Creating backup copies across AWS Regions

28 June,2023 by Rambler

Using AWS Backup cross-region copy replication requires some extra details to complete the steps successfully.

The scope of this post is RDS. I will also add details about Aurora & DynamoDB.

1) AWS Backup re-encrypts your copy using the customer managed key of your destination vault. In other words, the copy is encrypted with the target vault's KMS key.

2) AWS Backup currently does not support Independent Encryption for RDS, Aurora or DynamoDB (unless using DynamoDB with AWS Backup advanced features: DynamoDB backups are always encrypted, and the AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that stores them).

Independent encryption means that AWS Backup automatically encrypts your backups with the KMS key of your AWS Backup vault, instead of using the same encryption key as your source resource.



For our code examples, a single account with a multi-region setup is used. AWS Backup is configured to replicate from Region 1 to Region 2.

The RDS instance in Region 1, awr-restore-test-instance, has encryption enabled with a customer managed key, which is created and configured at the RDS level during the IaC process.

STEP 1 : Region 1

-- Extract the EncryptionKeyArn from the Region 1 backup copy, then the KmsKeyId of the source RDS instance, so the two can be compared

aws backup list-recovery-points-by-backup-vault --backup-vault-name TRV-Backup-Vault --query "RecoveryPoints[?contains(ResourceArn,'myRDSInstance')].EncryptionKeyArn"


aws rds describe-db-instances --db-instance-identifier awr-restore-test-instance --query "DBInstances[].KmsKeyId"



STEP 2 : AWS Backup Copy Replication (Region 1 to Region 2)


STEP 3 : Restore the Replicated Copy in Region 2

Region 2

List the replicated copy that has Region 1 as its source. You'll notice the encryption key has changed from the encryption key set in Region 1. Although RDS is not supported for Independent Encryption, AWS Backup re-encrypts your copy using the customer managed key of your destination vault, i.e. the copy is encrypted with the target vault's KMS key.

aws backup list-recovery-points-by-backup-vault --backup-vault-name TRV-Backup-Vault --query "RecoveryPoints[?contains(ResourceArn,'myRDSInstance')].EncryptionKeyArn" --region Region2


Grab the details of the KMS key: its Key ID matches the Key ID of the backup vault's key.
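The comparison in steps 1 and 3 can be automated. The following Python example is added here and is not part of the original post: it parses the JSON that `aws backup list-recovery-points-by-backup-vault` and `aws backup describe-backup-vault` (a CLI command not used in the post) return in Region 2 and flags any copy of the instance whose EncryptionKeyArn is not the destination vault's key. The account id, regions, key ids and recovery point ids in the sample JSON are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws backup list-recovery-points-by-backup-vault`
# run in Region 2 (account id, key ids and recovery point ids are placeholders).
DEST_RECOVERY_POINTS_JSON = """{
  "RecoveryPoints": [
    {"RecoveryPointArn": "arn:aws:backup:eu-west-2:111122223333:recovery-point:awsbackup-job-EXAMPLE1",
     "ResourceArn": "arn:aws:rds:eu-west-1:111122223333:db:awr-restore-test-instance",
     "ResourceType": "RDS", "IsEncrypted": true,
     "EncryptionKeyArn": "arn:aws:kms:eu-west-2:111122223333:key/dddddddd-0000-0000-0000-destvaultkey"},
    {"RecoveryPointArn": "arn:aws:backup:eu-west-2:111122223333:recovery-point:awsbackup-job-EXAMPLE2",
     "ResourceArn": "arn:aws:rds:eu-west-1:111122223333:db:awr-restore-test-instance",
     "ResourceType": "RDS", "IsEncrypted": true,
     "EncryptionKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/ssssssss-0000-0000-0000-sourcerdskey"}
  ]
}"""
# Constructed sample in the shape of `aws backup describe-backup-vault` run in Region 2.
DEST_VAULT_JSON = """{"BackupVaultName": "TRV-Backup-Vault",
 "EncryptionKeyArn": "arn:aws:kms:eu-west-2:111122223333:key/dddddddd-0000-0000-0000-destvaultkey"}"""
# The source instance's customer managed key in Region 1 (step 1 of the post), constructed.
SOURCE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/ssssssss-0000-0000-0000-sourcerdskey"

def arn_region(arn):  # arn:partition:service:region:account:resource
    return arn.split(":")[3]

def check_copies(recovery_points_json, vault_json, source_key_arn, resource_match):
    """Map each matching recovery point ARN to a list of findings (empty list = OK)."""
    vault_key = json.loads(vault_json)["EncryptionKeyArn"]
    findings = {}
    for rp in json.loads(recovery_points_json)["RecoveryPoints"]:
        if resource_match not in rp["ResourceArn"]:  # same filter as the --query in the post
            continue
        key = rp.get("EncryptionKeyArn")
        problems = []
        if not rp.get("IsEncrypted") or not key:
            problems.append("recovery point is not encrypted")
        else:
            if key != vault_key:
                problems.append("key is not the destination vault key")
            if key == source_key_arn:
                problems.append("still encrypted with the source-region key")
            if arn_region(key) != arn_region(vault_key):
                problems.append("key region differs from the vault region")
        findings[rp["RecoveryPointArn"]] = problems
    return findings

if __name__ == "__main__":
    report = check_copies(DEST_RECOVERY_POINTS_JSON, DEST_VAULT_JSON,
                          SOURCE_KEY_ARN, "awr-restore-test-instance")
    for arn, problems in report.items():
        print(arn, "OK" if not problems else "; ".join(problems))
```

With real data, feed it the output of the two CLI commands run with `--output json --region <Region 2>`; the same check applies to Aurora copies, since they follow the same vault-key rule.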


