AWS KMS Encryption
Note: Veeam Backup for AWS does not use automatic AWS KMS key rotation for KMS keys, nor does it use AWS Secrets Manager for storing secrets.
Veeam Backup for AWS allows you to back up, replicate and restore data of EC2 and RDS instance volumes encrypted with AWS KMS keys, as well as back up and restore EFS and FSx file systems, DynamoDB tables and Redshift clusters encrypted with AWS KMS keys. Additionally, you can encrypt unencrypted data and change KMS keys used to encrypt data when performing the following operations:
- Creating EC2 instance snapshot replicas.
- Creating RDS instance snapshot replicas.
- Creating cloud-native snapshots of EC2 instances manually.
- Creating cloud-native snapshots of RDS instances manually.
- Restoring entire EC2 instances to a new location.
- Restoring entire RDS instances to a new location.
- Restoring EC2 instance volumes to a new location.
- Restoring entire EFS file systems to a new location.
- Restoring FSx file systems to a new location.
- Restoring DynamoDB tables to a new location.
- Restoring Redshift clusters to the original location.
For an encrypted RDS instance or an EC2 instance with encrypted EBS volumes, the KMS keys that the IAM role used by Veeam Backup for AWS must be able to access depend on which of the following operations is performed:
- Creating cloud-native snapshots
- Creating snapshot replicas
- Restoring from cloud-native snapshots
- Creating image-level backups
- Restoring from image-level backups
Important: If you back up, replicate or restore data of an unencrypted RDS instance or EC2 instance and want to encrypt the backed-up or restored data, grant the IAM role that Veeam Backup for AWS uses for the operation permissions to access only the KMS key with which you want to encrypt the data. To learn how to grant an IAM role permissions to use a KMS key, see this Veeam KB article.
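As an added example that is not part of the Veeam documentation or product, the following Python check reads a KMS key policy and reports which of the actions an encrypted EBS/RDS snapshot operation needs are not granted to a given IAM role, which helps verify that a backup role can use the intended key and nothing more. The role ARNs, the sample key policy and the required action list are constructed assumptions for illustration.

```python
import fnmatch
import json

# Actions the AWS "key users" key-policy statement grants; EC2 and RDS also
# need kms:CreateGrant so they can attach grants for encrypted volumes.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)
BACKUP_ROLE = "arn:aws:iam::111122223333:role/veeam-backup-role"  # constructed
OTHER_ROLE = "arn:aws:iam::111122223333:role/read-only-role"  # constructed

# Constructed sample key policy: BACKUP_ROLE is a key user, OTHER_ROLE may
# only describe the key.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": BACKUP_ROLE}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": BACKUP_ROLE}, "Action": "kms:CreateGrant",
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    {"Sid": "Describe only", "Effect": "Allow",
     "Principal": {"AWS": OTHER_ROLE}, "Action": "kms:DescribeKey",
     "Resource": "*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy_json, role_arn):
    # Simplified evaluation: a statement applies if it is Allow and names the
    # role ARN (or "*") as AWS principal; wildcard actions are expanded.
    # Deny statements and Conditions are ignored here.
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if stmt.get("Effect") != "Allow" or not ("*" in aws or role_arn in aws):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return granted

def missing_actions(policy_json, role_arn):
    # Required actions the key policy does not grant role_arn; empty means OK.
    return sorted(set(REQUIRED_ACTIONS) - allowed_actions(policy_json, role_arn))
```

Run the same check against every key in the account to confirm that the backup role is a key user on the one key you chose for encryption and on no other.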