Independent encryption Copy encryption Permissions, grants, and deny statements

Encryption for backups in AWS Backup

Independent encryption

AWS Backup offers independent encryption for resource types that support full AWS Backup management. Independent encryption means that recovery points (backups) you create through AWS Backup can have an encryption method other than one determined by the source resource's encryption. For example, your backup of an Amazon S3 bucket can have a different encryption method than the source bucket you encrypted with Amazon S3 encryption. This encryption is controlled through the AWS KMS key configuration in the backup vault where your backup in stored.

Backups of resource types that are not fully managed by AWS Backup typically inherit the encryption settings from their source resource. You can configure these encryption settings according to that service's instructions, such as Amazon EBS encryption in the Amazon EBS User Guide.

Your IAM role must have access to the KMS key being used to back up and restore the object. Otherwise the job is successful but the objects are not backed up or restored. The permissions in IAM policy and KMS key policy must be consistent. For more information, see Specifying KMS keys in IAM policy statements in the AWS Key Management Service Developer Guide.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported. When AWS Backup independently encrypts a backup, it uses the industry-standard AES-256 encryption algorithm. For more information about encryption in AWS Backup, see cross-Region and cross-account backup.

Resource type	How to configure encryption	Independent AWS Backup encryption
Amazon Simple Storage Service (Amazon S3)	Amazon S3 backups are encrypted using a AWS KMS (AWS Key Management Service) key associated with the backup vault. The AWS KMS key can either be a customer-managed key or an AWS-managed key associated with the AWS Backup service. AWS Backup encrypts all backups even if the source Amazon S3 buckets are not encrypted.	Supported
VMware virtual machines	VM backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault in which the virtual machine backups are stored.	Supported
Amazon DynamoDB after enabling Advanced DynamoDB backup	DynamoDB backups are always encrypted. The AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that the DynamoDB backups are stored in.	Supported
Amazon DynamoDB without enabling Advanced DynamoDB backup	DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. In order for AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions `kms:Decrypt` and `kms:GenerateDataKey` to the IAM role used for backup. Alternately, you can use the AWS Backup default service role.	Not supported
Amazon Elastic File System (Amazon EFS)	Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.	Supported
Amazon Elastic Block Store (Amazon EBS)	By default, Amazon EBS backups are either encrypted using the key that was used to encrypt the source volume, or they are unencrypted. During restore, you can choose to override the default encryption method by specifying a KMS key.	Not supported
Amazon Elastic Compute Cloud (Amazon EC2) AMIs	AMIs are unencrypted. EBS snapshots are encrypted by the default encryption rules for EBS backups (see entry for EBS). EBS snapshots of data and root volumes can be encrypted and attached to an AMI.	Not supported
Amazon Relational Database Service (Amazon RDS)	Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted.	Not supported
Amazon Aurora	Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted.	Not supported
AWS Storage Gateway	Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. You don't need to use a customer managed key across all services to enable Storage Gateway. You only need to copy the Storage Gateway backup to a vault that configured a KMS key. This is because Storage Gateway does not have a service-specific AWS KMS managed key.	Not supported
Amazon FSx	Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide.	Not supported
Amazon DocumentDB	Amazon DocumentDB cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon DocumentDB cluster. Snapshots of unencrypted Amazon DocumentDB clusters are also unencrypted.	Not supported
Amazon Neptune	Neptune cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Neptune cluster. Snapshots of unencrypted Neptune clusters are also unencrypted.	Not supported
Amazon Timestream	Timestream table snapshot backups are always encrypted. The AWS KMS encryption key for Timestream backups is configured in the backup vault in which the Timestream backups are stored.	Supported
Amazon Redshift	Amazon Redshift clusters are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Redshift cluster. Snapshots of unencrypted Amazon Redshift clusters are also unencrypted.	Not supported
AWS CloudFormation	CloudFormation backups are always encrypted. The CloudFormation encryption key for CloudFormation backups is configured in the CloudFormation vault in which the CloudFormation backups are stored.	Supported
SAP HANA databases on Amazon EC2 instances	SAP HANA database backups are always encrypted. The AWS KMS encryption key for SAP HANA database backups is configured in the AWS Backup vault in which the database backups are stored.	Supported

Tip

AWS Backup Audit Manager helps you automatically detect unencrypted backups.

