I want to standardize encryption across all recovery points in my AWS Backup vault.
Resolution
It's a best practice to use a single AWS Key Management Service (AWS KMS) key to keep encryption consistent across all AWS Backup recovery points.
To configure your resources to use the same AWS KMS key as your backup vault, complete the following steps:
- Open the AWS Backup console.
- In the navigation pane, choose Vaults.
- In the Vaults created by this account section, identify your backup vault. Then, get the encryption key for your vault from the KMS encryption key ID column.
- Update your key policy.
Note: The AWS Identity and Access Management (IAM) roles that use your resources and AWS Backup must have permissions to use the AWS KMS key.
Note: When you configure resources, make sure that you specify the AWS KMS key for that resource. For example, if you create an Amazon Elastic Block Store (Amazon EBS) volume, then specify the AWS KMS key for the new volume.
To keep backup encryption consistent, separate your resources into those whose backups AWS Backup fully manages and those it doesn't, and then create a different vault for each group. Backups of fully managed services use the vault's encryption key, and backups of services that aren't fully managed use the source resource's own encryption key.
If you must use different AWS KMS keys for different resources, then create separate backup vaults for each encryption key. Or, you can copy the backup to a central vault that's configured to use a customer managed key. You must create the central vault in the same AWS account and AWS Region that your vault is located in.
Note: Not all AWS services support independent encryption for AWS Backup. For resources that don't support it, AWS Backup keeps the same encryption settings as the source resource. If you make a backup copy, then AWS Backup decrypts the backup and re-encrypts the copy with the customer managed key of the central vault. You can also copy a backup that's encrypted with a customer managed key across accounts.
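To verify the outcome of these steps, the following added example (not part of the AWS article) audits a vault's recovery points and flags any whose KMS key differs from the vault's key or that aren't encrypted. The sample data is constructed to match the shape of the ListBackupVaults and ListRecoveryPointsByBackupVault responses; the ARNs and account ID are placeholders, and the optional boto3 collector is assumed to run with credentials that can read AWS Backup.

```python
"""Find AWS Backup recovery points whose encryption is inconsistent with their vault."""
from typing import Dict, Iterable, List, Optional, Tuple

VAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-VAULT-KEY"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-RDS-KEY"

# Constructed sample: one vault encrypted with a customer managed key.
SAMPLE_VAULTS = [{"BackupVaultName": "central-vault", "EncryptionKeyArn": VAULT_KEY}]

# Constructed sample recovery points: an EBS snapshot that uses the vault key,
# an RDS snapshot that kept its source key (not fully managed), and an
# unencrypted DynamoDB point.
SAMPLE_RECOVERY_POINTS = [
    {"BackupVaultName": "central-vault", "ResourceType": "EBS", "IsEncrypted": True,
     "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-EXAMPLE1",
     "EncryptionKeyArn": VAULT_KEY},
    {"BackupVaultName": "central-vault", "ResourceType": "RDS", "IsEncrypted": True,
     "RecoveryPointArn": "arn:aws:rds:us-east-1:111122223333:snapshot:awsbackup:EXAMPLE2",
     "EncryptionKeyArn": OTHER_KEY},
    {"BackupVaultName": "central-vault", "ResourceType": "DynamoDB", "IsEncrypted": False,
     "RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE3",
     "EncryptionKeyArn": None},
]


def find_inconsistent_recovery_points(vaults: Iterable[Dict], recovery_points: Iterable[Dict]) -> List[Dict]:
    """Return one finding per recovery point that is unencrypted or uses a key other than its vault's."""
    vault_keys: Dict[str, Optional[str]] = {v["BackupVaultName"]: v.get("EncryptionKeyArn") for v in vaults}
    findings = []
    for rp in recovery_points:
        expected = vault_keys.get(rp["BackupVaultName"])
        actual = rp.get("EncryptionKeyArn")
        if not rp.get("IsEncrypted", False):
            reason = "not encrypted"
        elif actual != expected:
            reason = "key differs from vault key"
        else:
            continue  # consistent with the vault's key; nothing to report
        findings.append({"RecoveryPointArn": rp["RecoveryPointArn"], "ResourceType": rp.get("ResourceType"),
                         "VaultKey": expected, "RecoveryPointKey": actual, "Reason": reason})
    return findings


def collect_from_aws(client) -> Tuple[List[Dict], List[Dict]]:
    """Optional live collector: pass a boto3 'backup' client (assumed credentials with read access)."""
    vaults = [v for page in client.get_paginator("list_backup_vaults").paginate() for v in page["BackupVaultList"]]
    points = [rp for v in vaults
              for page in client.get_paginator("list_recovery_points_by_backup_vault").paginate(BackupVaultName=v["BackupVaultName"])
              for rp in page["RecoveryPoints"]]
    return vaults, points


if __name__ == "__main__":
    for finding in find_inconsistent_recovery_points(SAMPLE_VAULTS, SAMPLE_RECOVERY_POINTS):
        print(finding["Reason"], finding["ResourceType"], finding["RecoveryPointArn"])
```

To audit a real account, replace the sample data with `collect_from_aws(boto3.client("backup"))`; every RDS-style finding marks a resource that must be re-keyed at the source or copied into the central vault.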
Related information
Encryption for backups in AWS Backup
Protecting Amazon Relational Database Service (Amazon RDS) DB instances encrypted using AWS KMS managed key with cross-account and cross-Region backups
Create and share encrypted backups across accounts and Regions using AWS Backup
How encryption works in AWS Backup