Encryption for backups in Amazon Backup
Note
Amazon Backup Audit Manager helps you automatically detect unencrypted backups.
You can configure encryption for resource types that support full Amazon Backup management using Amazon Backup. If the resource type does not support full Amazon Backup management, you must configure its backup encryption by following that service's instructions, such as Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide. To see the list of resource types that support full Amazon Backup management, see the "Full Amazon Backup management" section of the Feature availability by resource table.
The following table lists each supported resource type, how encryption is configured for backups, and whether independent encryption for backups is supported. When Amazon Backup independently encrypts a backup, it uses the industry-standard AES-256 encryption algorithm.
Resource type | How to configure encryption | Independent Amazon Backup encryption |
---|---|---|
Amazon Simple Storage Service (Amazon S3) | Amazon S3 backups are encrypted using an Amazon KMS (Amazon Key Management Service) key associated with the backup vault. The Amazon KMS key can either be a customer-managed CMK or an Amazon-managed CMK associated with the Amazon Backup service. Amazon Backup encrypts all backups even if the source Amazon S3 buckets are not encrypted. | Supported |
Virtual machines | Virtual machine backups are always encrypted. The Amazon KMS encryption key for virtual machine backups is configured in the Amazon Backup vault that the virtual machine backups are stored in. | Supported |
Amazon DynamoDB after enabling Advanced DynamoDB backup | DynamoDB backups are always encrypted. The Amazon KMS encryption key for DynamoDB backups is configured in the Amazon Backup vault that the DynamoDB backups are stored in. | Supported |
Amazon DynamoDB without enabling Advanced DynamoDB backup | DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. Snapshots of unencrypted DynamoDB tables are also unencrypted. Note: In order for Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions | Not supported |
Amazon Elastic File System (Amazon EFS) | Amazon EFS backups are always encrypted. The Amazon KMS encryption key for Amazon EFS backups is configured in the Amazon Backup vault that the Amazon EFS backups are stored in. | Supported |
Amazon Elastic Block Store (Amazon EBS) | By default, Amazon EBS backups are either encrypted using the key that was used to encrypt the source volume, or they are unencrypted. During restore, you can choose to override the default encryption method by specifying a KMS key. | Not supported |
Amazon Elastic Compute Cloud (Amazon EC2) AMIs | Amazon EC2 AMIs backed by Amazon EBS snapshots can take advantage of Amazon EBS encryption. Snapshots of both data and root volumes can be encrypted and attached to an AMI. Snapshots of unencrypted AMIs are also unencrypted. | Not supported |
Amazon Relational Database Service (Amazon RDS) | Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted. Note: Amazon Backup currently supports all Amazon RDS database engines, including Amazon Aurora. | Not supported |
Amazon Aurora | Aurora cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Aurora cluster. Snapshots of unencrypted Aurora clusters are also unencrypted. | Not supported |
Amazon Storage Gateway | Storage Gateway snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Storage Gateway volume. Snapshots of unencrypted Storage Gateway volumes are also unencrypted. Note: You don't need to use a customer managed key across all services to enable Storage Gateway. You only need to copy the Storage Gateway backup to a vault that has a KMS key configured. This is because Storage Gateway does not have a service-specific Amazon KMS managed key. | Not supported |
Amazon FSx | Encryption features for Amazon FSx file systems differ based on the underlying file system. To learn more about your particular Amazon FSx file system, see the appropriate FSx User Guide. | Not supported |
Amazon DocumentDB | Amazon DocumentDB cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon DocumentDB cluster. Snapshots of unencrypted Amazon DocumentDB clusters are also unencrypted. | Not supported |
Amazon Neptune | Neptune cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Neptune cluster. Snapshots of unencrypted Neptune clusters are also unencrypted. | Not supported |
Amazon Timestream | Timestream table snapshot backups are always encrypted. The Amazon KMS encryption key for Timestream backups is configured in the backup vault in which the Timestream backups are stored. | Supported |
Amazon Redshift | Amazon Redshift cluster snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon Redshift cluster. Snapshots of unencrypted Amazon Redshift clusters are also unencrypted. | Not supported |
Amazon CloudFormation | CloudFormation backups are always encrypted. The Amazon KMS encryption key for CloudFormation backups is configured in the Amazon Backup vault in which the CloudFormation backups are stored. | Supported |
SAP HANA databases on Amazon EC2 instances | SAP HANA database backups are always encrypted. The Amazon KMS encryption key for SAP HANA database backups is configured in the Amazon Backup vault in which the database backups are stored. | Supported |
Encryption for backup copies
When you use Amazon Backup to copy your backups across accounts or Regions, Amazon Backup automatically encrypts those copies, even if the original backup is unencrypted. Amazon Backup encrypts your copy using the target vault's KMS key.
Note
Snapshots of unencrypted Aurora, Amazon DocumentDB, and Neptune clusters are also unencrypted.
Note
Amazon managed keys are not supported for cross-account copies. For more information, see Cross-account backup.
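As an added example (not part of this guide), the following Python script applies the table above and the copy behaviour described in "Encryption for backup copies" to audit recovery points offline: it flags recovery points that inherited no encryption from their source and points to copying them into a vault with a KMS key as the remediation. It assumes the input dictionaries follow the shapes returned by the Amazon Backup API operations ListBackupVaults (EncryptionKeyArn) and ListRecoveryPointsByBackupVault (ResourceType, IsEncrypted, EncryptionKeyArn), and that the ResourceType strings match what that API reports; the sample data is constructed, not real account output.

```python
from typing import Dict, List, Optional

# "Supported" rows of the table above: Amazon Backup encrypts these with the
# vault's KMS key regardless of source encryption. The ResourceType strings
# are assumed to match the values the Amazon Backup API reports.
VAULT_KEY_ENCRYPTED = {"S3", "VirtualMachine", "DynamoDB", "EFS", "Timestream",
                       "CloudFormation", "SAP HANA on Amazon EC2"}


def classify_recovery_point(rp: Dict) -> Optional[str]:
    """Return a finding for an unencrypted recovery point, or None if encrypted."""
    if rp.get("IsEncrypted"):
        return None
    rtype = rp.get("ResourceType", "unknown")
    if rtype in VAULT_KEY_ENCRYPTED:
        # Per the table this should not happen; surface it for investigation.
        return f"{rtype} recovery point {rp['RecoveryPointArn']} is unencrypted despite vault-key encryption"
    # "Not supported" rows inherit the source's encryption: an unencrypted source
    # yields an unencrypted backup. A copy to a vault with a KMS key is encrypted
    # with the target vault's key, which is the remediation the guide describes.
    return (f"{rtype} recovery point {rp['RecoveryPointArn']} inherits source encryption and the "
            "source was unencrypted; copy it to a vault with a customer managed KMS key")


def audit_vaults(vaults: List[Dict], points_by_vault: Dict[str, List[Dict]]) -> List[Dict]:
    """Join vault metadata with each vault's recovery points and collect findings."""
    key_by_vault = {v["BackupVaultName"]: v.get("EncryptionKeyArn") for v in vaults}
    findings = []
    for vault, points in points_by_vault.items():
        for rp in points:
            msg = classify_recovery_point(rp)
            if msg:
                findings.append({"vault": vault, "vault_key": key_by_vault.get(vault),
                                 "resource_type": rp.get("ResourceType"), "finding": msg})
    return findings


# Constructed sample data mimicking the API response shapes (not real account output).
SAMPLE_VAULTS = [
    {"BackupVaultName": "default", "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-DEFAULT"},
    {"BackupVaultName": "cmk-vault", "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK"},
]
SAMPLE_POINTS = {
    "default": [
        {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-EXAMPLE1", "ResourceType": "EBS", "IsEncrypted": False},
        {"RecoveryPointArn": "arn:aws:rds:us-east-1:111122223333:snapshot:awsbackup:EXAMPLE2", "ResourceType": "RDS",
         "IsEncrypted": True, "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-RDS"},
    ],
    "cmk-vault": [
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE3", "ResourceType": "EFS",
         "IsEncrypted": True, "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK"},
    ],
}

if __name__ == "__main__":
    for finding in audit_vaults(SAMPLE_VAULTS, SAMPLE_POINTS):
        print(finding)
```

In a live account, feed the script the paginated results of the two API calls named above; the logic itself needs no network access.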