
Independent AWS Backup Encryption

Independent AWS Backup encryption refers to encrypting a backup with an AWS KMS (AWS Key Management Service) key associated with the AWS Backup vault rather than with the source service's own key. Not all AWS DBMS types are supported by the independent encryption process when using AWS Backup.

It's important to be aware of independent encryption because it determines which key you will need in order to restore a backup copy. This applies to both a Single Region and a Multi Region setup.

DynamoDB is supported with independent encryption. You can see this in action by checking a backup copy in the Backup Vault.

If you're using Amazon DynamoDB after enabling Advanced DynamoDB backup, then "DynamoDB backups are always encrypted. The AWS KMS encryption key for DynamoDB backups is configured in the AWS Backup vault that the DynamoDB backups are stored in."

To check whether Advanced DynamoDB backup is configured in the current Region, use:

aws backup describe-region-settings

For more details on how to interpret the output, refer to the AWS documentation on Advanced DynamoDB backup.

Some AWS services use their own encryption and do not support independent encryption by AWS Backup.

AWS Backup's independent encryption means encryption is handled by the key configured on the AWS Backup vault.

Aurora    ==> Independent encryption not supported
RDS       ==> Independent encryption not supported
DynamoDB  ==> Independent encryption supported

As an added note: regardless of the DBMS encryption state when it is backed up into the vault, the Copy process (replication) always enforces an encryption key on the copy.

The AWS Backup Developer documentation has a passage detailing this process:

Encryption for backup copies
When you use AWS Backup to copy your backups across accounts or Regions, AWS Backup automatically
encrypts those copies, even if the original backup is unencrypted. AWS Backup encrypts your copy using
the target vault's KMS key.

This is important: if you are attempting to restore a database into another Region, the target vault's KMS key is the one the copy was encrypted with, and it must be available in that Region to restore.

You need to build this logic into the architecture of the backup & recovery process.
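The two checks described above (is Advanced DynamoDB backup on, and will the target vault's key be usable where you restore) can be scripted as a pre-flight check. The following is an added example, not code from the original post; the JSON samples are constructed and only mirror the field names of `aws backup describe-region-settings` and `aws backup describe-backup-vault`, and the account id, vault name and key id are placeholders.

```python
import json

# DBMS types that keep the source service's own encryption (from the post):
# RDS and Aurora. DynamoDB uses the vault key only with Advanced backup on.
SERVICE_ENCRYPTED = {"RDS", "Aurora"}

# Constructed sample shaped like `aws backup describe-region-settings` output.
REGION_SETTINGS = json.loads("""{
  "ResourceTypeOptInPreference": {"Aurora": true, "DynamoDB": true, "RDS": true},
  "ResourceTypeManagementPreference": {"DynamoDB": true, "EFS": false}
}""")

# Constructed sample shaped like `aws backup describe-backup-vault` output
# for the vault that receives cross-Region copies (placeholder values).
TARGET_VAULT = json.loads("""{
  "BackupVaultName": "dr-vault",
  "BackupVaultArn": "arn:aws:backup:eu-west-1:111122223333:backup-vault:dr-vault",
  "EncryptionKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}""")


def advanced_dynamodb_enabled(settings):
    """Advanced DynamoDB backup shows up under ResourceTypeManagementPreference."""
    return bool(settings.get("ResourceTypeManagementPreference", {}).get("DynamoDB"))


def encryption_mode(resource_type, settings):
    """Who owns the key of a backup in the *source* vault: 'vault' or 'service'."""
    if resource_type in SERVICE_ENCRYPTED:
        return "service"
    if resource_type == "DynamoDB":
        return "vault" if advanced_dynamodb_enabled(settings) else "service"
    return "unknown"


def arn_region(arn):
    # ARN layout: arn:partition:service:region:account:resource
    return arn.split(":")[3]


def copy_restore_check(vault, restore_region):
    """Copies are always re-encrypted with the target vault's key, so that key
    must be in the Region you plan to restore in. Returns the key and findings."""
    key = vault["EncryptionKeyArn"]
    issues = []
    if arn_region(vault["BackupVaultArn"]) != restore_region:
        issues.append("target vault is not in the restore Region")
    if arn_region(key) != restore_region:
        issues.append("vault KMS key is not in the restore Region")
    return {"copy_key": key, "ok": not issues, "issues": issues}
```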

This post first appeared on Dba-ninja.com.