
Encryption of resources

This section describes how encryption of AWS resources works and how to configure KMS keys so that it works properly.

Encrypting resources during replication to the VAULT account depends on KMS keys created in the VAULT account. These keys should be shared with the PROTECTED account using KMS key policies. Encrypted snapshots of resources can't be replicated to the VAULT account without being re-encrypted using KMS keys defined in the VAULT account. The alias of the keys used for re-encryption is specified in the backup setup definition, in the Replicas encryption KMS key ARN or alias field. Please note that KMS keys are defined separately for each region, so you must create KMS keys in each region to which you want to replicate your resources' snapshots, and all of these keys must have the same alias.

For example, let's say you have the Replicas encryption KMS key ARN or alias field set to the "very_secret_key" value, and you have 2 encrypted EBS volumes. You want to replicate one of them to the eu-west-1 region and the second one to eu-central-1. Their snapshots in the PROTECTED account will be encrypted using the same KMS key that was used to encrypt the original volumes, but their replicas will be re-encrypted using keys defined in the VAULT account. In this example, those keys must be created in the eu-west-1 and eu-central-1 regions, and both of them must have the "very_secret_key" alias.

For replication with encryption to work, you must do the following:

  • In the VAULT account, for each region to which you want to replicate encrypted resources' snapshots, create a custom KMS key to encrypt backups during the replication process.
  • Allow the KMS keys to be used by IAM roles from both the VAULT account (BackupIAMRole) and the PROTECTED account (SourceIAMRole).

In general, AutoBackup supports KMS keys in multiple ways:

  • If protected resources are unencrypted, you can encrypt them during the replication process using a VAULT KMS key.
  • If protected resources are encrypted using a PROTECTED key, you can re-encrypt them using a VAULT key during the replication process.
  • If protected resources are encrypted using a VAULT key, you can just replicate them using a key from the VAULT account.

Allowing KMS keys to be used by IAM roles

To replicate snapshots encrypted using the KMS key, the role created in your VAULT account must have permissions to use the key. This requires a modification of the key policy. To allow a KMS key to be used by an IAM role defined in the VAULT account, go to the detailed view of the KMS key. In the Key Users section, find your role and add it to the list. To allow the key to also be used by a role defined in the PROTECTED account, use the Add External Account option in the Key Users section and provide the ID of the PROTECTED account.

You can also allow a KMS key to be used by the IAM roles by modifying the key policy directly. An example KMS key policy is shown below:

{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::VAULT_ACCOUNT_ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::VAULT_ACCOUNT_ID:user/key_administrator@example.com"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::VAULT_ACCOUNT_ID:role/VAULT_ROLE_NAME",
          "arn:aws:iam::PROTECTED_ACCOUNT_ID:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::VAULT_ACCOUNT_ID:role/VAULT_ROLE_NAME",
          "arn:aws:iam::PROTECTED_ACCOUNT_ID:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
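The following is an added example, not part of AutoBackup or its documentation: a small offline check that a key policy names both the VAULT role and the PROTECTED account for the use and grant actions shown in the policy above, and that kms:CreateGrant stays conditioned on kms:GrantIsForAWSResource. It assumes principals are listed directly in the key policy (it does not evaluate access delegated to IAM policies through the account root statement), and the account IDs, function names and sample policies are constructed for illustration.

```python
import fnmatch

# Concrete KMS actions that the "Allow use of the key" patterns must cover.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:DescribeKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, principal, action):
    """True if an Allow statement names the principal directly and matches the action."""
    principals = stmt.get("Principal", {})
    named = _as_list(principals.get("AWS", [])) if isinstance(principals, dict) else []
    if stmt.get("Effect") != "Allow" or principal not in named:
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))

def check_key_policy(policy, principals):
    """Return a list of findings; an empty list means every principal is covered."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    for principal in principals:
        for action in USE_ACTIONS:
            if not any(_allows(s, principal, action) for s in statements):
                findings.append(f"{principal}: missing {action}")
        grants = [s for s in statements if _allows(s, principal, "kms:CreateGrant")]
        if not grants:
            findings.append(f"{principal}: missing kms:CreateGrant")
        for s in grants:  # grants should be limited to AWS services acting for the caller
            cond = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":
                findings.append(f"{principal}: kms:CreateGrant without kms:GrantIsForAWSResource")
    return findings

# Constructed sample data: placeholder account IDs. GOOD mirrors the two usage
# statements above; WEAK omits the PROTECTED account and the grant condition.
VAULT_ROLE = "arn:aws:iam::111111111111:role/BackupIAMRole"
PROTECTED_ROOT = "arn:aws:iam::222222222222:root"
USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
COND = {"Bool": {"kms:GrantIsForAWSResource": "true"}}

def _stmt(aws, actions, cond=None):
    base = {"Effect": "Allow", "Principal": {"AWS": aws}, "Action": actions, "Resource": "*"}
    return {**base, "Condition": cond} if cond else base

GOOD = {"Statement": [_stmt([VAULT_ROLE, PROTECTED_ROOT], USE),
                      _stmt([VAULT_ROLE, PROTECTED_ROOT], GRANT, COND)]}
WEAK = {"Statement": [_stmt([VAULT_ROLE], USE), _stmt([VAULT_ROLE, PROTECTED_ROOT], GRANT)]}
```

Run check_key_policy on the parsed policy of the VAULT key in every replication region; an empty list means both principals are covered.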

Using different keys for encrypting resources in PROTECTED account and VAULT account

When the replicas of resources' snapshots in the VAULT account are meant to be encrypted using different keys than the resources in the PROTECTED account, the IAM role you've defined for the VAULT account must be allowed to use the encryption key in the PROTECTED account. You can grant access to that key by modifying the encryption key policy.