Encryption for backups in AWS Backup - AWS Backup

Encryption for backups in AWS Backup

You can configure encryption in AWS Backup for resource types that support full AWS Backup management. If the resource type does not support full AWS Backup management, you must configure its backup encryption by following that service's instructions, such as Amazon EBS encryption in the Amazon EBS User Guide. To see the list of resource types that support full AWS Backup management, see the "Full AWS Backup management" section of the Feature availability by resource table.

Your IAM role must have access to the KMS key used to back up and restore the object. Otherwise the job reports success, but the objects are not actually backed up or restored. The permissions in the IAM policy and in the KMS key policy must be consistent with each other: an Allow in one does not make up for a missing grant in the other. For more information, see Specifying KMS keys in IAM policy statements in the AWS Key Management Service Developer Guide.

Note

AWS Backup Audit Manager helps you automatically detect unencrypted backups.

The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported. When AWS Backup independently encrypts a backup, it uses the industry-standard AES-256 encryption algorithm. For more information about encryption in AWS Backup, see cross-Region and cross-account backup.

Resource type: Amazon Simple Storage Service (Amazon S3)
How to configure encryption: Amazon S3 backups are encrypted using an AWS KMS (AWS Key Management Service) key associated with the backup vault. The AWS KMS key can be either a customer managed key or the AWS managed key associated with the AWS Backup service. AWS Backup encrypts all backups even if the source Amazon S3 buckets are not encrypted.
Independent AWS Backup encryption: Supported

Resource type: VMware virtual machines
How to configure encryption: VM backups are always encrypted. The AWS KMS encryption key for virtual machine backups is configured in the AWS Backup vault in which the virtual machine backups are stored.
Independent AWS Backup encryption: Supported

Resource type: Amazon DynamoDB, with Advanced DynamoDB backup enabled
How to configure encryption: DynamoDB backups are always encrypted. The AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that the DynamoDB backups are stored in.
Independent AWS Backup encryption: Supported

Resource type: Amazon DynamoDB, without Advanced DynamoDB backup enabled
How to configure encryption: DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. In order for AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup. Alternatively, you can use the AWS Backup default service role.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Elastic File System (Amazon EFS)
How to configure encryption: Amazon EFS backups are always encrypted. The AWS KMS encryption key for Amazon EFS backups is configured in the AWS Backup vault that the Amazon EFS backups are stored in.
Independent AWS Backup encryption: Supported

Resource type: Amazon Elastic Block Store (Amazon EBS)
How to configure encryption: By default, Amazon EBS backups are either encrypted using the key that was used to encrypt the source volume, or they are unencrypted. During restore, you can choose to override the default encryption method by specifying a KMS key.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Elastic Compute Cloud (Amazon EC2) AMIs
How to configure encryption: AMIs themselves are unencrypted. The EBS snapshots behind an AMI follow the default encryption rules for EBS backups (see the entry for Amazon EBS). EBS snapshots of data and root volumes can be encrypted and attached to an AMI.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Relational Database Service (Amazon RDS)
How to configure encryption: Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Aurora
How to configure encryption: Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted.
Independent AWS Backup encryption: Not supported

Resource type: AWS Storage Gateway
How to configure encryption: Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. You don't need to use a customer managed key across all services to enable encrypted Storage Gateway backups; you only need to copy the Storage Gateway backup to a vault that has a KMS key configured. This is because Storage Gateway does not have a service-specific AWS managed KMS key.
Independent AWS Backup encryption: Not supported

Resource type: Amazon FSx
How to configure encryption: Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide.
Independent AWS Backup encryption: Not supported

Resource type: Amazon DocumentDB
How to configure encryption: Amazon DocumentDB cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon DocumentDB cluster. Snapshots of unencrypted Amazon DocumentDB clusters are also unencrypted.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Neptune
How to configure encryption: Neptune cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Neptune cluster. Snapshots of unencrypted Neptune clusters are also unencrypted.
Independent AWS Backup encryption: Not supported

Resource type: Amazon Timestream
How to configure encryption: Timestream table snapshot backups are always encrypted. The AWS KMS encryption key for Timestream backups is configured in the backup vault in which the Timestream backups are stored.
Independent AWS Backup encryption: Supported

Resource type: Amazon Redshift
How to configure encryption: Amazon Redshift snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Redshift cluster. Snapshots of unencrypted Amazon Redshift clusters are also unencrypted.
Independent AWS Backup encryption: Not supported

Resource type: AWS CloudFormation
How to configure encryption: CloudFormation backups are always encrypted. The AWS KMS encryption key for CloudFormation backups is configured in the AWS Backup vault in which the CloudFormation backups are stored.
Independent AWS Backup encryption: Supported

Resource type: SAP HANA databases on Amazon EC2 instances
How to configure encryption: SAP HANA database backups are always encrypted. The AWS KMS encryption key for SAP HANA database backups is configured in the AWS Backup vault in which the database backups are stored.
Independent AWS Backup encryption: Supported
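The "IAM policy and KMS key policy must be consistent" requirement above, and the kms:Decrypt and kms:GenerateDataKey permissions named in the DynamoDB row, are the usual cause of a backup job that "succeeds" without producing a usable recovery point. The following added example (not code from AWS or the AWS Backup documentation) is a local pre-flight check that evaluates a backup role's identity policy and a key policy together, using AWS's documented same-account rule: an explicit Deny in either document wins; otherwise the key policy must either allow the role directly or allow the account root principal (which is what lets IAM policies grant use of the key) and the IAM policy must also allow the action. It is a simplified model: Condition, NotAction, NotResource and NotPrincipal are not handled, and the account ID, role name, key ARN and policy documents are constructed for the example.

```python
"""Pre-flight check: can the backup role actually use the vault's KMS key?

Added example, not AWS code. Simplified model of IAM + KMS key policy
evaluation for same-account access (no Condition/Not* elements).
"""
from fnmatch import fnmatch

BACKUP_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, fold_case=False):
    """IAM-style wildcard match ("kms:*", "kms:GenerateDataKey*", "*")."""
    for pattern in _as_list(patterns):
        if fold_case and fnmatch(value.lower(), pattern.lower()):
            return True
        if not fold_case and fnmatch(value, pattern):
            return True
    return False


def _principal_matches(statement, principal_arn):
    """Key-policy Principal element: "*" or {"AWS": arn | [arns]}."""
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS"))


def _effects(policy, action, resource, principal_arn=None):
    """Set of Effects ("Allow"/"Deny") of statements matching the request."""
    effects = set()
    for st in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(st, principal_arn):
            continue
        if not _any_match(st.get("Action"), action, fold_case=True):
            continue
        if not _any_match(st.get("Resource"), resource):
            continue
        effects.add(st["Effect"])
    return effects


def kms_action_allowed(role_arn, account_id, iam_policy, key_policy, key_arn, action):
    """Return (allowed, reason) for one KMS action on one key."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    key_for_role = _effects(key_policy, action, key_arn, principal_arn=role_arn)
    key_for_root = _effects(key_policy, action, key_arn, principal_arn=root_arn)
    iam = _effects(iam_policy, action, key_arn)

    if "Deny" in key_for_role or "Deny" in key_for_root:
        return False, "explicit Deny in key policy"
    if "Deny" in iam:
        return False, "explicit Deny in IAM policy"
    if "Allow" in key_for_role:
        return True, "key policy allows the role directly"
    if "Allow" in key_for_root and "Allow" in iam:
        return True, "key policy delegates to IAM and IAM policy allows"
    if "Allow" in key_for_root:
        return False, "key policy delegates to IAM but IAM policy has no Allow"
    if "Allow" in iam:
        return False, "IAM policy allows but key policy grants nothing to this account's IAM principals"
    return False, "neither policy allows the action"


def check_backup_role(role_arn, account_id, iam_policy, key_policy, key_arn):
    """Evaluate every KMS action a backup/restore of an encrypted resource needs."""
    return {
        action: kms_action_allowed(role_arn, account_id, iam_policy, key_policy, key_arn, action)
        for action in BACKUP_KMS_ACTIONS
    }


# --- Constructed sample inputs (not real account, role or key identifiers) ---
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AWSBackupDefaultServiceRole"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Identity policy attached to the backup role.
BACKUP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

# Key policy whose root-principal statement lets IAM policies grant key use.
CONSISTENT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableIAMPolicies",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Key policy that names only an admin role: the IAM policy above cannot
# make up for it, so the backup job cannot use the key.
INCONSISTENT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KeyAdminsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, key_policy in (("consistent", CONSISTENT_KEY_POLICY),
                             ("inconsistent", INCONSISTENT_KEY_POLICY)):
        print(name)
        results = check_backup_role(ROLE_ARN, ACCOUNT_ID, BACKUP_ROLE_POLICY, key_policy, KEY_ARN)
        for action, (ok, why) in results.items():
            print(f"  {action}: {'ALLOWED' if ok else 'DENIED'} ({why})")
```

To run this against real policies, feed it the JSON from `aws kms get-key-policy --policy-name default` and from the role's attached policies; the check is deliberately conservative, so a DENIED result for either action is worth fixing before the next scheduled backup window rather than after a "successful" job turns out to have backed up nothing.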

Encryption for backup copies

When you use AWS Backup to copy your backups across accounts or Regions, AWS Backup automatically encrypts those copies for most resource types, even if the original backup is unencrypted. AWS Backup encrypts your copy using the target vault's KMS key. However, copies of snapshots of unencrypted Aurora, Amazon DocumentDB, and Neptune clusters remain unencrypted.

Encryption and backup copies

Cross-account copy with AWS managed KMS keys isn't supported for resources that aren't fully managed by AWS Backup. Refer to Full AWS Backup management to determine which resources are fully managed.

For the resources that are fully managed by AWS Backup, the copies are encrypted with the encryption key of the destination backup vault. For the resources that aren't fully managed by AWS Backup, cross-account copies use the same KMS key as the source resource, which is why an AWS managed key (usable only within its own account) blocks such a copy. For more information, see Encryption keys and cross-account copies.
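The rules in the two copy sections above, together with the note that AWS Backup Audit Manager detects unencrypted backups, can be applied before a copy job is scheduled rather than discovered when it fails. The following added example (not AWS code) does that over constructed records in the shape of ListRecoveryPointsByBackupVault output (ResourceType, IsEncrypted, EncryptionKeyArn), extended with a KeyManager field that a caller would fill from kms:DescribeKey ("AWS" or "CUSTOMER"). The ResourceType strings, the assumption that Advanced DynamoDB backup is enabled in the account, and every ARN are assumptions of the example.

```python
"""Pre-flight check for AWS Backup copy jobs plus an unencrypted-backup report.

Added example, not AWS code. Encodes the page's copy rules:
  * fully managed types: copy is encrypted with the destination vault key;
  * other types, unencrypted source: copy is encrypted with the destination
    vault key, except Aurora/DocumentDB/Neptune, which stay unencrypted;
  * other types, encrypted source: copy keeps the source key, so a
    cross-account copy of a resource under an AWS managed key is unsupported.
"""

# Resource types with full AWS Backup management, per the table above.
# Assumption: DynamoDB is listed because Advanced DynamoDB backup is enabled.
FULLY_MANAGED = {"S3", "VirtualMachine", "DynamoDB", "EFS", "Timestream",
                 "CloudFormation", "SAP HANA on Amazon EC2"}

# Engines whose unencrypted snapshots remain unencrypted when copied.
STAYS_UNENCRYPTED = {"Aurora", "DocumentDB", "Neptune"}


def predict_copy(rp, dest_vault_key_arn, cross_account):
    """Predict the encryption of a copy of recovery point `rp`.

    Returns (supported, encrypted, key_arn_used, reason).
    """
    rtype = rp["ResourceType"]
    if rtype in FULLY_MANAGED:
        return True, True, dest_vault_key_arn, "fully managed: copy uses destination vault key"
    if not rp["IsEncrypted"]:
        if rtype in STAYS_UNENCRYPTED:
            return True, False, None, f"unencrypted {rtype} snapshot: copy stays unencrypted"
        return True, True, dest_vault_key_arn, "unencrypted source: copy encrypted with destination vault key"
    # Encrypted and not fully managed: the copy keeps the source key.
    if cross_account and rp.get("KeyManager") == "AWS":
        return False, False, None, "cross-account copy with an AWS managed key is not supported"
    return True, True, rp["EncryptionKeyArn"], "not fully managed: copy keeps the source key"


def audit(recovery_points, dest_vault_key_arn, cross_account):
    """Return (unencrypted recovery point ARNs, [(ARN, reason)] for copies that cannot run)."""
    unencrypted = [rp["RecoveryPointArn"] for rp in recovery_points if not rp["IsEncrypted"]]
    blocked = []
    for rp in recovery_points:
        supported, _, _, reason = predict_copy(rp, dest_vault_key_arn, cross_account)
        if not supported:
            blocked.append((rp["RecoveryPointArn"], reason))
    return unencrypted, blocked


# --- Constructed sample data (not real accounts, keys or recovery points) ---
SRC_ACCOUNT = "111122223333"
CMK = f"arn:aws:kms:us-east-1:{SRC_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_EBS_KEY = f"arn:aws:kms:us-east-1:{SRC_ACCOUNT}:key/aaaabbbb-1111-2222-3333-444455556666"
DEST_VAULT_KEY = "arn:aws:kms:us-west-2:444455556666:key/9999eeee-7777-6666-5555-444433332222"

SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0a1b2c3d4e5f60001",
     "ResourceType": "EBS", "IsEncrypted": True, "EncryptionKeyArn": AWS_EBS_KEY, "KeyManager": "AWS"},
    {"RecoveryPointArn": f"arn:aws:rds:us-east-1:{SRC_ACCOUNT}:cluster-snapshot:awsbackup:job-0001",
     "ResourceType": "Aurora", "IsEncrypted": False, "EncryptionKeyArn": None, "KeyManager": None},
    {"RecoveryPointArn": f"arn:aws:backup:us-east-1:{SRC_ACCOUNT}:recovery-point:efs-0001",
     "ResourceType": "EFS", "IsEncrypted": True, "EncryptionKeyArn": CMK, "KeyManager": "CUSTOMER"},
    {"RecoveryPointArn": f"arn:aws:rds:us-east-1:{SRC_ACCOUNT}:snapshot:awsbackup:job-0002",
     "ResourceType": "RDS", "IsEncrypted": True, "EncryptionKeyArn": CMK, "KeyManager": "CUSTOMER"},
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0a1b2c3d4e5f60002",
     "ResourceType": "EBS", "IsEncrypted": False, "EncryptionKeyArn": None, "KeyManager": None},
]

if __name__ == "__main__":
    unenc, blocked = audit(SAMPLE_RECOVERY_POINTS, DEST_VAULT_KEY, cross_account=True)
    print("Unencrypted recovery points:", *unenc, sep="\n  ")
    print("Copies that will not run:", *(f"{arn}: {why}" for arn, why in blocked), sep="\n  ")
    for rp in SAMPLE_RECOVERY_POINTS:
        print(rp["ResourceType"], predict_copy(rp, DEST_VAULT_KEY, cross_account=True))
```

The sample deliberately includes the two cases that surprise people: the encrypted EBS snapshot under the AWS managed aws/ebs key, which cannot be copied to another account at all, and the unencrypted Aurora snapshot, whose copy stays unencrypted even though the destination vault has a key.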