Encryption for copies of a backup to a different account or AWS Region

When you copy your backups across accounts or Regions, AWS Backup automatically encrypts those copies for most resource types, even if the original backup is unencrypted.

Before you copy a backup from one account to another (cross-account copy job) or copy a backup from one Region to another (cross-Region copy job), note the following conditions, many of which depend on whether the resource type in the backup (recovery point) is fully managed by AWS Backup or not fully managed.

A copy of a backup to another AWS Region is encrypted using the key of the destination vault.
For a copy of a recovery point (backup) of a resource that is fully managed by AWS Backup, you can choose to encrypt it with a customer managed key (CMK) or an AWS Backup managed key (aws/backup).

For a copy of a recovery point of a resource that is not fully managed by AWS Backup, the key associated to the destination vault must be a CMK or the managed key of the service that owns the underlying resource. For example, if you are copying an EC2 instance, a Backup managed key cannot be used. Instead, a CMK or Amazon EC2 KMS key (aws/ec2) must be used to avoid copy job failure.
Cross-account copy with AWS managed keys isn't supported for resources that aren't fully managed by AWS Backup. The key policy of an AWS managed key is immutable, which prevents copying the key across accounts. If your resources are encrypted with AWS managed keys and you want to perform a cross-account copy, you may change the encryption keys to a customer managed key, which can be used for cross-account copying. Or, you can follow the instructions in Protecting encrypted Amazon RDS instances with cross-account and cross-Region backups to continue using AWS managed keys.
Copies of unencrypted Amazon Aurora, Amazon DocumentDB, and Amazon Neptune clusters are also unencrypted.

AWS Backup permissions, grants, and deny statements

To help avoid failed jobs, you can examine the AWS KMS key policy to ensure it has required permissions and does not have any deny statements that prevent successful operations.

Failed jobs can occur due to either one or more Deny statements applied to the KMS key or due to a grant revoked for the key.

In an AWS managed access policy such as AWSBackupFullAccess, there are Allow actions that permit AWS Backup to interface with AWS KMS to create a grant on a KMS key on a customer's behalf as part backup, copy, and storage operations.

At a minimum, the key policy requires the following permissions:

kms:createGrant
kms:generateDataKey
kms:decrypt

If Deny policies are necessary, you will need to allowlist the required roles for backup and restore operations.

These elements can look like:



{
    "Sid": "KmsPermissions",
    "Effect": "Allow",
    "Action": [
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:ListAliases"
    ],
    "Resource": "*"
},
{
    "Sid": "KmsCreateGrantPermissions",
    "Effect": "Allow",
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "kms:EncryptionContextKeys": "aws:backup:backup-vault"
        },
        "Bool": {
            "kms:GrantIsForAWSResource": true
        },
        "StringLike": {
            "kms:ViaService": "backup.*.amazonaws.com"
        }
    }
}

These permissions must be part of the key, whether it is AWS managed or customer managed.

Ensure required permissions are part of KMS key policy
1. Run KMS CLI get-key-policy (kms:GetKeyPolicy) to view the key policy attached to the specified KMS key.
2. Review the returned permissions.
Ensure there are no Deny statements that affect operations
1. Run (or re-run) CLI get-key-policy (kms:GetKeyPolicy) to view the key policy attached to the specified KMS key.
2. Review the policy.
3. Remove relevant Deny statements from the KMS key policy.
If needed, run kms:put-key-policy to replace or update key policy with revised permissions and removed Deny statements.

Additionally, the key associated with the role initiating a cross-Region copy job must have "kms:ResourcesAliases": "alias/aws/backup" in the DescribeKey permission.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data protection

Virtual machine hypervisor credential encryption