Enterprises and organizations in more security-conscious industries often protect their data through encryption, restricting data access to those with the necessary permissions and improving their security posture. Creating backups of data resources is often another critical component of a secure and resilient architecture. Additionally, backing up encrypted data is also important, even across geographical regions or administrative accounts.

AWS Backup enables you to centralize and automate data protection across AWS services and accounts. With the release of the cross-account backup feature, you can copy your encrypted backups for Amazon EC2 instances, Amazon EBS volumes, Amazon RDS databases (including Amazon Aurora clusters), AWS Storage Gateway volumes, and Amazon EFS file systems between accounts. AWS Backup can also make your backups available to your organization across accounts and across AWS Regions. This helps you to meet your security, compliance, and business continuity requirements.

In this blog post, I walk through the process of creating a backup of encrypted Amazon EBS volumes. Then, I verify the AWS Key Management Service (AWS KMS) keys used to encrypt the backups. Once the backup is created in the source account’s Region, I perform a one-time copy of the backup to another Region and account. Lastly, I discuss how to address common errors you may experience when performing a cross-account copy.

When your resources like Amazon EC2, Amazon EBS, Amazon RDS (including Aurora clusters), and AWS Storage Gateway volumes are encrypted, cross-account copy can only be performed if they are encrypted by AWS KMS keys, with an exception for Amazon EFS backups. The default vault is encrypted using SMKs. Therefore, to perform cross-account backups, you must use KMS key encrypted vaults instead of your default backup vault.

For Amazon EFS, you can perform cross-account backups using any Amazon EFS backup vault because AWS Backup independently manages the encryption for each Amazon EFS backup vault.

AWS Backup uses the source role to share/unshare and list tags from the source recovery point, and uses the destination role to copy the backup and monitor the copy operation. The AWS Backup service-linked role is AWSServiceRoleForBackup. If your resources are encrypted with a customer managed key, you must share the customer managed key used to encrypt the resources in the source account with the destination account.

The following diagram illustrates the solution discussed in this blog post, wherein I use an encrypted Amazon EBS volume.

1. In the source account, create a backup of a customer managed key encrypted EBS volume.
2. Give the target account access to the customer managed AWS Key Management Service (AWS KMS) encryption key used by the source account EBS volume.
3. Copy the encrypted snapshots to the target account, which re-encrypts them using the target vault account’s AWS KMS encryption keys in the target Region. +
4. Verify the KMS key that the recovery point created from the backup job will use.

+ Before you proceed with step 3, make sure you have a backup vault encrypted using a customer managed key created in the destination account. Also, make sure this vault is shared with the other account using a vault policy.

Prerequisites

For this walkthrough, you need two AWS accounts present in the same AWS Organization:

- The source account, where you have a KMS key encrypted EBS volume.
- The target account, into which you will copy the encrypted snapshots.

Make sure to opt in to cross-account backup.
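Two policy documents decide whether the cross-account copy can succeed: the source key policy that grants the target account use of the customer managed key, and the access policy on the destination vault that lets the source account copy into it. The following Python is an added example, not code from the AWS post: it embeds constructed sample versions of both policies and checks them offline before any copy job is started. The account IDs, Sids and the required KMS action set are assumptions (the action set follows the usual pattern for sharing a KMS key with another account).

```python
from fnmatch import fnmatch

SOURCE_ACCOUNT = "111111111111"  # constructed placeholder: owns the EBS volume and its KMS key
TARGET_ACCOUNT = "222222222222"  # constructed placeholder: receives the copied recovery point
# KMS actions the target account needs on the source key so AWS Backup can read the source
# snapshot and re-encrypt it under the target vault's key (assumed set, standard sharing pattern).
KMS_REQUIRED = {"kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:DescribeKey", "kms:CreateGrant"}

# Constructed key policy for the source account's customer managed key.
SOURCE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUseOfTheKeyByTargetAccount", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"}, "Resource": "*",
     "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "AllowGrantsForAwsResources", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

# Constructed access policy on the target account's CMK-encrypted backup vault.
TARGET_VAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
     "Action": "backup:CopyIntoBackupVault", "Resource": "*"},
]}

def _allowed_actions(policy, account_id):
    """Action patterns that Allow statements grant to the account's root principal."""
    wanted = {f"arn:aws:iam::{account_id}:root", account_id}
    granted = set()
    for stmt in policy["Statement"]:
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if stmt.get("Effect") == "Allow" and wanted & set(principals):
            actions = stmt["Action"]
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def _is_granted(granted, action):
    """IAM-style wildcard match: a granted 'kms:ReEncrypt*' covers kms:ReEncryptFrom/To."""
    return any(fnmatch(action, pattern) for pattern in granted)

def missing_kms_actions(key_policy, target_account):
    """Required KMS actions the source key policy does not grant to target_account."""
    granted = _allowed_actions(key_policy, target_account)
    return {a for a in KMS_REQUIRED if not _is_granted(granted, a)}

def vault_allows_copy(vault_policy, source_account):
    """True when the target vault policy lets source_account copy recovery points into it."""
    return _is_granted(_allowed_actions(vault_policy, source_account), "backup:CopyIntoBackupVault")
```

To check real policies, replace the constructed dicts with the parsed output of `aws kms get-key-policy` (source account) and `aws backup get-backup-vault-access-policy` (destination account). An empty set from `missing_kms_actions` and `True` from `vault_allows_copy` mean the two policy prerequisites for the copy are in place.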