Step 5. Enable Encryption

[This step applies only if you have selected the Restore to new location, or with different settings option at the Restore Mode step of the wizard]

At the Encryption step of the wizard, choose whether the restored RDS resources must be encrypted with AWS KMS keys:

  • If you do not want to encrypt the RDS resources or want to apply the existing encryption scheme, select the Use original encryption scheme option.
  • If you want to encrypt the RDS resources, select the Restore as encrypted instance option and choose the necessary KMS key from the Encryption key list.

For a KMS key to be displayed in the list of available encryption keys, it must be stored in the AWS Region selected at step 4 and the IAM role specified for the restore operation must have permissions to the key.  For more information on KMS keys, see AWS Documentation.


If you plan to restore an unencrypted Aurora provisioned DB cluster to an Aurora Serverless DB cluster, and you select the Use original encryption scheme option, mind that Veeam Backup for AWS will encrypt the newly created Aurora Serverless DB cluster with the default KMS key in the target AWS Region. For more information on Aurora Serverless, see AWS Documentation.

Restoring RDS Resources