AWS CMK Encryption
Veeam Backup for AWS allows you to back up, replicate and restore data of EC2 and RDS instance volumes encrypted with AWS Key Management Service (AWS KMS) customer master keys (CMKs). Additionally, you can encrypt unencrypted data and change CMKs used to encrypt data when performing the following operations:
- Creating EC2 instance snapshot replicas.
- Creating RDS instance snapshot replicas.
- Creating cloud-native snapshots of EC2 instances manually in another location.
- Creating cloud-native snapshots of RDS instances manually in another location.
- Restoring entire EC2 instances to another location.
- Restoring entire RDS instances to another location.
- Restoring EC2 instance volumes to another location.
If you back up, replicate or restore data of an encrypted RDS instance or an EC2 instance that has encrypted EBS volumes, depending on the operation performed with the instance, you must grant to the IAM role that Veeam Backup for AWS uses for the operation permissions to access different CMKs:
- Creating cloud-native snapshots
- Creating snapshot replicas
- Restoring from cloud-native snapshots
- Creating image-level backups
- Restoring from image-level backups
If you back up, replicate or restore data of an unencrypted RDS instance or EC2 instance, and if you want to encrypt the backed-up or restored data, you must grant to the IAM role that Veeam Backup for AWS uses to perform the operation permissions to access only the CMK with which you want to encrypt the data.
To learn how to grant to an IAM role permissions to use a CMK, see this Veeam KB article.