Restoring From Snapshots and Replicas

The process of restoring an RDS or EC2 instance from an encrypted cloud-native snapshot differs depending on whether you perform restore to the same location where the cloud-native snapshot resides or not:

• Restoring the instance to the same location where the snapshot resides.
• Restoring the instance to another location.

Restoring to Same Location

To restore an EC2 or RDS instance to the location where the snapshot resides, Veeam Backup for AWS uses the IAM role specified for the restore operation, as described in sections Performing Entire EC2 Instance Restore and Performing RDS Instance Restore. The IAM role must have permissions to access the following KMS keys:

• KMS keys with which the cloud-native snapshot is encrypted.
• A KMS key with which you want to encrypt data of the restored instance.

Restoring to Another Location

The process of restoring an instance to another location differs depending on the AWS resource that you want to restore:

• Restoring the EC2 instance to another AWS Region in the same AWS account.
• Restoring the EC2 instance in another AWS account to the same AWS Region.
• Restoring the EC2 instance in another AWS account to another AWS Region.
• Restoring the RDS instance to another AWS Region in the same AWS account.
• Restoring the RDS instance in another AWS account to the same AWS Region.
• Restoring the RDS instance in another AWS account to another AWS Region.

Restoring EC2 instance in Same AWS Account but to Another AWS Region

To restore an EC2 instance to another AWS Region in the same AWS account where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

1. Copies the encrypted cloud-native snapshot to the target AWS Region.
2. Creates an EC2 instance in the target AWS Region.
3. Creates encrypted EBS volumes from the copied encrypted snapshot and attaches them to the created EC2 instance.

To copy the encrypted snapshot, and to create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing Entire EC2 Instance Restore. The IAM role must have permissions to access the following KMS keys:

• KMS keys with which the cloud-native snapshot is encrypted (source KMS keys).
• A KMS key with which you want to encrypt EBS volumes of the restored EC2 instance (target KMS key).

Restoring EC2 Instance to Same AWS Region but in Another AWS Account

To restore an EC2 instance in another AWS account to the same AWS Region where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access KMS keys with which the cloud-native snapshot is encrypted (source KMS keys).

2. Creates an EC2 instance in the target AWS account in the same AWS Region where the snapshot resides in the source AWS account.
3. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

To create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing Entire EC2 Instance Restore. The IAM role must have permissions to access the following KMS keys:

• The KMS keys with which the cloud-native snapshot is encrypted (source KMS keys).
• A KMS key with which you want to encrypt EBS volumes of the restored EC2 instance (target KMS key).

Restoring EC2 Instance to Another AWS Region in Another AWS Account

To restore an EC2 instance to another AWS Region in an AWS account that is different from the AWS account where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access the following KMS keys:

• KMS keys with which the cloud-native snapshot is encrypted (source KMS keys).
• A KMS key with which you want to encrypt EBS volumes of the restored EC2 instance (target KMS key).

2. Copies the shared snapshot to the target AWS Region in the target AWS account.
3. Creates an EC2 instance in the target AWS Region in the target AWS account.
4. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

To copy the snapshot, create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing Entire EC2 Instance Restore. The IAM role must have permissions to access the following KMS keys:

• The KMS keys with which the cloud-native snapshot is encrypted (source KMS keys).
• The KMS key with which you want to encrypt EBS volumes of the restored EC2 instance (target KMS key).

Restoring RDS Instance to Another AWS Region but in Same AWS Account

To restore an RDS instance to a different AWS Region in the same AWS account where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

1. Copies the encrypted cloud-native snapshot to the target AWS Region.

2. Creates an RDS instance from the copied encrypted snapshot in the target AWS Region.

To copy the encrypted snapshot, and to create the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing RDS Instance Restore. The IAM role must have permissions to access the following KMS keys:

• A KMS key with which the cloud-native snapshot is encrypted (source KMS key).
• A KMS key with which you want to encrypt the restored RDS instance (target KMS key).

Restoring RDS Instance in Another AWS Account but to Same AWS Region

To restore an RDS instance in a different AWS account to the same AWS Region where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access a KMS key with which the cloud-native snapshot is encrypted (source KMS key).

2. In the target AWS account, copies the shared snapshot to the same AWS Region where the snapshot resides in the source AWS account, and re-encrypts the snapshot with the KMS keys that you specified to encrypt the restored RDS instance.

To copy the shared encrypted snapshot and to re-encrypt it, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing RDS Instance Restore. The IAM role must have permissions to access the following KMS keys:

• The KMS key with which the cloud-native snapshot is encrypted (source KMS key).
• A KMS key with which you want to encrypt the restored RDS instance (target KMS key).

3. Creates an encrypted RDS instance from the copied encrypted snapshot in the target AWS account in the same AWS Region where the snapshot resides in the source AWS account.

To create and encrypt the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing RDS Instance Restore. The IAM role must have permissions to access the KMS key with which you want to encrypt the restored RDS instance (target KMS key).

Restoring RDS Instance to Another AWS Region in Another AWS Account

To restore an RDS instance to a different AWS Region in a different AWS account, Veeam Backup for AWS performs the following steps:

1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access the following KMS keys:

• A KMS key with which the cloud-native snapshot is encrypted (source KMS key).
• A KMS key with which you want to encrypt the restored RDS instance (target KMS key).

2. In the target AWS account, copies the shared snapshot to the same AWS Region where the snapshot resides in the source AWS account.

To copy the shared encrypted snapshot, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing RDS Instance Restore. The IAM role must have permissions to access the KMS key with which the cloud-native snapshot is encrypted (source KMS key).

3. Copies the copied encrypted snapshot to the target AWS Region in the target AWS account and re-encrypts the snapshot with the KMS key specified to encrypt the restored RDS Instance.

5. Creates an encrypted RDS instance in the target AWS Region in the target AWS account.

To copy and re-encrypt the snapshot, create and encrypt the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing RDS Instance Restore. The IAM role must have permissions to access the KMS key with which you want to encrypt the restored RDS instance (target KMS key).