AWS KMS Encryption
Veeam Backup for AWS does not use automatic AWS KMS key rotation for KMS keys, as well as AWS Secrets Manager for storing secrets.
Veeam Backup for AWS allows you to back up, replicate and restore data of EC2 and RDS instance volumes encrypted with AWS KMS keys. Additionally, you can encrypt unencrypted data and change KMS keys used to encrypt data when performing the following operations:
- Creating EC2 instance snapshot replicas.
- Creating RDS instance snapshot replicas.
- Creating cloud-native snapshots of EC2 instances manually in another location.
- Creating cloud-native snapshots of RDS instances manually in another location.
- Restoring entire EC2 instances to another location.
- Restoring entire RDS instances to another location.
- Restoring EC2 instance volumes to another location.
If you back up, replicate or restore data of an encrypted RDS instance or an EC2 instance that has encrypted EBS volumes, depending on the operation performed with the instance, you must grant to the IAM role that Veeam Backup for AWS uses for the operation permissions to access different KMS keys:
- Creating cloud-native snapshots
- Creating snapshot replicas
- Restoring from cloud-native snapshots
- Creating image-level backups
- Restoring from image-level backups
If you back up, replicate or restore data of an unencrypted RDS instance or EC2 instance, and if you want to encrypt the backed-up or restored data, you must grant to the IAM role that Veeam Backup for AWS uses to perform the operation permissions to access only the KMS key with which you want to encrypt the data. To learn how to grant to an IAM role permissions to use a KMS key, see this Veeam KB article.