Veeam Backup for AWS 3.0
User Guide
Related documents
REST API ReferenceVeeam Backup & Replication User GuideIntegration with Veeam Backup for AWS Guide
Search

Creating Image-Level Backups

In this article

    The process of creating an image-level backup of an EC2 instance with encrypted EBS volumes differs depending on whether a worker instance processing EBS volume data is launched in the same AWS account or not:

    Creating Image-Level Backup in Same AWS Account

    If a worker instance is launched in the same AWS account where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:

    1. Creates an encrypted cloud-native snapshot of the EC2 instance.
    2. Creates encrypted EBS volumes from the snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.

    To access the data, Veeam Backup for AWS uses an IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

    Creating Image-Level Backups 

    Creating Image-Level Backup in Another AWS Account

    If a worker instance is launched in an AWS account different from the AWS account where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:

    1. Creates an encrypted cloud-native snapshot of the EC2 instance.
    2. Shares the created snapshot with the AWS account where the worker instance is launched.

    To share the encrypted snapshot, Veeam Backup for AWSuses the IAM role specified at the Sources step of the Add Policy wizard, as described in section Creating EC2 Backup Policies. The IAM role must have permissions to access CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

    Important

    If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the backup process will fail. For more information, see this Veeam KB article.

    1. Creates encrypted EBS volumes from the shared encrypted snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.

    Note that according to AWS requirements, EBS volumes created from encrypted snapshots must also be encrypted. Thus, Veeam Backup for AWS encrypts re-created EBS volumes with the default encryption key specified for the AWS Region where the worker instance is launched.

    To access the data, Veeam Backup for AWS uses an IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access the following CMKs:

    • The CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
    • The default encryption key specified for the AWS Region where the worker instance is launched.

    Creating Image-Level Backups