are also unencrypted.
  Note: You don't need to use a customer master key (CMK) across all services to enable AWS Storage Gateway. You only need to copy the Storage Gateway backup to a vault that is configured with a CMK. This is because Storage Gateway does not have a service-specific AWS KMS managed key.
  Independent backup encryption: Not supported

Encryption for Backup Copies

AWS Backup encrypts backup copies by default whenever possible, even if the original backup is unencrypted.

You have two options for encrypting backup copies:

  • Use the default AWS managed CMK for the destination backup vault. The default key is different for each service and is managed by AWS.

  • Designate a customer managed CMK across all services to be used by the copy job. This is the only supported option for AWS Storage Gateway backups.
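The following script is an added example written for this page; it is not part of the AWS documentation or of any AWS SDK. It applies the rules in the table above to the recovery points of one vault: it flags unencrypted backups (which, per the table, arise from unencrypted EBS, RDS, DynamoDB or Storage Gateway sources), reports backups that inherit the source key rather than the vault key, and checks that EFS backups use the key configured on the vault. For the unencrypted ones it then builds the parameters of a copy job into a destination vault configured with a customer managed CMK, which is the option the copy section describes. Assumed, not stated on the page: the record field names follow the AWS Backup API responses for DescribeBackupVault (EncryptionKeyArn) and ListRecoveryPointsByBackupVault (ResourceType, IsEncrypted, EncryptionKeyArn), the resource type strings are the API values "EBS", "RDS", "EFS", "DynamoDB" and "Storage Gateway", and the boto3 calls in audit_vault_live are the standard client methods; all ARNs and sample records are constructed.

```python
"""Audit AWS Backup recovery points against the encryption rules on this page.

Added example, not AWS code. Field names and ResourceType values are assumed
to follow the AWS Backup API (DescribeBackupVault, ListRecoveryPointsByBackupVault).
"""
from dataclasses import dataclass

# From the table: does the resource type take the vault's key (True) or
# inherit the source resource's key (False)?
INDEPENDENT_ENCRYPTION = {
    "EBS": False,
    "RDS": False,
    "EFS": True,
    "DynamoDB": False,
    "Storage Gateway": False,
}


@dataclass
class Finding:
    recovery_point_arn: str
    resource_type: str
    severity: str  # "high" (unencrypted), "medium" (wrong vault key), "info"
    reason: str


def audit_recovery_points(vault_key_arn, recovery_points):
    """Classify each recovery point record; returns a list of Finding."""
    findings = []
    for rp in recovery_points:
        arn = rp["RecoveryPointArn"]
        rtype = rp.get("ResourceType", "unknown")
        key = rp.get("EncryptionKeyArn")
        independent = INDEPENDENT_ENCRYPTION.get(rtype)
        if not rp.get("IsEncrypted", False):
            findings.append(Finding(arn, rtype, "high",
                "unencrypted recovery point (source resource was unencrypted)"))
        elif independent is None:
            findings.append(Finding(arn, rtype, "info",
                f"resource type {rtype} is not in the table; verify manually"))
        elif independent and key != vault_key_arn:
            findings.append(Finding(arn, rtype, "medium",
                f"{rtype} backup should use vault key {vault_key_arn} but uses {key}"))
        elif not independent and key != vault_key_arn:
            findings.append(Finding(arn, rtype, "info",
                f"{rtype} backup inherits source key {key}; independent backup encryption not supported"))
    return findings


def plan_copy_jobs(findings, source_vault_name, dest_vault_arn, iam_role_arn):
    """Build StartCopyJob kwargs for every unencrypted recovery point.

    Copying into a vault configured with a customer managed CMK is how the page
    says an unencrypted backup gets an encrypted copy.
    """
    return [
        {
            "RecoveryPointArn": f.recovery_point_arn,
            "SourceBackupVaultName": source_vault_name,
            "DestinationBackupVaultArn": dest_vault_arn,
            "IamRoleArn": iam_role_arn,
        }
        for f in findings
        if f.severity == "high"
    ]


def audit_vault_live(vault_name, region_name=None):
    """Fetch a real vault's key and recovery points with boto3 (assumed API), then audit."""
    import boto3  # imported lazily; needs credentials and network access
    client = boto3.client("backup", region_name=region_name)
    vault_key = client.describe_backup_vault(BackupVaultName=vault_name)["EncryptionKeyArn"]
    points = []
    paginator = client.get_paginator("list_recovery_points_by_backup_vault")
    for page in paginator.paginate(BackupVaultName=vault_name):
        points.extend(page["RecoveryPoints"])
    return audit_recovery_points(vault_key, points)


# Constructed sample data shaped like the API responses (not real resources).
SAMPLE_VAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-vault-key"
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0aaa",
     "ResourceType": "EBS", "IsEncrypted": False},
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0bbb",
     "ResourceType": "EBS", "IsEncrypted": True,
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-volume-key"},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:efs-1",
     "ResourceType": "EFS", "IsEncrypted": True, "EncryptionKeyArn": SAMPLE_VAULT_KEY},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:efs-2",
     "ResourceType": "EFS", "IsEncrypted": True,
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-other-key"},
    {"RecoveryPointArn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders/backup/01",
     "ResourceType": "DynamoDB", "IsEncrypted": True, "EncryptionKeyArn": SAMPLE_VAULT_KEY},
]

if __name__ == "__main__":
    found = audit_recovery_points(SAMPLE_VAULT_KEY, SAMPLE_RECOVERY_POINTS)
    for f in found:
        print(f"[{f.severity}] {f.resource_type} {f.recovery_point_arn}: {f.reason}")
    for job in plan_copy_jobs(found, "source-vault",
                              "arn:aws:backup:us-east-1:111122223333:backup-vault:cmk-vault",
                              "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"):
        print("would call start_copy_job with", job)
```

On the sample data the audit reports the unencrypted EBS snapshot as high, the EBS snapshot keyed with its volume's key as informational (expected, since EBS does not support independent backup encryption), and the EFS backup not using the vault key as medium; only the unencrypted snapshot gets a planned copy job. The same severity scale works unchanged on a live vault through audit_vault_live.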

For more information about AWS KMS, see What is AWS Key Management Service?

To learn more about backup encryption for each of the services that AWS Backup supports, see the following topics: