How are my backups and copies encrypted in AWS Backup?


I want to understand how my backups and copies are encrypted in AWS Backup.

Resolution

In AWS Backup, encryption depends on the resource types and their integration with the service. The encryption type depends on whether the resource you're backing up has full AWS Backup management. To see the resource types that support full AWS Backup management, see Feature availability by resource.

Backup encryption

Resources that support full AWS Backup management

Your resource's backup is encrypted with the target backup vault's AWS Key Management Service (AWS KMS) key. This applies regardless of the AWS KMS key that the source service uses.

Resources that don't support full AWS Backup management

Your resource's backup is encrypted with the source service's AWS KMS key. If a resource is unencrypted at the source, then its backup is also unencrypted in the backup vault.

For more information, see Encryption for backups in AWS Backup.

Copy encryption

Encryption for copies and cross-Region copies for resources that support full AWS Backup management

AWS Backup encrypts copies with the target vault's AWS KMS key, even when the source backup isn't encrypted.

Cross-Region copies for resources that don't support full AWS Backup management

Cross-Region copies are encrypted with the default AWS managed AWS KMS key for the destination resource type in the destination AWS Region.

Cross-Region copies aren't encrypted with the AWS managed key of AWS Backup.

For example, suppose that your destination default vault uses the aws/backup key in the US East (Ohio) Region, and you perform a cross-Region copy of an Amazon Elastic Block Store (Amazon EBS) snapshot. The snapshot is copied to the destination default vault, but the snapshot copy is encrypted with the aws/ebs key in the US East (Ohio) Region, not with the aws/backup key.

Cross-account copy for resources that support full AWS Backup management

Cross-account copies are encrypted with the target vault's AWS KMS key.

Cross-account copy for resources that don't support full AWS Backup management

You can't copy backups that are encrypted with an AWS managed AWS KMS key across accounts.

You can copy backups across accounts when they are in a custom vault that uses a customer managed AWS KMS key.

For more information, see How can I copy AWS Backups across AWS accounts?
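The distinctions above (vault key for fully managed resources, source key or no encryption otherwise, and AWS managed keys blocking cross-account copies) can be checked directly against a vault's recovery points. The following audit script is an added example, not AWS's code: it calls the boto3 operations describe_backup_vault, list_recovery_points_by_backup_vault and KMS describe_key, and the FakeAws client with its placeholder ARNs is constructed so that the logic runs offline.

```python
"""Audit the recovery points in an AWS Backup vault for how they are encrypted. Added example, not AWS's code;
it uses the boto3 calls describe_backup_vault, list_recovery_points_by_backup_vault and KMS describe_key."""
from dataclasses import dataclass

@dataclass
class Finding:
    recovery_point_arn: str
    resource_type: str
    status: str            # "vault-key", "source-key" or "unencrypted"
    aws_managed_key: bool  # True for AWS managed keys such as aws/backup or aws/ebs

def classify_recovery_point(rp: dict, vault_key_arn: str, kms) -> Finding:
    """Fully managed resources carry the vault key; other resources keep the
    source service's key, or stay unencrypted if the source was unencrypted."""
    key_arn = rp.get("EncryptionKeyArn")
    if not rp.get("IsEncrypted", False) or not key_arn:
        status, aws_managed = "unencrypted", False
    else:
        status = "vault-key" if key_arn == vault_key_arn else "source-key"
        # KeyManager is "AWS" for AWS managed keys, "CUSTOMER" for customer managed keys (cross-account copy needs the latter).
        aws_managed = kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"] == "AWS"
    return Finding(rp["RecoveryPointArn"], rp.get("ResourceType", "unknown"), status, aws_managed)

def audit_vault(backup, kms, vault_name: str) -> list[Finding]:
    """Page through every recovery point in the vault and classify each one."""
    vault_key = backup.describe_backup_vault(BackupVaultName=vault_name)["EncryptionKeyArn"]
    findings, kwargs = [], {"BackupVaultName": vault_name}
    while True:
        page = backup.list_recovery_points_by_backup_vault(**kwargs)
        findings += [classify_recovery_point(rp, vault_key, kms) for rp in page.get("RecoveryPoints", [])]
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

# Constructed stand-in for boto3.client("backup") and boto3.client("kms"); all ARNs are placeholders.
VAULT_KEY = "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-customer-managed"
class FakeAws:
    def describe_backup_vault(self, BackupVaultName):
        return {"BackupVaultName": BackupVaultName, "EncryptionKeyArn": VAULT_KEY}
    def list_recovery_points_by_backup_vault(self, BackupVaultName, NextToken=None):
        return {"RecoveryPoints": [  # EFS is fully managed; EBS keeps the source key, or none
            {"RecoveryPointArn": "arn:aws:backup:us-east-2:111122223333:recovery-point:EXAMPLE-1",
             "ResourceType": "EFS", "IsEncrypted": True, "EncryptionKeyArn": VAULT_KEY},
            {"RecoveryPointArn": "arn:aws:ec2:us-east-2::snapshot/snap-EXAMPLE2", "ResourceType": "EBS",
             "IsEncrypted": True, "EncryptionKeyArn": "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-aws-ebs"},
            {"RecoveryPointArn": "arn:aws:ec2:us-east-2::snapshot/snap-EXAMPLE3",
             "ResourceType": "EBS", "IsEncrypted": False}]}
    def describe_key(self, KeyId):  # every key except the vault's own counts as AWS managed here
        return {"KeyMetadata": {"KeyManager": "CUSTOMER" if KeyId == VAULT_KEY else "AWS"}}
```

Against a real account, pass boto3.client("backup") and boto3.client("kms") instead of FakeAws; a "source-key" or "unencrypted" finding marks a recovery point whose protection does not come from the vault, and aws_managed_key flags the ones that can't be copied across accounts.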

Related information

Copy a backup

Key policies in AWS KMS

AWS OFFICIAL. Updated 8 months ago.