Encryption is a vital component of data protection, ensuring that sensitive information stays confidential and that access to it is controlled. Organizations rely on backups for data preservation, redundancy, and compliance, and encrypting those backups extends the same protection to the copies.
Across industries, AWS Backup is used to centralize and automate data protection across AWS services and hybrid workloads. For resources that support full AWS Backup management, AWS Backup encrypts the backup independently of the source resource, using the KMS key of the backup vault. The service also supports cross-account backup, so backups can be copied securely between AWS accounts in the same organization, which makes centralized backup management straightforward.
Understanding how AWS Backup manages encryption is crucial for successfully copying encrypted backups across accounts, because some AWS services keep using their own encryption rather than AWS Backup's independent encryption. For a cross-account copy of a data source that lacks AWS Backup encryption support, both the data source and the destination backup vault must be encrypted with a customer-managed AWS Key Management Service (AWS KMS) key, and the data source's key policy must grant the AWS Backup service-linked role in the destination account permission to use that key.
In this blog, we explore how encryption operates within AWS Backup by comparing Amazon DynamoDB, which supports independent encryption, with Amazon RDS, which does not, across three cross-account copy scenarios. With the encryption background and the scenarios in hand, you can see how AWS Backup helps you maintain data security and compliance through encryption, and how to copy encrypted backups across accounts successfully whichever encryption method the source service uses.
AWS Backup Encryption Background
AWS Backup’s independent encryption means that the backup vault, not the source resource, controls encryption. The backup is encrypted with the AWS KMS key associated with the vault, and AWS Backup handles the secure transfer to the destination vault, where the copy is encrypted with the destination vault’s key. Neither the source vault’s key nor the data source’s key has to be shared with the destination account.
Conversely, for AWS services that do not support independent encryption, AWS Backup encrypts the backup with the data source’s KMS key rather than with the backup vault’s key. An AWS-managed key cannot be used from another account, so for a cross-account copy the data source must be encrypted with a customer-managed key, and that key’s policy must grant the AWS Backup service-linked role “AWSServiceRoleForBackup” in the destination account permission to use it. The destination AWS Backup vault must also be encrypted with a customer-managed KMS key for the copy job to succeed. For the exact permissions required for cross-account copies of backups that rely on service-dependent encryption, refer to the blog “Create and share encrypted backup across accounts and Regions using AWS Backup.”
AWS Backup Encryption Scenarios
In the following scenarios, we compare Amazon DynamoDB, which gets AWS Backup’s independent encryption once AWS Backup advanced features are enabled for it, with Amazon RDS, which does not support independent encryption in AWS Backup. Each scenario shows how AWS Backup encrypts the DynamoDB table backup and the RDS instance backup, and what that means for the cross-account copy.
We use the AWS management account (A) in the us-east-2 (Ohio) Region and copy the backups to AWS account (B) in the same Region.
Scenario 1:
The source backup vault and the destination vault are encrypted with customer-managed KMS keys, while the data source is encrypted with an AWS-managed KMS key.
- Initiate a copy job from the AWS management account (A) to the central AWS backup account (B) and verify the copy job status for both the DynamoDB table and the RDS instance. Given the rules above, expect the DynamoDB copy to succeed (its backup is encrypted by the vault) and the RDS copy to fail, because the AWS-managed key on the instance cannot be shared with account (B).
Scenario 2:
The source backup vault is encrypted with a customer-managed KMS key, the destination vault with an AWS-managed KMS key, and the data source with a customer-managed KMS key.
- Review the KMS key policy of the customer-managed key used by the DynamoDB table, perform the copy job, and check the job status for both resources. Expect the DynamoDB copy to succeed even though its key is not shared with account (B), and the RDS copy to fail, because the destination vault is not encrypted with a customer-managed key.
Scenario 3:
The source backup vault is encrypted with an AWS-managed KMS key, the destination vault with a customer-managed KMS key, and the data source with a customer-managed KMS key.
- Update the policy of the customer-managed key used by the RDS instance to grant the AWSServiceRoleForBackup role in account (B) access to the key, execute the copy job, and verify the job status. With the key shared and the destination vault encrypted with a customer-managed key, expect both copies to succeed; the AWS-managed key on the source vault is not a problem, because it is never shared.
Prerequisites
All AWS accounts taking part must belong to the same AWS Organization; AWS Backup can be administered from the organization’s management account or from a delegated administrator account. For further guidance, refer to the documentation on setting up an organization. Then, before running the scenarios:
- Enable AWS Backup’s cross-account backup feature, as detailed in the documentation.
- Enable AWS Backup’s advanced features for DynamoDB; this is what gives DynamoDB backups independent (vault-managed) encryption.
- Create a backup vault in both the AWS management account (A) and the central AWS backup account (B), encrypted with a customer-managed or an AWS-managed KMS key as each scenario requires.
- Set the access policy on the destination vault in the central AWS backup account (B) so that the role that runs the copy job in account (A), the default service role [AWSBackupDefaultServiceRole], is allowed the backup:CopyIntoBackupVault action on that vault. Without this, the copy job fails in every scenario, regardless of how the keys are configured.
In the AWS management account (A), create one DynamoDB table encrypted with a customer-managed KMS key and another encrypted with an AWS-managed KMS key. Similarly, create one RDS instance encrypted with a customer-managed KMS key and another encrypted with an AWS-managed KMS key.
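Before starting copy jobs, it is worth checking the two policies the walkthrough depends on: the data source key policy that must grant the destination account’s AWSServiceRoleForBackup access (the rule explained in the encryption background), and the destination vault access policy that must allow backup:CopyIntoBackupVault (the last prerequisite above). The following is an added example, not code from the blog post or from AWS: an offline pre-flight check that reads both policies as plain dicts (for instance json.loads of the `aws kms get-key-policy --policy-name default --output text` and `aws backup get-backup-vault-access-policy` output), applies the rules stated on this page, and emits the policy statements to add. Assumptions: the KMS action set in `KMS_USE_ACTIONS` is the standard "key user" set rather than a list taken from the AWS Backup documentation; the `role/service-role/AWSBackupDefaultServiceRole` path is assumed; the matcher ignores Resource and Condition elements; and all function names, account IDs and policy Sids are hypothetical.

```python
"""Offline pre-flight check for AWS Backup cross-account copy jobs (added example).

Encodes the two rules the post states: a resource with independent (vault-managed)
encryption only needs the destination vault access policy; a resource without it
(RDS) additionally needs a customer-managed data source key shared with the
destination account's AWSServiceRoleForBackup and a customer-managed key on the
destination vault. Policies are plain dicts, so nothing here calls AWS.
"""
import fnmatch

BACKUP_SLR = "role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
# Assumption: the standard KMS "key user" action set; check the AWS Backup
# documentation for the exact actions the copy job needs.
KMS_USE_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey",
                   "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant")


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_matches(principal, arn, account):
    """True if a policy Principal element covers `arn`, an IAM role in `account`."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", arn, account, f"arn:aws:iam::{account}:root") for p in aws)


def allowed_actions(policy, arn, account, wanted):
    """Subset of `wanted` that some Allow statement grants to the principal and
    no Deny statement removes. Resource and Condition elements are ignored."""
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        if not _principal_matches(st.get("Principal", {}), arn, account):
            continue
        target = allowed if st.get("Effect") == "Allow" else denied
        for pattern in _as_list(st.get("Action")):  # IAM actions are case-insensitive
            target.update(a for a in wanted
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def missing_key_permissions(key_policy, dest_account):
    """KMS actions the destination account's AWSServiceRoleForBackup still lacks."""
    slr = f"arn:aws:iam::{dest_account}:{BACKUP_SLR}"
    granted = allowed_actions(key_policy, slr, dest_account, KMS_USE_ACTIONS)
    return sorted(set(KMS_USE_ACTIONS) - granted)


def vault_allows_copy(vault_policy, source_account, source_role_arn):
    """True if the destination vault lets the source account's backup role copy in."""
    return bool(allowed_actions(vault_policy, source_role_arn, source_account,
                                ("backup:CopyIntoBackupVault",)))


def preflight(*, independent_encryption, data_key_is_cmk, dest_vault_key_is_cmk,
              key_policy, dest_account, vault_policy, source_account, source_role_arn):
    """Return the blockers for a copy job; an empty list means it should run."""
    problems = []
    if not vault_allows_copy(vault_policy, source_account, source_role_arn):
        problems.append("destination vault access policy does not allow "
                        "backup:CopyIntoBackupVault for the source backup role")
    if independent_encryption:
        return problems  # the vault key covers the backup; the source key is never shared
    if not data_key_is_cmk:
        problems.append("data source uses an AWS-managed key, which cannot be shared")
    else:
        missing = missing_key_permissions(key_policy, dest_account)
        if missing:
            problems.append("data source key policy does not grant " + ", ".join(missing)
                            + " to the destination AWSServiceRoleForBackup")
    if not dest_vault_key_is_cmk:
        problems.append("destination vault is not encrypted with a customer-managed key")
    return problems


def key_policy_statements_for_backup(dest_account):
    """Statements to append to the data source CMK policy in the source account."""
    slr = f"arn:aws:iam::{dest_account}:{BACKUP_SLR}"
    return [
        {"Sid": "AllowDestinationBackupRoleUseOfTheKey", "Effect": "Allow",
         "Principal": {"AWS": slr}, "Resource": "*",
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*", "kms:ReEncrypt*"]},
        {"Sid": "AllowDestinationBackupRoleGrants", "Effect": "Allow",
         "Principal": {"AWS": slr}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def vault_access_policy_for_source(source_account, vault_arn):
    """Access policy for the destination vault letting the source account copy in."""
    # Assumption: the default role lives at role/service-role/AWSBackupDefaultServiceRole.
    role = f"arn:aws:iam::{source_account}:role/service-role/AWSBackupDefaultServiceRole"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCopyFromSourceAccount", "Effect": "Allow",
         "Principal": {"AWS": role}, "Action": "backup:CopyIntoBackupVault",
         "Resource": vault_arn}]}
```

Run `preflight(...)` once per resource with the real policies and key types; for the RDS instance in Scenario 1 it reports the unshareable AWS-managed key, in Scenario 2 the unshared key and the AWS-managed destination vault, and in Scenario 3 nothing once `key_policy_statements_for_backup` has been merged into the source key policy. The matcher deliberately treats an Allow for the destination account root as sufficient, since the service-linked role lives in that account, but it does not evaluate Conditions, so a policy that restricts by `kms:ViaService` or similar still needs a manual look.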
For our walkthrough, we will utilize two accounts: 82XXXX68953 as the AWS management account (A) and 24XXXX475648 as the central AWS backup account (B), both belonging to the same organization. The resources we have deployed include:
In the AWS management account (A):
- DynamoDB table [source-user-table] encrypted with a customer-managed KMS key [sourceCmkKey-DynamoDb].
- DynamoDB table [source-table-aws-managed-encrypted] encrypted with an AWS-managed KMS key.
- RDS instance [source-rds-cmk-encrypted] encrypted with a customer-managed KMS key [sourceCmkKey-rds].
- RDS instance [source-rds-aws-managed] encrypted with an AWS-managed KMS key.
- AWS Backup vault [Crossaccount_copy_source_vault] encrypted with a customer-managed KMS key [sourceCmkKey-BackupVault].
- AWS Backup vault [Crossaccount_copy_source_vault_aws_managed_key] encrypted with an AWS-managed KMS key.
In the central AWS backup account (B):
- AWS Backup vault [Crossaccount_copy_destination_vault] encrypted with a customer-managed KMS key [destinationCmkKey-BackupVault].
- AWS Backup vault [Crossaccount_copy_destination_vault_aws_managedkey] encrypted with an AWS-managed KMS key.