Encryption for backups in Amazon Backup
You can configure encryption for resource types that support full Amazon Backup management directly in Amazon Backup. If the resource type does not support full Amazon Backup management, you must configure its backup encryption by following that service's own instructions, such as Amazon EBS encryption in the Amazon EBS User Guide. To see the list of resource types that support full Amazon Backup management, see the "Full Amazon Backup management" section of the Feature availability by resource table.
Your IAM role must have access to the KMS key used to back up and restore the object. Otherwise the job reports success but the objects are not actually backed up or restored, so verify key access rather than relying on job status alone. The permissions in the IAM policy and in the KMS key policy must be consistent: a grant on one side that is missing or denied on the other leaves the role without access. For more information, see Specifying KMS keys in IAM policy statements in the Amazon Key Management Service Developer Guide.
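The consistency requirement above is easy to get wrong because the two documents are evaluated together: an Allow in the IAM policy is useless if the key policy never names the role (or denies it), and vice versa. The following is an added example, not code from the Amazon Backup documentation, that checks both documents offline for a given role and key. The policy documents, the role ARN, the key ARN and the list of required KMS actions are constructed for illustration; Conditions, NotAction and NotResource are not evaluated, so treat a clean result as a pre-check, not proof of access.

```python
"""Offline check that a backup role is granted the same KMS actions by its IAM
policy and by the key policy of the key used for the vault.

Added example; not code from the Amazon Backup documentation. Policy documents,
ARNs and the required-action list below are constructed for illustration.
Conditions, NotAction and NotResource are not evaluated.
"""
import fnmatch
from typing import Iterable, Optional

# Assumption: the KMS actions a backup/restore role needs on a customer
# managed key. Adjust to what your jobs actually call.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey",
                        "kms:CreateGrant", "kms:DescribeKey")

# Constructed identifiers.
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/BackupRole"
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], value: str) -> bool:
    # IAM wildcards are '*' and '?'; action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    aws = _as_list(principal.get("AWS"))
    account = principal_arn.split(":")[4]
    # The account root principal in a key policy delegates to that account's
    # IAM policies, so it counts as matching any principal of the account.
    return any(p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root")
               for p in aws)


def allowed_actions(policy: dict, required: Iterable[str], resource_arn: str,
                    principal_arn: Optional[str] = None) -> set:
    """Subset of `required` that `policy` allows on `resource_arn`.

    With principal_arn the document is evaluated as a resource (key) policy,
    otherwise as an identity policy. An explicit Deny beats any Allow.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        # Key policies usually state Resource "*", meaning the key itself.
        if not _matches(_as_list(stmt.get("Resource", "*")), resource_arn):
            continue
        hit = {a for a in required if _matches(_as_list(stmt.get("Action")), a)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return allowed - denied


def check_consistency(iam_policy: dict, key_policy: dict, role_arn: str,
                      key_arn: str, required=REQUIRED_KMS_ACTIONS) -> dict:
    """Actions missing on each side; both lists empty means the grants agree."""
    iam_ok = allowed_actions(iam_policy, required, key_arn)
    key_ok = allowed_actions(key_policy, required, key_arn, principal_arn=role_arn)
    return {"iam_missing": sorted(set(required) - iam_ok),
            "key_policy_missing": sorted(set(required) - key_ok)}


# Constructed identity policy attached to the role: CreateGrant is missing.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": KEY_ARN}]}

# Constructed key policy: the root statement delegates to IAM, but a later
# Deny singles out the role for kms:Decrypt, and Deny wins.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "kms:Decrypt", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_consistency(IAM_POLICY, KEY_POLICY, ROLE_ARN, KEY_ARN))
    # {'iam_missing': ['kms:CreateGrant'], 'key_policy_missing': ['kms:Decrypt']}
```

Run it against the real documents by fetching the key policy (for example with `aws kms get-key-policy`) and the role's attached policies, and loading them as the two dicts. A role that passes on one side only is exactly the case the paragraph warns about: the job will report success while the data is never written.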
Note
Amazon Backup Audit Manager helps you automatically detect unencrypted backups.
The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported. When Amazon Backup independently encrypts a backup, it uses the industry-standard AES-256 encryption algorithm. For more information about encryption in Amazon Backup, see cross-Region and cross-account backup.
Resource type | How to configure encryption | Independent Amazon Backup encryption |
---|---|---|
Amazon Simple Storage Service (Amazon S3) | Amazon S3 backups are encrypted using an Amazon KMS (Amazon Key Management Service) key associated with the backup vault. The Amazon KMS key can either be a customer-managed key or an Amazon-managed key associated with the Amazon Backup service. Amazon Backup encrypts all backups even if the source Amazon S3 buckets are not encrypted. | Supported |
VMware virtual machines | VM backups are always encrypted. The Amazon KMS encryption key for virtual machine backups is configured in the Amazon Backup vault in which the virtual machine backups are stored. | Supported |
Amazon DynamoDB after enabling Advanced DynamoDB backup | DynamoDB backups are always encrypted. The Amazon KMS encryption key for DynamoDB backups is configured in the Amazon Backup vault that the DynamoDB backups are stored in. | Supported |
Amazon DynamoDB without enabling Advanced DynamoDB backup | DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. In order for Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions | Not supported |
Amazon Elastic File System (Amazon EFS) | Amazon EFS backups are always encrypted. The Amazon KMS encryption key for Amazon EFS backups is configured in the Amazon Backup vault that the Amazon EFS backups are stored in. | Supported |
Amazon Elastic Block Store (Amazon EBS) | By default, Amazon EBS backups are either encrypted using the key that was used to encrypt the source volume, or they are unencrypted. During restore, you can choose to override the default encryption method by specifying a KMS key. | Not supported |
Amazon Elastic Compute Cloud (Amazon EC2) AMIs | AMIs are unencrypted. EBS snapshots are encrypted by the default encryption rules for EBS backups (see entry for EBS). EBS snapshots of data and root volumes can be encrypted and attached to an AMI. | Not supported |
Amazon Relational Database Service (Amazon RDS) | Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. | Not supported |
Amazon Aurora | Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted. | Not supported |
Amazon Storage Gateway | Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. You don't need to use a customer managed key across all services to enable Storage Gateway. You only need to copy the Storage Gateway backup to a vault that has a KMS key configured, because Storage Gateway does not have a service-specific Amazon managed KMS key. | Not supported |
Amazon FSx | Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide. | Not supported |
Amazon DocumentDB | Amazon DocumentDB cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon DocumentDB cluster. Snapshots of unencrypted Amazon DocumentDB clusters are also unencrypted. | Not supported |
Amazon Neptune | Neptune cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Neptune cluster. Snapshots of unencrypted Neptune clusters are also unencrypted. | Not supported |
Amazon Timestream | Timestream table snapshot backups are always encrypted. The Amazon KMS encryption key for Timestream backups is configured in the backup vault in which the Timestream backups are stored. | Supported |
Amazon Redshift | Amazon Redshift snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Redshift cluster. Snapshots of unencrypted Amazon Redshift clusters are also unencrypted. | Not supported |
Amazon CloudFormation | CloudFormation backups are always encrypted. The Amazon KMS encryption key for CloudFormation backups is configured in the Amazon Backup vault in which the CloudFormation backups are stored. | Supported |
SAP HANA databases on Amazon EC2 instances | SAP HANA database backups are always encrypted. The Amazon KMS encryption key for SAP HANA database backups is configured in the Amazon Backup vault in which the database backups are stored. | Supported |
Encryption for backup copies
When you use Amazon Backup to copy your backups across accounts or Regions, Amazon Backup automatically encrypts those copies for most resource types, even if the original backup is unencrypted. Amazon Backup encrypts the copy using the target vault's KMS key. However, copies of snapshots of unencrypted Aurora, Amazon DocumentDB, and Neptune clusters remain unencrypted, so for those resource types copying into a vault with a KMS key does not produce an encrypted backup.
Encryption and backup copies
Cross-account copy with Amazon managed KMS keys isn't supported for resources that aren't fully managed by Amazon Backup. Refer to Full Amazon Backup management to determine which resources are fully managed.
For the resources that are fully managed by Amazon Backup, the backups are encrypted with the encryption key of the backup vault. For the resources that aren't fully managed by Amazon Backup, cross-account copies use the same KMS key as the source resource. For more information, see Encryption keys and cross-account copies.
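The table above and the copy rules in this section together decide whether an unencrypted recovery point is a vault misconfiguration, an inherited property of an unencrypted source, or something a copy cannot fix. The following is an added example, not code from the Amazon Backup documentation, that applies those rules to recovery-point records and says where the remediation lies. The records are constructed to resemble entries returned by `list_recovery_points_by_backup_vault` (ResourceType, IsEncrypted, EncryptionKeyArn); the ResourceType strings, the ARNs and the vault key are assumptions for this example.

```python
"""Triage recovery points using the encryption rules in the table and in
"Encryption for backup copies".

Added example; not code from the Amazon Backup documentation. The records,
ResourceType strings, ARNs and vault key are constructed assumptions.
"""

# Table rows marked "Supported": Amazon Backup encrypts the backup with the
# vault's KMS key, so an unencrypted point here is a misconfiguration.
VAULT_KEY_TYPES = {"S3", "VirtualMachine", "EFS", "Timestream",
                   "CloudFormation", "SAP HANA on Amazon EC2"}
# Rows marked "Not supported": the backup inherits the source's encryption.
INHERIT_TYPES = {"EBS", "EC2", "RDS", "Aurora", "DocumentDB", "Neptune",
                 "Redshift", "Storage Gateway", "FSx"}
# Per the copies section, a copy of an unencrypted snapshot of these stays
# unencrypted, so copying into a keyed vault is not a remediation.
COPY_STAYS_UNENCRYPTED = {"Aurora", "DocumentDB", "Neptune"}

# Constructed vault key ARN.
VAULT_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                 "11111111-2222-3333-4444-555555555555")


def classify(rp: dict, vault_key_arn: str):
    """Return (category, advice) for one recovery point, or None if it is fine."""
    rtype = rp.get("ResourceType", "")
    if rp.get("IsEncrypted"):
        # Fully managed types should carry the vault's key, not some other key.
        if rtype in VAULT_KEY_TYPES and rp.get("EncryptionKeyArn") != vault_key_arn:
            return ("wrong_key",
                    "encrypted with a key other than the vault's; check the "
                    "vault's configured KMS key")
        return None
    if rtype in VAULT_KEY_TYPES:
        return ("vault_type_unencrypted",
                "Backup should have used the vault key; inspect the backup job")
    if rtype in COPY_STAYS_UNENCRYPTED:
        return ("source_unencrypted_no_copy_fix",
                "enable encryption on the source cluster; copies stay unencrypted")
    if rtype in INHERIT_TYPES:
        return ("source_unencrypted",
                "encrypt the source, or copy to a vault with a KMS key")
    if rtype == "DynamoDB":
        # Advanced DynamoDB backups are always encrypted, so an unencrypted
        # point means advanced backup is off and the table is unencrypted.
        return ("dynamodb_basic",
                "enable Advanced DynamoDB backup or encrypt the source table")
    return ("unknown_type", "see the service's own encryption guide")


def triage(recovery_points, vault_key_arn=VAULT_KEY_ARN):
    """List of findings for a vault; an empty list means nothing to fix."""
    findings = []
    for rp in recovery_points:
        result = classify(rp, vault_key_arn)
        if result:
            category, advice = result
            findings.append({"RecoveryPointArn": rp.get("RecoveryPointArn"),
                             "ResourceType": rp.get("ResourceType"),
                             "category": category, "advice": advice})
    return findings


# Constructed sample records, shaped like list_recovery_points_by_backup_vault output.
SAMPLE_POINTS = [
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:s3-1",
     "ResourceType": "S3", "IsEncrypted": True, "EncryptionKeyArn": VAULT_KEY_ARN},
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0a1b2c3d4e5f67890",
     "ResourceType": "EBS", "IsEncrypted": False},
    {"RecoveryPointArn": "arn:aws:rds:us-east-1:111122223333:cluster-snapshot:awsbackup-1",
     "ResourceType": "Aurora", "IsEncrypted": False},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:efs-1",
     "ResourceType": "EFS", "IsEncrypted": True,
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/other-key"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_POINTS):
        print(f"{finding['ResourceType']:<8} {finding['category']:<32} {finding['advice']}")
```

Feed it the real records by paginating `list_recovery_points_by_backup_vault` for each vault and passing the vault's configured key ARN. The EFS finding is the one the table makes detectable but a plain "is it encrypted" check would miss: the point is encrypted, just not with the key the vault is supposed to use.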