Creating Snapshot Replicas

The process of creating a snapshot replica of an encrypted RDS instance or an EC2 instance with encrypted EBS volumes depends on whether the replica is created in the same AWS account where the instance resides or in a different AWS account.

Creating Snapshot Replica in Same AWS Account

If you create a snapshot replica within the same AWS account where the encrypted EC2 or RDS instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates an encrypted cloud-native snapshot of the instance.
  2. Copies the created snapshot to the target AWS Region.

To copy the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for copying and storing cloud-native snapshots in a target AWS Region. To learn how to specify this IAM role, see sections Creating EC2 Backup Policies (step 5) and Creating RDS Backup Policies (step 4). The IAM role must have permissions to access the following CMKs:

  • CMKs with which data of the source instance is encrypted (source CMKs).
  • A CMK with which you want to encrypt instance data in the snapshot replica (target CMK).

Important

Note that if you do not specify the target CMK, the snapshot replica of an encrypted instance will not be created, and the backup session will complete with warnings. To learn how to specify the target CMK, see Creating EC2 Backup Policies (step 5) and Creating RDS Backup Policies (step 4).

 

 


Creating Cross-Account Snapshot Replica of EC2 Instance

If you create a snapshot replica in an AWS account different from the AWS account where the EC2 instance with encrypted EBS volumes resides, Veeam Backup for AWS performs the following steps:

  1. Creates an encrypted cloud-native snapshot of the EC2 instance.
  2. Shares the created snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots. To learn how to specify this IAM role, see Creating EC2 Backup Policies (step 3.1). The IAM role must have permissions to access CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

Important

If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the replication process will fail. For more information, see this Veeam KB article.

  3. Copies the shared snapshot to the target AWS Region in the target AWS account.

To copy the shared encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for copying and storing cloud-native snapshots in a target AWS Region. To learn how to specify this IAM role, see Creating EC2 Backup Policies (step 5). The IAM role must have permissions to access the following CMKs:

  • The CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volume data in the snapshot replica (target CMK).

Important

Note that if you do not specify the target CMK, the snapshot replica of an encrypted instance will not be created, and the backup session will complete with warnings. To learn how to specify the target CMK, see Creating EC2 Backup Policies (step 5).

 


Creating Cross-Account Snapshot Replica of RDS Instance

If you create a snapshot replica in an AWS account different from the AWS account where the encrypted RDS instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates an encrypted cloud-native snapshot of the RDS instance.
  2. Shares the created snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots. To learn how to specify this IAM role, see Creating RDS Backup Policies (step 3.1). The IAM role must have permissions to access a CMK with which the RDS instance is encrypted (source CMK).

Important

If the RDS instance is encrypted with the default encryption key (aws/rds alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the replication process will fail. For more information, see this Veeam KB article.

  3. In the target AWS account, copies the shared encrypted snapshot to the same AWS Region where the RDS instance resides in the source AWS account. Then, if the target AWS Region differs from the source AWS Region, copies the shared cloud-native snapshot to the target AWS Region.

To copy the shared encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for copying and storing cloud-native snapshots in a target AWS Region. To learn how to specify this IAM role, see Creating RDS Backup Policies (step 4). The IAM role must have permissions to access the following CMKs:

  • The CMK with which the RDS instance is encrypted (source CMK).
  • A CMK with which you want to encrypt RDS instance data in the snapshot replica (target CMK).

Important

Note that if you do not specify the target CMK, the snapshot replica of an encrypted RDS instance will not be created, and the backup session will complete with warnings. To learn how to specify the target CMK, see Creating RDS Backup Policies (step 4).
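
The following pre-flight check is an added example, not part of the Veeam documentation or product. It tests the three blocking conditions described in the sections above (missing target CMK, a default AWS managed source key in a cross-account scenario, and a copy role without access to the source and target CMKs). It assumes key metadata shaped like the KeyMetadata returned by KMS DescribeKey and an IAM policy document for the copy role; the function names, ARNs and policy are constructed, and the check only looks for some kms: permission on each key because this page does not list the exact actions required.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def kms_resource_patterns(policy):
    """Resource patterns of Allow statements that grant at least one kms: action."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and any(a == "*" or a.startswith("kms:") for a in actions):
            patterns += _as_list(stmt.get("Resource", []))
    return patterns

def preflight(source_keys, target_cmk_arn, cross_account, copy_role_policy):
    """Return findings for the blocking conditions described on this page."""
    patterns = kms_resource_patterns(copy_role_policy)

    def covered(arn):
        return any(fnmatchcase(arn, p) for p in patterns)

    findings = []
    if not target_cmk_arn:
        findings.append("target CMK not specified: replica will not be created")
    elif not covered(target_cmk_arn):
        findings.append(f"role policy grants no kms access to target CMK {target_cmk_arn}")
    for meta in source_keys:  # each item mirrors KMS DescribeKey KeyMetadata
        arn = meta["Arn"]
        if meta.get("KeyManager") == "AWS":  # default key such as aws/ebs or aws/rds
            if cross_account:
                findings.append(f"source key {arn} is AWS managed: snapshot cannot be shared")
            continue  # access to AWS managed keys is not granted through this policy
        if not covered(arn):
            findings.append(f"role policy grants no kms access to source CMK {arn}")
    return findings

# Constructed sample data: account IDs, key IDs and the policy are placeholders.
_SRC = "arn:aws:kms:eu-west-1:111122223333:key/"
CUSTOMER_KEY = {"Arn": _SRC + "11111111-aaaa-4bbb-8ccc-000000000001", "KeyManager": "CUSTOMER"}
DEFAULT_KEY = {"Arn": _SRC + "11111111-aaaa-4bbb-8ccc-000000000002", "KeyManager": "AWS"}
TARGET_CMK = "arn:aws:kms:us-east-1:444455556666:key/22222222-aaaa-4bbb-8ccc-000000000003"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:CreateGrant"],
     "Resource": [CUSTOMER_KEY["Arn"], TARGET_CMK]}]}

if __name__ == "__main__":
    for finding in preflight([CUSTOMER_KEY, DEFAULT_KEY], TARGET_CMK, True, ROLE_POLICY):
        print(finding)
```

The check covers only the IAM policy of the copy role; the key policy of each CMK must also allow that role, which this example does not evaluate.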

 

 
