I want to restore an AWS Key Management Service (AWS KMS)-encrypted backup file from an on-premises environment to an Amazon Relational Database Service (Amazon RDS) for Microsoft SQL Server instance. How can I do this using the native backup and restore feature?
Short description
AWS KMS encryption securely encrypts a Microsoft SQL Server backup file in RDS for SQL Server using an AWS KMS key. You can restore the encrypted backup to another RDS for SQL Server instance.
Resolution
Note: Before starting the following resolution, make sure that you have the following:
1. Initiate client-side encryption on the native backup by specifying the AWS KMS key parameter (@kms_master_key_arn):
exec msdb.dbo.rds_backup_database @source_db_name='database-name',
    @s3_arn_to_backup_to='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx1';
2. Restore the AWS KMS encrypted backup in another RDS for SQL Server instance in the same Region and account. To do this, specify the same AWS KMS key that was used to encrypt the backup in the following command:
exec msdb.dbo.rds_restore_database @restore_db_name='database-name',
    @s3_arn_to_restore_from='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx1';
Restore an AWS KMS encrypted backup in another Region under the same account
If the AWS KMS encrypted backup needs to be restored in another Region under the same account, do the following:
1. Create a multi-Region AWS KMS key. Make sure to choose Symmetric key for the key type.
2. Create replica keys for the required destination Region.
3. Start an encrypted native backup by specifying the AWS KMS key parameter (@kms_master_key_arn) in region-A:
exec msdb.dbo.rds_backup_database @source_db_name='database-name',
    @s3_arn_to_backup_to='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2';
4. Copy the backup file to an S3 bucket in the destination Region (region-B). Amazon RDS doesn't support cross-Region buckets, so the restoring instance must read from a bucket in its own Region.
5. Restore the AWS KMS encrypted backup in region-B by specifying the same AWS KMS key ID that was used to encrypt the backup.
Note: The Region in @kms_master_key_arn changes to the destination Region; the key ID stays the same because the replica key shares the ID of the primary key.
exec msdb.dbo.rds_restore_database @restore_db_name='database-name',
    @s3_arn_to_restore_from='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-2:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2';
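The following T-SQL is an added example, not part of the original article, that ties the two procedures above together (the same-Region restore in steps 1 and 2, and the cross-Region restore in steps 3 through 5) and adds the status check a practitioner normally runs between the backup and the restore. It uses the article's placeholder database, bucket, account and key-ID values; the @overwrite_s3_backup_file parameter and the msdb.dbo.rds_task_status procedure are real features of RDS for SQL Server native backup and restore, and the batch labels (region-A, region-B) are assumptions that match the article's naming.

```sql
-- Batch 1: run on the source RDS for SQL Server instance in region-A (us-east-1).
-- Starts a KMS-encrypted native backup. The multi-Region primary key lives in us-east-1;
-- @overwrite_s3_backup_file=1 lets the task replace an existing object of the same name.
EXEC msdb.dbo.rds_backup_database
    @source_db_name = 'database-name',
    @s3_arn_to_backup_to = 'arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn = 'arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2',
    @overwrite_s3_backup_file = 1;

-- Check the backup task. Re-run until the lifecycle column reads SUCCESS;
-- an ERROR lifecycle is explained in the task_info column (typically a missing
-- KMS or S3 permission on the option group's IAM role, or a wrong key ARN).
EXEC msdb.dbo.rds_task_status @db_name = 'database-name';

-- Between the batches: copy Filename.bak to a bucket in region-B (us-east-2) with
-- the AWS CLI or console. The bucket below is assumed to already exist in region-B.

-- Batch 2: run on the destination RDS for SQL Server instance in region-B (us-east-2).
-- Same key ID as the backup, but the ARN now names the replica key's Region,
-- and the S3 ARN names the bucket that was copied into region-B.
EXEC msdb.dbo.rds_restore_database
    @restore_db_name = 'database-name',
    @s3_arn_to_restore_from = 'arn:aws:s3:::bucket-name-region-b/Filename.bak',
    @kms_master_key_arn = 'arn:aws:kms:us-east-2:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2';

-- Poll the restore the same way; the database is not usable until lifecycle = SUCCESS.
EXEC msdb.dbo.rds_task_status @db_name = 'database-name';
```

For the same-Region, same-account case in steps 1 and 2, run both batches on instances in us-east-1 with the us-east-1 key ARN and no copy step. If rds_task_status reports ERROR on the restore side, the usual causes are a bucket that is not in the destination Region or a key ARN that still points at the source Region; check those two values before anything else.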
Restore an AWS KMS encrypted backup in an on-premises environment, cross-account, or cross-Region
The following three scenarios require a workaround to restore the backup:
- The AWS KMS encrypted database backup must be restored in the same Region but under a different account (cross-account). Amazon RDS doesn't support cross-account AWS KMS key sharing. This means that you can't encrypt a backup in account-A with KMS key K1 and then restore the backup in account-B using the same key.
- The AWS KMS encrypted database backup must be restored in a different Region and in a different account (cross-Region and cross-account). Amazon RDS doesn't support cross-account AWS KMS key sharing or cross-Region buckets.
- The AWS KMS encrypted database backup must be restored in an on-premises environment. The on-premises environment isn't aware of the AWS KMS key details because it's an external entity. So, you must decrypt the AWS KMS encrypted files prior to restoring.
For a workaround for these limitations, see the Export from Amazon RDS for SQL Server section in Client-side encryption and decryption of Microsoft SQL Server backups for use with Amazon RDS.
Related information
Migrate TDE-enabled SQL Server databases to Amazon RDS for SQL Server
How do I restore an encrypted backup file or encrypted Microsoft Azure backup in RDS for SQL Server from an on-premises environment?