I believe that SSE-S3 cannot be used for encryption of S3 objects in the cross-account case.
SSE-S3 will probably not be able to restore because you cannot edit permissions on the key cross-account.
For SSE-KMS it is probably possible.
Perhaps, but I have a feeling that the problem is around the permissions of the KMS key.
S3 itself supports cross-account backup as described in the following document.
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-resource
Thanks. It is very hard to troubleshoot AWS Backup without detailed logs, and in this case it was showing as successful but the objects were not in the restored bucket. It started working; I am not sure what the original issue was, but in terms of encryption keys it looks like it is working when the source is SSE-S3. I assume, based on the documentation, that AWS managed keys in KMS are not supported, as you cannot edit their key policy, and that it should be possible with customer managed keys by allowing the target account to access the key. As AWS Backup is doing the configuration and managing the backup, is it not able to decrypt data on the source account and then re-encrypt on the target account with AWS managed keys (of the source and target accounts respectively)? This is assuming the end user is happy with the encryption-in-transit solution as data is transferred between the accounts.
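The reasoning in that comment (SSE-S3 restores, AWS managed KMS keys cannot be shared, customer managed keys need a policy grant for the vault account) can be turned into a pre-flight check run against the source bucket before the backup job. This is an added example, not code from the thread or from AWS Backup; the account IDs, key ARNs and the HeadObject, DescribeKey and key-policy data are constructed inline, and a live run would replace them with the corresponding boto3 calls.

```python
TARGET_ACCOUNT = "444455556666"  # hypothetical account that holds the backup vault
KEY_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"  # hypothetical source account
# Constructed s3.head_object() fields for four objects in the source bucket.
SAMPLE_OBJECTS = {
    "logs/a.gz": {"ServerSideEncryption": "AES256"},
    "logs/b.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_PREFIX + "aws-managed"},
    "logs/c.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_PREFIX + "cmk-shared"},
    "logs/d.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_PREFIX + "cmk-private"},
}
# Constructed kms.describe_key() KeyManager and kms.get_key_policy() document per key ARN.
SAMPLE_KEYS = {
    KEY_PREFIX + "aws-managed": {"KeyManager": "AWS", "Policy": {"Statement": []}},
    KEY_PREFIX + "cmk-shared": {"KeyManager": "CUSTOMER", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}},
    KEY_PREFIX + "cmk-private": {"KeyManager": "CUSTOMER", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}]}},
}
def policy_grants_decrypt(policy, account):
    """True if an Allow statement names the account as an AWS principal and
    covers kms:Decrypt. A bare "*" principal is deliberately not counted."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        pr = st.get("Principal", {})
        principals = pr.get("AWS", []) if isinstance(pr, dict) else []
        principals = [principals] if isinstance(principals, str) else principals
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (any(f":{account}:" in p for p in principals)
                and any(a in ("kms:*", "kms:Decrypt") for a in actions)):
            return True
    return False
def restore_status(obj, keys, account):
    """SSE-S3 restores; SSE-KMS only if the key is customer managed and its
    policy lets the target account decrypt (AWS managed keys cannot be edited)."""
    sse = obj.get("ServerSideEncryption")
    if sse != "aws:kms":
        return "ok: " + ("SSE-S3" if sse == "AES256" else "not SSE-KMS")
    key = keys[obj["SSEKMSKeyId"]]
    if key["KeyManager"] == "AWS":
        return "blocked: AWS managed key, policy cannot be edited"
    if policy_grants_decrypt(key["Policy"], account):
        return "ok: customer managed key shared with " + account
    return "blocked: customer managed key not shared with " + account
def audit(objects=SAMPLE_OBJECTS, keys=SAMPLE_KEYS, account=TARGET_ACCOUNT):
    """Map each object key to its restore status; run before the backup job."""
    return {name: restore_status(meta, keys, account) for name, meta in objects.items()}
```

Because a job reported as successful can still leave the restored bucket empty, any "blocked" entry in the audit output is worth fixing before the first cross-account copy rather than after.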
Thanks. The backup job runs on the same account as the S3 objects and copies to a vault in a separate account. Both backup and restore jobs complete successfully; isn't it supposed to fail if there was a key or access issue? They succeed, but there are no objects after restore.
I see that it is possible to restore on an object-by-object basis by specifying an object key, etc. If I restore in that way, will the object be created? https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-s3.html
Also, check that bucket ACLs, versioning, etc. are enabled on the target S3 bucket.