Encryption for backups in AWS Backup

Note

AWS Backup Audit Manager helps you automatically detect unencrypted backups.

You can configure encryption for resource types that support full AWS Backup management in using AWS Backup. If the resource type does not support full AWS Backup management, you must configure its backup encryption by following that service's instructions, such as Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide. To see the list of resource types that support full AWS Backup management, see the "Full AWS Backup management" section of the Feature availability by resource table.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported. When AWS Backup independently encrypts a backup, it uses the industry-standard AES-256 encryption algorithm.

Resource type	How to configure encryption	Independent AWS Backup encryption
Amazon Simple Storage Service (Amazon S3)	Amazon S3 backups are encrypted using a AWS KMS (AWS Key Management Service) key associated with the backup vault. The AWS KMS key can either be a customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. AWS Backup encrypts all backups even if the source Amazon S3 buckets are not encrypted.	Supported
VMware virtual machines	VM backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault in which the virtual machine backups are stored.	Supported
Amazon DynamoDB after enabling Advanced DynamoDB backup	DynamoDB backups are always encrypted. The AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that the DynamoDB backups are stored in.	Supported
Amazon DynamoDB without enabling Advanced DynamoDB backup	DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. Note In order for AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions `kms:Decrypt` and `kms:GenerateDataKey` to the IAM role used for backup. Alternately, you can use the AWS Backup default service role.	Not supported
Amazon Elastic File System (Amazon EFS)	Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.	Supported
Amazon Elastic Block Store (Amazon EBS)	By default, Amazon EBS backups are either encrypted using the key that was used to encrypt the source volume, or they are unencrypted. During restore, you can choose to override the default encryption method by specifying a KMS key.	Not supported
Amazon Elastic Compute Cloud (Amazon EC2) AMIs	AMIs are unencrypted. EBS snapshots are encrypted by the default encryption rules for EBS backups (see entry for EBS). EBS snapshots of data and root volumes can be encrypted and attached to an AMI.	Not supported
Amazon Relational Database Service (Amazon RDS)	Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. Note AWS Backup currently supports all Amazon RDS database engines, including Amazon Aurora.	Not supported
Amazon Aurora	Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted.	Not supported
AWS Storage Gateway	Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. Note You don't need to use a customer managed key across all services to enable Storage Gateway. You only need to copy the Storage Gateway backup to a vault that configured a KMS key. This is because Storage Gateway does not have a service-specific AWS KMS managed key.	Not supported
Amazon FSx	Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide.	Not supported
Amazon DocumentDB	Amazon DocumentDB cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon DocumentDB cluster. Snapshots of unencrypted Amazon DocumentDB clusters are also unencrypted.	Not supported
Amazon Neptune	Neptune cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Neptune cluster. Snapshots of unencrypted Neptune clusters are also unencrypted.	Not supported
Amazon Timestream	Timestream table snapshot backups are always encrypted. The AWS KMS encryption key for Timestream backups is configured in the backup vault in which the Timestream backups are stored.	Supported
Amazon Redshift	Amazon Redshift clusters are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Redshift cluster. Snapshots of unencrypted Amazon Redshift clusters are also unencrypted.	Not supported
AWS CloudFormation	CloudFormation backups are always encrypted. The CloudFormation encryption key for CloudFormation backups is configured in the CloudFormation vault in which the CloudFormation backups are stored.	Supported
SAP HANA databases on Amazon EC2 instances	SAP HANA database backups are always encrypted. The AWS KMS encryption key for SAP HANA database backups is configured in the AWS Backup vault in which the database backups are stored.	Supported

Encryption for backup copies

When you use AWS Backup to copy your backups across accounts or Regions, AWS Backup automatically encrypts those copies for most resource types, even if the original backup is unencrypted. AWS Backup encrypts your copy using the target vault's KMS key. However, snapshots of unencrypted Aurora, Amazon DocumentDB, and Neptune clusters are also unencrypted.

Encryption and backup copies

Cross-account copy with AWS managed KMS keys isn't supported for resources that aren't fully managed by AWS Backup. Refer to Full AWS Backup management to determine which resources are fully managed.

For the resources that are fully managed by AWS Backup, the backups are encrypted with the encryption key of the backup vault. For the resources that aren't fully managed by AWS Backup, cross-account copies use the same KMS key as the source resource. For more information, see Encryption keys and cross-account copies

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data protection

Virtual machine hypervisor credential encryption