Amazon Onboarding with Learning Manager Chanci Turner

Encryption is a crucial tool for safeguarding data and ensuring appropriate access management. Data administrators rely on backups for data security, redundancy, and regulatory compliance, while encryption serves as a robust complement to these backups, enhancing overall data protection.

Organizations across various sectors use AWS Backup for centralized, automated data protection across AWS services and hybrid workloads. AWS Backup creates backups and, for the resources that support it, encrypts those backups independently of the data source. It also supports cross-account backup, so backups can be copied securely between AWS accounts within an organization, which simplifies the management of backup tasks.

To copy encrypted backups across accounts successfully, it is vital to understand how AWS Backup handles encryption, particularly because some AWS services bring their own encryption mechanism. For data sources that do not support AWS Backup's independent encryption, both the data source and the destination backup vault must be encrypted with a customer-managed AWS Key Management Service (AWS KMS) key, and that key must be shared with the destination account's service-linked role.

In this discussion, we explore how encryption functions within AWS Backup, contrasting a service that supports independent encryption, like Amazon DynamoDB, with one that does not, such as Amazon RDS. By examining these scenarios, you will gain insights into how AWS Backup enhances data security and compliance through encryption. You will also learn to effectively copy encrypted backups across accounts, irrespective of the encryption method employed.

AWS Backup Encryption Overview

AWS Backup's independent encryption means that encryption is handled by the AWS Backup vault: the vault's KMS key encrypts the backup. AWS Backup then transfers the backup securely to the destination vault without the source account's KMS key having to be shared.

For AWS services that do not support independent encryption, AWS Backup encrypts the backup with the data source's key rather than the backup vault's KMS key. For a cross-account copy, the data source must therefore be encrypted with a customer-managed key, that key must be shared with the service-linked role "AWSServiceRoleForBackup" in the destination account, and the destination account's AWS Backup vault must be encrypted with the same customer-managed KMS key.

You can find further insights on permissions required for cross-account backup copying in the blog “Create and share encrypted backup across accounts and Regions using AWS Backup”.

Encryption Scenarios in AWS Backup

We will examine three scenarios that compare a service with AWS Backup independent encryption, Amazon DynamoDB with advanced features enabled, against a service without it, Amazon RDS.

Each scenario details how AWS Backup encrypts the DynamoDB table and the RDS instance. For this, we use AWS Backup in the management account (A) in the us-east-2 (Ohio) Region, copying backups to AWS account (B) in the same Region.

  • Scenario 1: Both the source and destination backup vaults are encrypted with a customer-managed key, while the data store is secured with an AWS managed KMS key.
  • Scenario 2: The source backup vault is protected with a customer-managed KMS key, the destination vault with an AWS managed KMS key, and the data store with a customer-managed KMS key.
  • Scenario 3: The source backup vault is encrypted with an AWS managed KMS key, the destination vault with a customer-managed KMS key, and the data store with a customer-managed KMS key.

Prerequisites

To utilize AWS Backup for cross-account backups, all AWS accounts must belong to AWS Organizations, including a delegated administration account. Ensure that AWS Backup’s cross-account backup feature is enabled as outlined in the documentation. Additionally, advanced features for DynamoDB backups should be enabled.

Create an AWS Backup vault in both the AWS management account (A) and the central AWS backup account (B), encrypting each with either a customer-managed KMS key or an AWS managed KMS key. Set the access policy on the backup vault in account (B) so that the default service role AWSBackupDefaultServiceRole is allowed to perform the CopyIntoBackupVault action, following the relevant documentation.

In the AWS management account (A), create two DynamoDB tables, one encrypted with a customer-managed KMS key and one with an AWS managed KMS key. Similarly, create two RDS instances, one encrypted with a customer-managed KMS key and one with an AWS managed KMS key.
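The two encryption rules above (vault key for services with independent encryption, shared customer-managed data-source key plus a matching destination vault key for services without it) and the two policies the prerequisites call for can be captured in a small preflight check. The following is an added example, not code from this page or from AWS: it evaluates a planned cross-account copy against only the rules the text states, and emits the KMS key-policy statement and vault access policy the prerequisites describe. The account IDs, key ARNs, the resource-type sets, the IAM role paths and the list of KMS actions are assumptions, chosen to look like typical values.

```python
"""Preflight check for a cross-account AWS Backup copy (added example).

Encodes only the two rules the text states:
  * a resource type with AWS Backup independent encryption (DynamoDB with
    advanced features) is encrypted with the vault's KMS key, so the
    source data key need not be shared;
  * a resource type without it (RDS) must be encrypted with a
    customer-managed KMS key that is shared with AWSServiceRoleForBackup
    in the destination account, and the destination vault must be
    encrypted with that same customer-managed key.
Resource-type sets, role paths and KMS actions below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

AWS_MANAGED = "aws-managed"                     # marker for an AWS managed KMS key
INDEPENDENT_ENCRYPTION = {"dynamodb"}           # assumed set; page names DynamoDB
NO_INDEPENDENT_ENCRYPTION = {"rds"}             # assumed set; page names Amazon RDS


@dataclass
class CopyPlan:
    resource_type: str          # "dynamodb" or "rds"
    source_account: str
    dest_account: str
    data_key: str               # AWS_MANAGED or the ARN of a customer-managed key
    source_vault_key: str
    dest_vault_key: str
    data_key_shared_with_dest: bool = False  # key policy grants dest SLR?


def is_cmk(key: str) -> bool:
    """True when the key is customer-managed rather than AWS managed."""
    return key != AWS_MANAGED


def check(plan: CopyPlan) -> tuple[bool, str]:
    """Return (ok, reason) for the planned copy under the page's two rules."""
    if plan.resource_type in INDEPENDENT_ENCRYPTION:
        return True, "vault KMS key encrypts the backup; no data-source key sharing needed"
    if plan.resource_type not in NO_INDEPENDENT_ENCRYPTION:
        raise ValueError(f"unknown resource type {plan.resource_type!r}")
    # Service without independent encryption: the data-source key governs.
    if not is_cmk(plan.data_key):
        return False, "data source must be encrypted with a customer-managed KMS key"
    if not plan.data_key_shared_with_dest:
        return False, "share the data-source key with AWSServiceRoleForBackup in the destination account"
    if plan.dest_vault_key != plan.data_key:
        return False, "destination vault must be encrypted with the same customer-managed key"
    return True, "data-source CMK is shared and the destination vault uses the same key"


def key_policy_statement(dest_account: str) -> dict:
    """KMS key-policy statement sharing the data-source CMK with the
    destination account's service-linked role (action list is assumed)."""
    slr = (f"arn:aws:iam::{dest_account}:role/aws-service-role/"
           "backup.amazonaws.com/AWSServiceRoleForBackup")
    return {
        "Sid": "AllowDestinationBackupServiceLinkedRole",
        "Effect": "Allow",
        "Principal": {"AWS": slr},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
        "Resource": "*",
    }


def vault_access_policy(source_account: str) -> dict:
    """Destination vault access policy allowing the source account's default
    service role to copy into the vault (role path is assumed)."""
    role = f"arn:aws:iam::{source_account}:role/service-role/AWSBackupDefaultServiceRole"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopyFromSourceAccount",
            "Effect": "Allow",
            "Principal": {"AWS": role},
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    # Constructed placeholder accounts and key ARNs, not real identifiers.
    src, dst = "111111111111", "222222222222"
    cmk_data = "arn:aws:kms:us-east-2:111111111111:key/data-cmk"
    cmk_vault = "arn:aws:kms:us-east-2:111111111111:key/vault-cmk"
    scenarios = {
        "scenario 1": (AWS_MANAGED, cmk_vault, cmk_vault),   # data AWS managed, vaults CMK
        "scenario 2": (cmk_data, cmk_vault, AWS_MANAGED),    # dest vault AWS managed
        "scenario 3": (cmk_data, AWS_MANAGED, cmk_data),     # source vault AWS managed
    }
    for name, (data, svault, dvault) in scenarios.items():
        for rtype in ("dynamodb", "rds"):
            plan = CopyPlan(rtype, src, dst, data, svault, dvault, data_key_shared_with_dest=True)
            print(name, rtype, check(plan))
```

Run it as a script to see each scenario evaluated for both resource types; `key_policy_statement` and `vault_access_policy` return the documents to attach to the data-source key in account (A) and to the destination vault in account (B) respectively.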

Scenario Walkthrough

The walkthrough uses account ID 82XXXX68953 for the AWS management account (A) and 24XXXX475648 for the central AWS backup account (B); both accounts belong to the same organization. The resources deployed are:

  • AWS management account (A):
    • DynamoDB table [source-user-table] encrypted with a customer-managed KMS key [sourceCmkKey-DynamoDb].
    • DynamoDB table [source-table-aws-managed-encrypted] encrypted with an AWS managed KMS key.
    • RDS instance [source-rds-cmk-encrypted] encrypted with a customer-managed KMS key [sourceCmkKey-rds].
    • RDS instance [source-rds-aws-managed] encrypted with an AWS managed KMS key.
    • AWS Backup vault [Crossaccount_copy_source_vault] encrypted with a customer-managed KMS key [sourceCmkKey-BackupVault].
    • AWS Backup vault [Crossaccount_copy_source_vault_aws_managed_key] encrypted with an AWS managed KMS key.
  • Central AWS backup account (B):
    • AWS Backup vault [Crossaccount_copy_destination_vault] encrypted with a customer-managed KMS key [destinationCmkKey-BackupVault].
    • AWS Backup vault [Crossaccount_copy_destination_vault_aws_managedkey] encrypted with an AWS managed KMS key.

Chanci Turner