AWS CMK Encryption
Veeam Backup for AWS allows you to back up, replicate and restore data of an RDS instance encrypted with AWS Key Management Service (AWS KMS) customer master keys (CMKs) and an EC2 instance whose EBS volumes are encrypted with AWS KMS CMKs. Additionally, you can encrypt unencrypted data and change CMKs used to encrypt data when performing the following operations:
- Create EC2 instance snapshot replicas.
- Create RDS instance snapshot replicas.
- Create cloud-native snapshots of EC2 instances manually in another location.
- Create cloud-native snapshots of RDS instances manually in another location.
- Restore entire EC2 instances to another location.
- Restore entire RDS instances to another location.
- Restore EC2 instance volumes to another location.
If you back up, replicate or restore data of an unencrypted RDS instance or EC2 instance and want to encrypt the backed-up or restored data, the IAM role that Veeam Backup for AWS uses to perform the operation requires permissions to access the CMK that you want to use to encrypt the data.
If you back up, replicate or restore data of an encrypted RDS instance or an EC2 instance that has encrypted EBS volumes, the IAM role that Veeam Backup for AWS uses for the operation requires specific permissions on the CMKs. The required permissions depend on the operation performed with the instance. To learn what permissions must be assigned to the IAM role, see:
- Creating cloud-native snapshots
- Creating snapshot replicas
- Restoring from cloud-native snapshots
- Creating image-level backups
- Restoring from image-level backups
To learn how to grant permissions on a CMK to an IAM role, see this Veeam KB article.
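Before running an operation, you can check whether a CMK key policy already gives the IAM role what it needs. The following Python check is an added example, not Veeam code: the key policy, account ID and role name are constructed, and the `REQUIRED` action list is an assumption that you replace with the list documented for your operation. It evaluates key policy statements only and ignores `Condition` blocks, IAM identity policies and KMS grants.

```python
import fnmatch
import json

# Constructed key policy; account ID and role name are placeholders.
KEY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "AllowBackupRoleUse", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-backup-role"},
   "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
   "Resource": "*"},
  {"Sid": "DenyGrants", "Effect": "Deny", "Principal": {"AWS": "*"},
   "Action": "kms:CreateGrant", "Resource": "*"}
 ]}
""")

# Assumed action set; substitute the permissions documented for your operation.
REQUIRED = ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:CreateGrant", "kms:GenerateDataKeyWithoutPlaintext"]

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _applies(stmt, role_arn):
    """True if the statement's Principal names the role or is a wildcard."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return principal == "*"
    return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS", [])))

def _matches(stmt, action):
    """Action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))

def missing_actions(policy, role_arn, required):
    """Required actions the key policy does not allow, or explicitly denies."""
    missing = []
    for action in required:
        effects = {s["Effect"] for s in _as_list(policy["Statement"])
                   if _applies(s, role_arn) and _matches(s, action)}
        # An explicit Deny always overrides an Allow.
        if "Allow" not in effects or "Deny" in effects:
            missing.append(action)
    return missing
```

An empty result means the key policy alone covers the assumed action list for that role. Any action it returns must be granted, or its explicit Deny removed, before the role can use the CMK.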