
Independent AWS Backup Encryption

16 August,2023 by Rambler

Independent AWS encryption refers to encrypting a backup with an AWS KMS (AWS Key Management Service) key that is associated with the AWS Backup vault rather than with the source service. Not all AWS DBMS types are supported by the independent encryption process when using AWS Backup.

It's important to be aware of independent encryption because it has implications for how you will restore a backup copy. This applies to both a single-Region and a multi-Region setup.

DynamoDB is supported with independent encryption. You can see this in action by inspecting a backup copy in the Backup Vault.

If you're using Amazon DynamoDB after enabling Advanced DynamoDB backup, then "DynamoDB backups are always encrypted. The AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that the DynamoDB backups are stored in."

To check whether Advanced DynamoDB backup is configured in the current Region, use:

aws backup describe-region-settings

For more details on how to interpret the output, use the information provided on Advanced DynamoDB backup.


Some AWS services use their own encryption and do not support independent encryption by AWS Backup.

AWS Backup's independent encryption means encryption is handled by the AWS Backup vault.

Aurora   ==> Independent encryption not supported
RDS      ==> Independent encryption not supported
DynamoDB ==> Independent encryption supported

As an added note: regardless of the DBMS encryption state when it is backed up into the vault, the copy process (replication) enforces an encryption key for the copy.

In the AWS Backup Developer documentation there is a passage detailing the process:

Encryption for backup copies
When you use AWS Backup to copy your backups across accounts or Regions, AWS Backup automatically
encrypts those copies, even if the original backup is unencrypted. AWS Backup encrypts your copy using
the target vault's KMS key.

This is important: if you are attempting to restore a database into another Region, the key the copy was encrypted with (the target vault's KMS key) must be available in that Region for the restore to succeed.

You need to build this logic into the architecture of the backup and recovery process.
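The following is an added example, not code from the original post, that turns the two checks discussed above into something you can run before relying on a cross-Region restore: reading the `aws backup describe-region-settings` output to confirm Advanced DynamoDB backup is on, and reading the target vault's `EncryptionKeyArn` (from `aws backup describe-backup-vault`) to confirm the copy's KMS key lives in the Region you intend to restore into. The JSON inputs are constructed samples with placeholder account and key ids, and the interpretation of `ResourceTypeManagementPreference` as the Advanced DynamoDB backup flag, and of non-advanced DynamoDB backups as service-encrypted, are assumptions made here rather than statements from the post.

```python
import json

# Independent (vault-managed) encryption support per resource type, as listed
# in the post above. Types not listed are reported as unknown.
INDEPENDENT_ENCRYPTION_SUPPORT = {
    "DynamoDB": True,
    "Aurora": False,
    "RDS": False,
}

# Constructed sample of `aws backup describe-region-settings` output
# (not captured from a real account).
SAMPLE_REGION_SETTINGS = json.dumps({
    "ResourceTypeOptInPreference": {"Aurora": True, "DynamoDB": True, "RDS": True},
    "ResourceTypeManagementPreference": {"DynamoDB": True, "EFS": False},
})

# Constructed sample of `aws backup describe-backup-vault` output for the
# target vault of a cross-Region copy. Account id and key id are placeholders.
SAMPLE_TARGET_VAULT = json.dumps({
    "BackupVaultName": "dr-vault",
    "BackupVaultArn": "arn:aws:backup:eu-west-1:111122223333:backup-vault:dr-vault",
    "EncryptionKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000",
})


def advanced_dynamodb_enabled(region_settings_json):
    """Return True when AWS Backup fully manages DynamoDB backups in this Region.

    Assumption: the ResourceTypeManagementPreference map reflects the
    Advanced DynamoDB backup setting; a missing entry counts as not enabled.
    """
    settings = json.loads(region_settings_json)
    mgmt = settings.get("ResourceTypeManagementPreference", {})
    return bool(mgmt.get("DynamoDB", False))


def vault_encryption_source(resource_type, region_settings_json):
    """Report whether a backup's key comes from the vault or from the service itself."""
    supported = INDEPENDENT_ENCRYPTION_SUPPORT.get(resource_type)
    if supported is None:
        return "unknown"
    # Assumption: without Advanced DynamoDB backup the table's own key is used.
    if resource_type == "DynamoDB" and not advanced_dynamodb_enabled(region_settings_json):
        return "service"
    return "vault" if supported else "service"


def parse_kms_arn(arn):
    """Split a KMS key ARN into (region, account, key id)."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError("not a KMS key ARN: %s" % arn)
    # parts[5] is "key/<id>" or "alias/<name>"; keep only the id part.
    return parts[3], parts[4], parts[5].split("/", 1)[-1]


def copy_restore_preflight(target_vault_json, restore_region):
    """Check that a restore from a copied backup can find its encryption key.

    Copies are re-encrypted with the target vault's KMS key, so a restore in
    restore_region needs that key to be usable there. This only compares the
    key's Region with the restore Region; for a multi-Region key (id prefixed
    "mrk-") pass the replica's ARN, and verify the key policy separately.
    """
    vault = json.loads(target_vault_json)
    key_arn = vault.get("EncryptionKeyArn")
    if not key_arn:
        return (False, "target vault has no EncryptionKeyArn")
    key_region, _account, key_id = parse_kms_arn(key_arn)
    if key_region != restore_region:
        return (False, "copy key %s is in %s but the restore targets %s"
                % (key_id, key_region, restore_region))
    return (True, "copy key %s is available in %s" % (key_id, key_region))


if __name__ == "__main__":
    for rtype in ("DynamoDB", "Aurora", "RDS", "Neptune"):
        print("%-9s encryption key source: %s"
              % (rtype, vault_encryption_source(rtype, SAMPLE_REGION_SETTINGS)))
    for region in ("eu-west-1", "us-east-1"):
        ok, msg = copy_restore_preflight(SAMPLE_TARGET_VAULT, region)
        print("restore into %s: %s (%s)" % (region, "OK" if ok else "BLOCKED", msg))
```

In a real pipeline the two JSON strings would be replaced by the captured output of the two CLI commands for the target Region; the preflight is deliberately run before the copy job is scheduled, so that a missing or wrong-Region key shows up as a failed check rather than as a restore that cannot decrypt.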
