28 June,2023 by Rambler
Using AWS Backup cross-region copy replication requires a few extra details to complete the steps successfully.
The scope of this post is RDS. I will also add details about Aurora & DynamoDB.
1) AWS Backup re-encrypts your copy using the customer managed key of your destination vault: the copy is encrypted with the target vault's KMS key, not the key of the source recovery point.
2) AWS Backup currently does not support independent encryption for RDS, Aurora or DynamoDB (the exception is DynamoDB with AWS Backup advanced features enabled: those DynamoDB backups are always encrypted, and the KMS key used for them is configured on the AWS Backup vault in which the backups are stored).
Independent encryption means that AWS Backup automatically encrypts your backups with the KMS key of your AWS Backup vault instead of the encryption key of the source resource.
*****RDS*******
For the code examples, a single account with a multi-region setup is used. AWS Backup is configured to replicate from Region 1 to Region 2.
The RDS instance in Region 1, awr-restore-test-instance, has encryption enabled with a customer managed key that is created and configured at the RDS level during the IaC process.
STEP 1 : Region 1
-- Extract the EncryptionKeyArn from the Region 1 backup copy
aws backup list-recovery-points-by-backup-vault --backup-vault-name TRV-Backup-Vault --query "RecoveryPoints[?contains(ResourceArn,'myRDSInstance')].EncryptionKeyArn"
arn:aws:kms:us-east-1:xxxxxxxxxxxxxx:1234
-- Compare it with the KMS key configured on the RDS instance itself; at this point both ARNs are the same
aws rds describe-db-instances --db-instance-identifier awr-restore-test-instance --query "DBInstances[].KmsKeyId"
arn:aws:kms:us-east-1:xxxxxxxxxxxxxx:1234
STEP 2 : AWS Backup copy replication from Region 1 to Region 2
STEP 3 : Restore the replicated copy in Region 2
Region 2
List the replicated copies that have Region 1 as their source. You'll notice the encryption key has changed from the one set in Region 1: although RDS is not supported for independent encryption, AWS Backup re-encrypts your copy using the customer managed key of your destination vault, i.e. the target vault's KMS key.
aws backup list-recovery-points-by-backup-vault --backup-vault-name TRV-Backup-Vault --query "RecoveryPoints[?contains(ResourceArn,'myRDSInstance')].EncryptionKeyArn" --region Region2
arn:aws:kms:Region-2:xxxxxxxxxxxxxx:4567
Grab the details of the KMS key; it matches the key ID of the destination backup vault's key.
arn:aws:kms:Region-2:xxxxxxxxxxxxxx:4567
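The three steps above amount to one check: the source recovery point carries the RDS instance's own CMK, and the copy in Region 2 carries the destination vault's CMK instead. The script below is an added example, not the post's own code. It works on the response shapes of the CLI calls used in the post plus `aws backup describe-backup-vault` (which returns the vault's EncryptionKeyArn); the sample responses, account id and key ids are constructed placeholders, and the region names us-east-1 / us-west-2 stand in for Region 1 / Region 2.

```python
"""Verify that an AWS Backup cross-region copy of an RDS recovery point was
re-encrypted with the destination vault's KMS key.

Added example, not the blog post's code. All sample responses below are
constructed; the account id and key ids are placeholders.
"""
import json


def kms_arn_region(arn):
    """The region is the 4th ':'-separated field of any AWS ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3]


def recovery_point_keys(response, resource_substring):
    """Same filter as the post's JMESPath query
    RecoveryPoints[?contains(ResourceArn,'<name>')].EncryptionKeyArn,
    but keeps the recovery point ARN next to its key."""
    return {
        rp["RecoveryPointArn"]: rp["EncryptionKeyArn"]
        for rp in response.get("RecoveryPoints", [])
        if resource_substring in rp.get("ResourceArn", "")
    }


def check_cross_region_copy(source_rps, source_db, dest_rps, dest_vault,
                            resource_substring, dest_region):
    """Return a findings dict; every value is True for a healthy copy."""
    src_keys = set(recovery_point_keys(source_rps, resource_substring).values())
    dst_keys = set(recovery_point_keys(dest_rps, resource_substring).values())
    db_key = source_db["DBInstances"][0]["KmsKeyId"]
    vault_key = dest_vault["EncryptionKeyArn"]
    return {
        # STEP 1: the Region 1 recovery point uses the instance's own CMK
        "source_key_matches_db": src_keys == {db_key},
        # STEP 3: the copy uses the destination vault's CMK ...
        "dest_key_is_vault_key": dst_keys == {vault_key},
        # ... which lives in the destination region ...
        "dest_key_in_dest_region": all(kms_arn_region(k) == dest_region for k in dst_keys),
        # ... and is not the source key (re-encryption actually happened)
        "reencrypted": bool(dst_keys) and dst_keys.isdisjoint(src_keys),
    }


def fetch_inputs(vault_name, db_identifier, source_region, dest_region):
    """Collect the same four inputs from live accounts with boto3 (needs
    credentials; not exercised offline). Mirrors the CLI calls in the post."""
    import boto3  # imported lazily so the offline check runs without it
    src_backup = boto3.client("backup", region_name=source_region)
    src_rds = boto3.client("rds", region_name=source_region)
    dst_backup = boto3.client("backup", region_name=dest_region)
    return (
        src_backup.list_recovery_points_by_backup_vault(BackupVaultName=vault_name),
        src_rds.describe_db_instances(DBInstanceIdentifier=db_identifier),
        dst_backup.list_recovery_points_by_backup_vault(BackupVaultName=vault_name),
        dst_backup.describe_backup_vault(BackupVaultName=vault_name),
    )


# ---- constructed sample responses (placeholder account id and key ids) ----
DB_NAME = "awr-restore-test-instance"
SRC_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000001234"
DST_KEY = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000004567"

SOURCE_RECOVERY_POINTS = {"RecoveryPoints": [
    {"RecoveryPointArn": "arn:aws:rds:us-east-1:111122223333:snapshot:awsbackup:job-src-1",
     "ResourceArn": f"arn:aws:rds:us-east-1:111122223333:db:{DB_NAME}",
     "EncryptionKeyArn": SRC_KEY},
    {"RecoveryPointArn": "arn:aws:rds:us-east-1:111122223333:snapshot:awsbackup:job-src-2",
     "ResourceArn": "arn:aws:rds:us-east-1:111122223333:db:unrelated-instance",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000009999"},
]}
SOURCE_DB = {"DBInstances": [{"DBInstanceIdentifier": DB_NAME, "KmsKeyId": SRC_KEY}]}
DEST_RECOVERY_POINTS = {"RecoveryPoints": [
    {"RecoveryPointArn": "arn:aws:rds:us-west-2:111122223333:snapshot:awsbackup:job-copy-1",
     "ResourceArn": f"arn:aws:rds:us-east-1:111122223333:db:{DB_NAME}",
     "EncryptionKeyArn": DST_KEY},
]}
DEST_VAULT = {"BackupVaultName": "TRV-Backup-Vault", "EncryptionKeyArn": DST_KEY}

if __name__ == "__main__":
    report = check_cross_region_copy(SOURCE_RECOVERY_POINTS, SOURCE_DB,
                                     DEST_RECOVERY_POINTS, DEST_VAULT, DB_NAME, "us-west-2")
    print(json.dumps(report, indent=2))
```

Against live accounts, replace the sample dicts with the tuple returned by fetch_inputs and keep the same check; a copy whose EncryptionKeyArn still points at the Region 1 key, or at a key outside Region 2, fails the "reencrypted" and "dest_key_in_dest_region" findings and should be investigated before the restore in STEP 3 is attempted.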