AWS KMS Encryption


Veeam Backup for AWS does not use automatic AWS KMS key rotation for KMS keys, as well as AWS Secrets Manager for storing secrets.

Veeam Backup for AWS allows you to back up, replicate and restore data of EC2 and RDS instance volumes encrypted with AWS KMS keys, as well as back up and restore EFS file systems and DynamoDB tables encrypted with AWS KMS keys. Additionally, you can encrypt unencrypted data and change KMS keys used to encrypt data when performing the following operations:

Depending on the operation performed for an encrypted RDS instance or an EC2 instance that has encrypted EBS volumes, the IAM role that Veeam Backup for AWS uses for the operation requires permissions to access various KMS keys:


If you back up, replicate or restore data of an unencrypted RDS instance or EC2 instance, and if you want to encrypt the backed-up or restored data, you must grant to the IAM role that Veeam Backup for AWS uses to perform the operation permissions to access only the KMS key with which you want to encrypt the data. To learn how to grant to an IAM role permissions to use a KMS key, see this Veeam KB article.