Hi,
You may want to read this blog on the exact use case that you are working on: https://aws.amazon.com/blogs/storage/secure-data-recovery-with-cross-account-backup-and-cross-region-copy-using-aws-backup/
It provides all details on implementation, in particular around management of encryption keys.
Best,
Didier
- Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database, so in order to have a cross-account backup of RDS, we must use a CMK to encrypt RDS. (Snapshots of unencrypted Amazon RDS databases are also unencrypted.) We use an AWS KMS CMK because it can be shared across accounts.
- If you don't need the backup in the source account, you can simply create a shorter retention period so that they expire soon while the destination backup can have a longer retention.
I appreciate the advice and have reviewed the links. Each RDS instance we have (in prod, staging and qa) uses a different CMK for encryption. Does this mean we need to use different AWS Backup vaults for each one, or can we just add permissions for AWSServiceRoleforBackup to each of the CMK keys?
Each vault has its own CMK, which is independent from the RDS encryption key, and there is no need to create a vault for each RDS instance. When AWS Backup backs up an instance, it uses the RDS instance CMK to encrypt the instance recovery point and sends the snapshots into a vault, which is itself encrypted to protect all the other backups you might have.
I've already looked at that, plus many other blog posts. Unfortunately, they use CloudFormation to hide all the relevant information. I'll dig into the magic now.
Hi, this question / answer shows how to access encryption keys cross-account with details on IAM policies: https://repost.aws/questions/QUTn6inF5-RtmQgj6R7zY2oA/allowing-access-to-a-kms-key-from-another-account
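The two policy documents the thread keeps circling around, written out as an added example (not code from the thread, the linked blog, or AWS). It covers the answer above about per-instance CMKs and a single vault, and the last answer about cross-account key access: the same key-policy statements are appended to each RDS CMK (prod, staging, qa), while the destination vault gets one access policy. All account IDs, the region and the vault name are constructed placeholders; the KMS actions, the `kms:GrantIsForAWSResource` condition key and `backup:CopyIntoBackupVault` are real AWS names. The `audit_principals` helper is a hypothetical check that flags wildcard or unexpected account principals before a policy is applied.

```python
"""Cross-account AWS Backup copy of an encrypted RDS snapshot: the KMS key
policy statements for the source RDS CMK and the access policy for the
destination backup vault. Added example with placeholder identifiers."""
import json

SOURCE_ACCOUNT = "111111111111"   # constructed placeholder: account that owns the RDS instances
DEST_ACCOUNT = "222222222222"     # constructed placeholder: account that owns the central vault
DEST_REGION = "us-east-1"         # constructed placeholder
DEST_VAULT_NAME = "central-vault" # constructed placeholder
DEST_VAULT_ARN = (
    f"arn:aws:backup:{DEST_REGION}:{DEST_ACCOUNT}:backup-vault:{DEST_VAULT_NAME}"
)

# KMS permissions the destination account needs on the *source* RDS CMK so it
# can re-encrypt the copied recovery point. The key must be a customer managed
# key: the AWS managed aws/rds key cannot be shared cross-account.
RDS_KEY_CROSS_ACCOUNT_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def rds_key_policy_statements(dest_account: str) -> list:
    """Statements to append to each RDS CMK's key policy (one CMK per instance).

    The principal is the destination account root: KMS then delegates to IAM
    in that account, which is where the backup service role is granted use.
    """
    principal = {"AWS": f"arn:aws:iam::{dest_account}:root"}
    return [
        {
            "Sid": "AllowDestinationAccountUseOfKey",
            "Effect": "Allow",
            "Principal": principal,
            "Action": RDS_KEY_CROSS_ACCOUNT_ACTIONS,
            "Resource": "*",  # key policies always use "*" for the key itself
        },
        {
            # Grants are limited to AWS services acting on the caller's behalf.
            "Sid": "AllowDestinationAccountGrantsForAwsResources",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def vault_access_policy(source_account: str, vault_arn: str) -> dict:
    """Access policy for the destination vault: only the source account may copy in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCopyFromSourceAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "backup:CopyIntoBackupVault",
                "Resource": vault_arn,
            }
        ],
    }


def audit_principals(statements: list, allowed_accounts: set) -> list:
    """Hypothetical pre-apply check: report wildcard principals and any
    principal ARN whose account is not in allowed_accounts."""
    findings = []
    for st in statements:
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{st.get('Sid')}: wildcard principal")
            continue
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            parts = arn.split(":")
            account = parts[4] if len(parts) >= 6 else ""
            if account not in allowed_accounts:
                findings.append(f"{st.get('Sid')}: unexpected account {account!r}")
    return findings


def render(policy) -> str:
    """JSON text ready for `aws kms put-key-policy` / `aws backup put-backup-vault-access-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    key_stmts = rds_key_policy_statements(DEST_ACCOUNT)
    vault_policy = vault_access_policy(SOURCE_ACCOUNT, DEST_VAULT_ARN)
    print(render({"Version": "2012-10-17", "Statement": key_stmts}))
    print(render(vault_policy))
    print("findings:", audit_principals(key_stmts + vault_policy["Statement"],
                                         {SOURCE_ACCOUNT, DEST_ACCOUNT}))
```

The key-policy statements are appended to the existing policy of each RDS CMK rather than replacing it, so the account's own administrators keep their access; the vault policy names the vault ARN explicitly so the same document cannot be reused to open a different vault by mistake.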