Virtual machine hypervisor credential encryption - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Virtual machine hypervisor credential encryption

Virtual machines managed by a hypervisor are protected through Amazon Backup Gateway, which connects your on-premises systems to Amazon Backup. The credentials the gateway uses to log in to the hypervisor need the same protection as the rest of your backup data. Amazon Backup encrypts those hypervisor credentials at rest, either with Amazon owned keys or with a customer managed key that you control.

Amazon owned and customer managed keys

Amazon Backup provides encryption for hypervisor credentials to protect sensitive customer login information using Amazon owned encryption keys. You have the option of using customer managed keys instead.

By default, the keys used to encrypt your hypervisor credentials are Amazon owned keys. Amazon Backup uses these keys to encrypt the credentials automatically. You cannot view, manage, or use Amazon owned keys, and you cannot audit their use. In exchange, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see Amazon owned keys in the Amazon KMS Developer Guide.

Alternatively, credentials can be encrypted using customer managed keys. Amazon Backup supports symmetric customer managed keys that you create, own, and manage. Because you have full control over these keys, you can perform tasks such as:

  • Establishing and maintaining key policies

  • Establishing and maintaining IAM policies and grants

  • Enabling and disabling keys

  • Rotating key cryptographic material

  • Adding tags

  • Creating key aliases

  • Scheduling keys for deletion

When you use a customer managed key, Amazon Backup checks, before a backup or restore job runs, that the job's role has permission to decrypt with that key. You must grant the kms:Decrypt action on the key to the role used to start backup or restore jobs.

Because the kms:Decrypt action cannot be added to the default backup role, you must use a role other than the default backup role whenever hypervisor credentials are encrypted with a customer managed key.

For more information, see customer managed keys in the Amazon Key Management Service Developer Guide.
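The permission check described above, reproduced offline as an added example (this is not Amazon Backup's code). It evaluates an IAM identity policy for the role that starts jobs and answers whether that role holds kms:Decrypt on the customer managed key. The key ARN, role name and policy document are constructed for illustration; the evaluator handles Allow/Deny with IAM-style wildcards and lets an explicit Deny win, but ignores Condition, NotAction and NotResource.

```python
"""Pre-flight check for a customer managed key: does the role that starts
backup and restore jobs have kms:Decrypt on the key that protects the
hypervisor credentials?

Added example, not Amazon Backup code. It reproduces, offline, the kind of
check the service performs before a job runs. The evaluator is deliberately
minimal: Allow/Deny statements with IAM-style wildcards, explicit Deny wins,
no Condition, NotAction or NotResource handling. The key ARN and the role
policy below are constructed for illustration.
"""
import re

# Constructed key ARN; substitute the ARN of your own customer managed key.
KEY_ARN = ("arn:aws-cn:kms:cn-north-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")

# Constructed identity policy for the non-default role used to start jobs.
# Only kms:Decrypt on this one key is granted, which is the minimum the page
# requires for credentials encrypted with a customer managed key.
BACKUP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DecryptHypervisorCredentials",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": KEY_ARN,
        }
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single value or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern):
    """IAM wildcard syntax: '*' matches any run, '?' exactly one character."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def _matches(patterns, value, case_sensitive):
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.fullmatch(_wildcard_to_regex(p), value, flags)
               for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Evaluate one identity policy for one action on one resource.

    True only if some statement allows the action on the resource and no
    statement explicitly denies it. Actions compare case-insensitively and
    ARNs case-sensitively, matching IAM behaviour.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are out of scope
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def can_decrypt_hypervisor_credentials(policy, key_arn=KEY_ARN):
    """The precondition Amazon Backup checks before a job: kms:Decrypt on the key."""
    return policy_allows(policy, "kms:Decrypt", key_arn)


if __name__ == "__main__":
    ok = can_decrypt_hypervisor_credentials(BACKUP_ROLE_POLICY)
    print("role can decrypt hypervisor credentials:", ok)
```

Run it against the policy document you attach to your non-default backup role before importing the hypervisor; a False result is the same failure the service would report once a job tries to run. Because the evaluator skips Condition blocks, a policy that restricts kms:Decrypt with a condition can pass here and still be refused by KMS, so treat a True as necessary, not sufficient.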

Grant required when using customer managed keys

Amazon KMS requires a grant to use your customer managed key. When you import a hypervisor configuration encrypted with a customer managed key, Amazon Backup creates a grant on your behalf by sending a CreateGrant request to Amazon KMS. Amazon Backup uses grants to access a KMS key in a customer account.

You can revoke the grant, or otherwise remove Amazon Backup's access to the customer managed key, at any time. If you do, the gateways associated with the hypervisor can no longer decrypt the hypervisor's username and password, and backup and restore jobs for the virtual machines on that hypervisor fail until access is restored.

Backup gateway uses the RetireGrant operation to remove the grant when you delete a hypervisor.

Monitoring encryption keys

When you use an Amazon KMS customer managed key with your Amazon Backup resources, you can use Amazon CloudTrail or Amazon CloudWatch Logs to track requests that Amazon Backup sends to Amazon KMS.

To monitor the Amazon KMS operations that Amazon Backup calls to access data encrypted with your customer managed key, look for Amazon CloudTrail events with the following "eventName" values:

  • "eventName": "CreateGrant"

  • "eventName": "Decrypt"

  • "eventName": "Encrypt"

  • "eventName": "DescribeKey"
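Detection logic for the four events listed above, as an added example that is not part of the Amazon Backup documentation or service. It also covers the grant-revocation failure mode from the previous section: besides counting the documented operations Amazon Backup invokes on the key, it reports any RetireGrant or RevokeGrant on that key and whether the most recent grant-lifecycle event leaves jobs at risk. The CloudTrail records are constructed in CloudTrail's record shape (not captured from a real account), the key ARNs are made up, and the value of userIdentity.invokedBy for Amazon Backup is an assumption to verify against your own trail.

```python
"""Triage of CloudTrail records for the KMS calls Amazon Backup makes
against the customer managed key that protects hypervisor credentials.

Added example, not Amazon Backup code. It serves the monitoring section and
the grant-revocation failure mode above: it counts the documented operations
(CreateGrant, Decrypt, Encrypt, DescribeKey) invoked by Amazon Backup, flags
any other Backup-invoked operation, and reports RetireGrant/RevokeGrant on
the key, since a removed grant is what makes the hypervisor's backup and
restore jobs fail. The records are constructed in CloudTrail's record shape,
not captured from a real account, and the Backup service principal is assumed.
"""
import json
from collections import Counter

KEY_ARN = ("arn:aws-cn:kms:cn-north-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
OTHER_KEY_ARN = KEY_ARN.replace("1234abcd", "deadbeef")
KMS_SOURCE = "kms.amazonaws.com"
# Assumed value of userIdentity.invokedBy for calls Amazon Backup makes on
# your behalf; confirm against your own trail before relying on it.
BACKUP_PRINCIPAL = "backup.amazonaws.com"
DOCUMENTED_OPS = {"CreateGrant", "Decrypt", "Encrypt", "DescribeKey"}
GRANT_REMOVAL_OPS = {"RetireGrant", "RevokeGrant"}


def _record(name, key_arn, invoked_by=None, user="BackupHypervisorRole",
            when="2024-05-01T10:00:00Z"):
    """Build one constructed CloudTrail record (used only for the sample)."""
    identity = {"userName": user}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {"eventTime": when, "eventSource": KMS_SOURCE, "eventName": name,
            "userIdentity": identity,
            "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}


# Constructed sample trail, not real CloudTrail output.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("CreateGrant", KEY_ARN, BACKUP_PRINCIPAL),
    _record("DescribeKey", KEY_ARN, BACKUP_PRINCIPAL),
    _record("Decrypt", KEY_ARN, BACKUP_PRINCIPAL, when="2024-05-01T11:00:00Z"),
    _record("Decrypt", KEY_ARN, BACKUP_PRINCIPAL, when="2024-05-01T12:00:00Z"),
    _record("Decrypt", KEY_ARN, user="alice"),  # a person, not Amazon Backup
    _record("RevokeGrant", KEY_ARN, user="alice", when="2024-05-02T09:00:00Z"),
    _record("Decrypt", OTHER_KEY_ARN, BACKUP_PRINCIPAL),  # unrelated key
]})


def load_records(trail_json):
    """Parse the body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(trail_json)["Records"]


def _key_events(records, key_arn):
    """KMS events whose resources list names the given key."""
    return [e for e in records if e.get("eventSource") == KMS_SOURCE
            and any(r.get("ARN") == key_arn for r in e.get("resources", []))]


def backup_key_usage(records, key_arn=KEY_ARN):
    """Per-eventName count of KMS calls Amazon Backup made on the key."""
    return Counter(e["eventName"] for e in _key_events(records, key_arn)
                   if e.get("userIdentity", {}).get("invokedBy") == BACKUP_PRINCIPAL)


def grant_removals(records, key_arn=KEY_ARN):
    """(eventTime, eventName, userName) for every RetireGrant/RevokeGrant
    on the key, oldest first, so you can see who removed Backup's access."""
    return sorted((e["eventTime"], e["eventName"],
                   e["userIdentity"].get("userName", "?"))
                  for e in _key_events(records, key_arn)
                  if e["eventName"] in GRANT_REMOVAL_OPS)


def grant_at_risk(records, key_arn=KEY_ARN):
    """True if the latest grant-lifecycle event on the key is a removal rather
    than a CreateGrant: no grant is known to be live, so backup and restore
    jobs on the hypervisor will fail."""
    lifecycle = sorted((e["eventTime"], e["eventName"])
                       for e in _key_events(records, key_arn)
                       if e["eventName"] in GRANT_REMOVAL_OPS | {"CreateGrant"})
    return bool(lifecycle) and lifecycle[-1][1] in GRANT_REMOVAL_OPS


def triage(trail_json, key_arn=KEY_ARN):
    """The summary a responder wants when hypervisor jobs start failing."""
    records = load_records(trail_json)
    usage = backup_key_usage(records, key_arn)
    return {
        "backup_usage": dict(usage),
        # RetireGrant by Backup is expected when a hypervisor is deleted.
        "undocumented_backup_ops": sorted(set(usage) - DOCUMENTED_OPS
                                          - {"RetireGrant"}),
        "grant_removals": grant_removals(records, key_arn),
        "jobs_at_risk": grant_at_risk(records, key_arn),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TRAIL), indent=2))
```

Point load_records at the decompressed body of a CloudTrail log file delivered to S3, or feed the same filters to a CloudWatch Logs metric filter if your trail is routed there. The two signals worth alerting on are a non-empty grant_removals list and any value in undocumented_backup_ops; the first explains failing jobs, the second is an anomaly in how the service is using your key.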