Encryption for backup copies Least Privilege

Encryption for backups in AWS

The way to configure encryption differs depending on the resource type. Certain resource types support the ability to encrypt your backups using a separate encryption key from the key used to encrypt the source resource. This capability adds another layer of protection for your backups.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported.

Resource Type	How to Configure Encryption	Independent Backup Encryption
Amazon Elastic File System (Amazon EFS)	Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.	Supported
Amazon Elastic Block Store (Amazon EBS)	Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted EBS volumes are also unencrypted.	Not supported
Amazon Elastic Compute Cloud (Amazon EC2) AMIs	Amazon EC2 AMIs backed by Amazon EBS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source EBS volume. Snapshots of unencrypted AMIs are also unencrypted.	Not supported
Amazon Relational Database Service (Amazon RDS)	Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. Note AWS Backup currently supports all Amazon RDS database engines, including Amazon Aurora.	Not supported
Amazon Aurora	Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted.	Not supported
Amazon DynamoDB	DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. Note In order for AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions `kms:Decrypt` and `kms:GenerateDataKey` to the IAM role used for backup. Alternately, you can use the AWS Backup default service role.	Not supported
AWS Storage Gateway	AWS Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source AWS Storage Gateway volume. Snapshots of unencrypted AWS Storage Gateway volumes are also unencrypted. Note You don't need to use a customer managed key across all services to enable AWS Storage Gateway. You only need to copy the Storage Gateway backup to a vault that configured a KMS key. This is because Storage Gateway does not have a service-specific AWS KMS managed key.	Not supported
Amazon FSx	Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide.	Not supported

Encryption for backup copies

AWS Backup encrypts backup copies by default whenever possible, even if the original backup is unencrypted.

You have two options for encrypting backup copies:

Use the default AWS KMS key for the destination backup vault. The default key is different for each service and is managed by AWS.
Designate a customer managed key via the destination vault. This is the only supported option for AWS Storage Gateway backups.

Least privilege

The following sample policy illustrates the least amount of privilege in a KMS key policy to copy an encrypted Amazon RDS snapshot from AWS GovCloud (US-East) to AWS GovCloud (US-East).


{
  "Sid":"Allow use of the key - added",
  "Effect":"Allow",
  "Principal":{
    "AWS":"arn:aws-us-gov:iam::112233445566:root"
  },
  "Action":[
    "kms:CreateGrant",
    "kms:DescribeKey"
  ],
  "Resource":"*",
  "Condition":{
    "StringLike":{
      "kms:ViaService":[
        "rds.us-gov-west-1.amazonaws.com",
        "backup.us-gov-west-1.amazonaws.com"
      ],
      "kms:CallerAccount":"998877665544"
    }
  }
}

For more information about AWS KMS, see What is AWS KMS ?

To learn more about backup encryption for each of the services that AWS Backup supports, see the following topics:

Encrypting Your Data Using AWS Key Management Service in the AWS Storage Gateway User Guide.
Encrypting Amazon RDS Resources in the Amazon RDS User Guide

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data Protection

Identity and access management