Backup Encryption
Architecture
Encrypt backup data across AWS services:
- AWS Backup vault encryption
- EBS snapshots with customer-managed keys
- RDS snapshots with database encryption keys
- S3 replication with multi-region keys
When to Use
This pattern is ideal when you need:
- Consistent encryption policy across all backups
- Cross-account backup sharing with encryption
- Long deletion windows for key protection
- Separation between production and backup encryption keys
Implementation
Backup Vault Encryption
    module "backup_key" {
      source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
      version = "1.0.0"

      alias                  = "alias/backup-encryption"
      description            = "Encryption key for AWS Backup vaults"
      deletion_window_in_days = 30 # 30 days is the maximum KMS allows
    }

    resource "aws_backup_vault" "encrypted" {
      name        = "encrypted-backup-vault"
      kms_key_arn = module.backup_key.key_arn
    }
Cross-Account Sharing
Share encrypted backups with disaster recovery accounts:
    resource "aws_backup_vault_policy" "cross_account" {
      backup_vault_name = aws_backup_vault.encrypted.name

      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Principal = {
              AWS = "arn:aws:iam::DR_ACCOUNT_ID:root"
            }
            Action = [
              "backup:CopyIntoBackupVault"
            ]
            Resource = "*"
          }
        ]
      })
    }
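A vault policy only controls who may copy recovery points into the vault; the KMS key protecting those recovery points has its own policy, and the other account (and the AWS Backup service itself) must also be allowed there or copies and restores fail on the decrypt step. The following is an added example, not the kms-key module's code or part of the original page: it builds the key with `aws_kms_key` directly because the module's key-policy inputs are not documented here, reuses the `DR_ACCOUNT_ID` placeholder from the vault policy above, and assumes a configured default `aws` provider.

```hcl
data "aws_caller_identity" "current" {}

locals {
  # Placeholder account id, as on this page; replace with the real DR account.
  dr_account_id = "DR_ACCOUNT_ID"
}

data "aws_iam_policy_document" "backup_key" {
  # Keep administrative control of the key in this account; without a root
  # statement the key can become unmanageable.
  statement {
    sid       = "EnableKeyAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # AWS Backup encrypts and decrypts the recovery points stored in the vault.
  statement {
    sid       = "AllowAWSBackupUseOfTheKey"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }

  # The DR account needs the same cryptographic operations to copy and restore
  # recovery points protected by this key.
  statement {
    sid       = "AllowDRAccountUseOfTheKey"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.dr_account_id}:root"]
    }
  }

  # Grants are how EBS, RDS and similar services attach the key to a restored
  # resource. Kept in its own statement so the Bool condition does not also
  # gate the data-plane actions above; limit grants to AWS resources.
  statement {
    sid       = "AllowDRAccountGrantsForAWSResources"
    effect    = "Allow"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.dr_account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "backup" {
  description             = "Encryption key for AWS Backup vaults"
  deletion_window_in_days = 30   # the maximum KMS allows
  enable_key_rotation     = true # automatic rotation for a long-lived key
  multi_region            = true # permits a replica key in the DR region
  policy                  = data.aws_iam_policy_document.backup_key.json
}

resource "aws_kms_alias" "backup" {
  name          = "alias/backup-encryption"
  target_key_id = aws_kms_key.backup.key_id
}

resource "aws_backup_vault" "encrypted" {
  name        = "encrypted-backup-vault"
  kms_key_arn = aws_kms_key.backup.arn
}
```

Granting the DR account's root principal delegates the decision to that account's own IAM policies, which is the normal shape for cross-account KMS access; if the DR side should be narrower, name specific role ARNs there instead of `:root`. A `terraform plan` followed by a review of the rendered JSON (for example with `terraform show`) is a cheap way to confirm that only the intended principals appear in the key policy before it is applied.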
Considerations
- Use maximum deletion window (30 days) for backup keys
- Enable key rotation for long-lived backup keys
- Consider multi-region keys for disaster recovery
- Document key recovery procedures
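For the multi-region point above, the following added example (not the module's code or part of the original page) replicates the backup key into a DR region and builds a vault there on the replica. It assumes the primary key was created with `multi_region = true` under the `alias/backup-encryption` alias used on this page, that a default `aws` provider is configured for the primary region, and that `us-west-2` is the DR region.

```hcl
# Second provider for the DR region (assumed region).
provider "aws" {
  alias  = "dr"
  region = "us-west-2"
}

# Look the primary key up by its alias so this file stands on its own.
data "aws_kms_key" "backup_primary" {
  key_id = "alias/backup-encryption"
}

# A replica shares key material with the primary, so recovery points copied
# to the DR region decrypt with the same key; rotation is inherited from the
# primary, but the key policy is NOT, so mirror the primary's statements here.
resource "aws_kms_replica_key" "backup_dr" {
  provider                = aws.dr
  description             = "DR-region replica of the backup encryption key"
  primary_key_arn         = data.aws_kms_key.backup_primary.arn
  deletion_window_in_days = 30 # same protection as the primary
}

# Same alias name in each region, so automation can address the key uniformly.
resource "aws_kms_alias" "backup_dr" {
  provider      = aws.dr
  name          = "alias/backup-encryption"
  target_key_id = aws_kms_replica_key.backup_dr.key_id
}

# Destination vault in the DR region, encrypted with the replica.
resource "aws_backup_vault" "encrypted_dr" {
  provider    = aws.dr
  name        = "encrypted-backup-vault-dr"
  kms_key_arn = aws_kms_replica_key.backup_dr.arn
}
```

Because each replica carries its own key policy, the DR-region replica needs the same AWS Backup service statement and cross-account statements as the primary; omitting `policy` here gives the replica the default key policy, which allows only this account's IAM principals, and a cross-account copy into the DR vault would then fail at the key even though the vault policy permits it.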