Encryption for backups in AWS - AWS Backup

The way to configure encryption differs depending on the resource type. Certain resource types support the ability to encrypt your backups using a separate encryption key from the key used to encrypt the source resource. This capability adds another layer of protection for your backups.

The following list gives, for each supported resource type, how encryption is configured for its backups and whether independent backup encryption (a backup key separate from the source resource's key) is supported.

Amazon Elastic File System (Amazon EFS)
How to configure encryption: Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.
Independent backup encryption: Supported

Amazon Elastic Block Store (Amazon EBS)
How to configure encryption: Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted EBS volumes are also unencrypted.
Independent backup encryption: Not supported

Amazon Elastic Compute Cloud (Amazon EC2) AMIs
How to configure encryption: Amazon EC2 AMIs backed by Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted AMIs are also unencrypted.
Independent backup encryption: Not supported

Amazon Relational Database Service (Amazon RDS)
How to configure encryption: Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted.
Note
AWS Backup currently supports all Amazon RDS database engines, including Amazon Aurora.
Independent backup encryption: Not supported

Amazon Aurora
How to configure encryption: Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted.
Independent backup encryption: Not supported

Amazon DynamoDB
How to configure encryption: DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Backups of unencrypted DynamoDB tables are also unencrypted.
Note
For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup. Alternatively, you can use the AWS Backup default service role, which already has them.
Independent backup encryption: Not supported

AWS Storage Gateway
How to configure encryption: AWS Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source AWS Storage Gateway volume. Snapshots of unencrypted AWS Storage Gateway volumes are also unencrypted.
Note
You don't need to use a customer managed key across all services to back up AWS Storage Gateway; you only need to copy the Storage Gateway backup to a vault that has a customer managed KMS key configured. This is because Storage Gateway does not have a service-specific AWS managed KMS key.
Independent backup encryption: Not supported

Amazon FSx
How to configure encryption: Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide.
Independent backup encryption: Not supported

Encryption for backup copies

AWS Backup encrypts backup copies by default whenever possible, even if the original backup is unencrypted.

You have two options for encrypting backup copies:

  1. Use the default AWS KMS key for the destination backup vault. The default key is different for each service and is managed by AWS.

  2. Designate a customer managed key via the destination vault. This is the only supported option for AWS Storage Gateway backups.

Least privilege

The following sample policy statement illustrates the least privilege a KMS key policy needs to copy an encrypted Amazon RDS snapshot from AWS GovCloud (US-East) to AWS GovCloud (US-West). The key belongs to the destination vault, so the kms:ViaService condition names the Amazon RDS and AWS Backup endpoints of the destination Region, us-gov-west-1, and the statement grants only kms:CreateGrant and kms:DescribeKey; the cryptographic operations run under the grant the service creates for itself.

{
  "Sid": "Allow use of the key - added",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws-us-gov:iam::112233445566:root"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "rds.us-gov-west-1.amazonaws.com",
        "backup.us-gov-west-1.amazonaws.com"
      ],
      "kms:CallerAccount": "998877665544"
    }
  }
}
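As an added example (not from the AWS documentation or AWS Backup itself), the following Python script serves both the customer managed key option under "Encryption for backup copies" and the least privilege statement above. It builds the statement with the account IDs and Region as parameters, wraps it in a complete key policy for the destination vault's customer managed key, and evaluates sample requests against it the way KMS evaluates a StringLike condition. The key-administration statement in the wrapper is the standard KMS default and an assumption here, not from this page. The demo uses one constructed account ID, 123456789012, for both the Principal and kms:CallerAccount: when you fill in real values the two must name the same account, because KMS evaluates kms:CallerAccount against the account of the principal that makes the call and the Principal element already names that account. The evaluator models a single Allow statement only (no Deny statements, no IAM policy interaction), which is enough to show what the statement admits: kms:CreateGrant and kms:DescribeKey through the RDS or Backup endpoints of the one Region, and nothing else.

```python
"""Build and evaluate the least-privilege KMS key-policy statement for a
cross-Region backup copy. Added example, not AWS Backup code."""
import fnmatch
import json
from dataclasses import dataclass
from typing import Optional


def least_privilege_statement(key_user_account, caller_account, region,
                              partition="aws-us-gov"):
    """The 'Allow use of the key - added' statement, parameterised."""
    return {
        "Sid": "Allow use of the key - added",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{key_user_account}:root"},
        "Action": ["kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:ViaService": [
                    f"rds.{region}.amazonaws.com",
                    f"backup.{region}.amazonaws.com",
                ],
                "kms:CallerAccount": caller_account,
            }
        },
    }


def destination_key_policy(key_owner_account, use_statement,
                           partition="aws-us-gov"):
    """Complete key policy for the destination vault's customer managed key.
    ASSUMPTION (standard KMS default, not from the page): the first statement
    keeps the key administrable by its owning account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM policies in the key-owning account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{key_owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            use_statement,
        ],
    }


@dataclass
class KmsRequest:
    """What KMS sees when it evaluates the key policy for one API call."""
    principal_account: str        # account of the IAM principal behind the call
    action: str                   # e.g. "kms:CreateGrant"
    via_service: Optional[str]    # endpoint of the service calling on the
                                  # principal's behalf; None for a direct call


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(patterns, value):
    # StringLike: case-sensitive match, * and ? are wildcards. A condition key
    # that is absent from the request context never matches.
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_allows(stmt, req):
    """True if this single Allow statement matches the request.
    kms:CallerAccount is taken from the calling principal's account, so it can
    only match when it agrees with the Principal element."""
    if stmt["Effect"] != "Allow":
        return False
    # An account root ARN as Principal covers every principal in that account.
    accounts = {arn.split(":")[4] for arn in _as_list(stmt["Principal"]["AWS"])}
    if req.principal_account not in accounts:
        return False
    if req.action not in _as_list(stmt["Action"]):
        return False
    context = {"kms:ViaService": req.via_service,
               "kms:CallerAccount": req.principal_account}
    conditions = stmt.get("Condition", {}).get("StringLike", {})
    return all(_string_like(pat, context.get(key)) for key, pat in conditions.items())


# Constructed demo values: one made-up account plays both roles.
DEMO_ACCOUNT = "123456789012"
DEMO_STATEMENT = least_privilege_statement(DEMO_ACCOUNT, DEMO_ACCOUNT, "us-gov-west-1")

if __name__ == "__main__":
    print(json.dumps(destination_key_policy(DEMO_ACCOUNT, DEMO_STATEMENT), indent=2))
    for req in (
        KmsRequest(DEMO_ACCOUNT, "kms:CreateGrant", "backup.us-gov-west-1.amazonaws.com"),
        KmsRequest(DEMO_ACCOUNT, "kms:Decrypt", "backup.us-gov-west-1.amazonaws.com"),
        KmsRequest(DEMO_ACCOUNT, "kms:CreateGrant", None),
        KmsRequest(DEMO_ACCOUNT, "kms:CreateGrant", "rds.us-gov-east-1.amazonaws.com"),
        KmsRequest("999999999999", "kms:CreateGrant", "rds.us-gov-west-1.amazonaws.com"),
    ):
        print(req, "->", "allowed" if statement_allows(DEMO_STATEMENT, req) else "denied")
```

Running it prints the full policy document and a verdict for each sample request: only the CreateGrant and DescribeKey calls arriving through the Region's RDS or Backup endpoints from the named account are allowed; a direct call, a call through another Region's endpoint, a call from another account, or a request for kms:Decrypt is denied. Substituting the page's two distinct placeholder IDs into least_privilege_statement yields a statement that admits no request at all, which is the check worth running before you attach a policy to a production key.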

For more information about AWS KMS, see What is AWS KMS?

To learn more about backup encryption for each of the services that AWS Backup supports, see the following topics: