AWS aws-backup documentation change
Summary
Added documentation about customer-managed KMS key support for logically air-gapped vaults, including encryption key type visibility, updated CLI examples, and detailed key policy requirements for cross-account operations.
Security assessment
The changes introduce documentation about encryption key management options (including customer-managed KMS keys) and detailed security policies required for cross-account operations. While this enhances security transparency and control, there's no evidence of addressing a specific existing vulnerability.
Diff
diff --git a/aws-backup/latest/devguide/logicallyairgappedvault.md b/aws-backup/latest/devguide/logicallyairgappedvault.md index 091fa1e6c..59e287e60 100644 --- a//aws-backup/latest/devguide/logicallyairgappedvault.md +++ b//aws-backup/latest/devguide/logicallyairgappedvault.md @@ -5 +5 @@ -Overview of logically air-gapped vaultsUse case for logically air-gapped vaultsCompare and contrast with a standard backup vaultCreate a logically air-gapped vaultView logically air-gapped vault detailsCopy to a logically air-gapped vaultShare a logically air-gapped vaultRestore a backup from a logically air-gapped vaultDelete a logically air-gapped vaultAdditional programmatic options for logically air-gapped vaultsTroubleshoot a logically air-gapped vault issue +Overview of logically air-gapped vaultsUse case for logically air-gapped vaultsCompare and contrast with a standard backup vaultCreate a logically air-gapped vaultView logically air-gapped vault detailsCopy to a logically air-gapped vaultShare a logically air-gapped vaultRestore a backup from a logically air-gapped vaultDelete a logically air-gapped vaultAdditional programmatic options for logically air-gapped vaultsUnderstanding encryption key types for logically air-gapped vaultsTroubleshoot a logically air-gapped vault issue @@ -13 +13 @@ AWS Backup offers a secondary type of vault which can store copies of backups in -Logically air-gapped vaults come equipped with additional protection features; each vault is encrypted with an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt), and each vault is equipped with [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)'s compliance mode. +Logically air-gapped vaults come equipped with additional protection features; each vault is encrypted with either an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) (default) or optionally with a customer-managed KMS key, and each vault is equipped with [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)'s compliance mode. The encryption key type information is visible through AWS Backup APIs and console for transparency and compliance reporting. @@ -15 +15 @@ Logically air-gapped vaults come equipped with additional protection features; e -You can integrate your logically air-gapped vaults with [Multi-party approval](./multipartyapproval.html) to enable recovery of backups in the vaults even if the vault-owning account is inaccessible, which helps to maintain business continuity. Further more, you can choose to integrate with [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) (RAM) to share a logically air-gapped vault with other AWS accounts (including accounts in other organizations) so that the backups stored within the vault can be restored from an account with which the vault is shared, if needed for data loss recovery or [restore testing](./restore-testing.html). As part of this added security, a logically air-gapped vault stores its backups in an AWS Backup service owned account (which results in backups shown as shared outside your organization in modify attribute items in AWS CloudTrail logs). +You can integrate your logically air-gapped vaults with [Multi-party approval](./multipartyapproval.html) (MPA) to enable recovery of backups in the vaults even if the vault-owning account is inaccessible, which helps to maintain business continuity. Further more, you can choose to integrate with [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) (RAM) to share a logically air-gapped vault with other AWS accounts (including accounts in other organizations) so that the backups stored within the vault can be restored from an account with which the vault is shared, if needed for data loss recovery or [restore testing](./restore-testing.html). As part of this added security, a logically air-gapped vault stores its backups in an AWS Backup service owned account (which results in backups shown as shared outside your organization in modify attribute items in AWS CloudTrail logs). @@ -44,0 +45,2 @@ When copying Amazon EC2 backups to a logically air-gapped vault, AWS Backup enfo + * Understanding encryption key types for logically air-gapped vaults + @@ -58 +60 @@ A logically air-gapped vault is a secondary vault that serves as part of a data - * Comes encrypted with an AWS owned key + * By default offers encryption with an AWS owned key. Optionally you can provide a customer managed key @@ -60 +62 @@ A logically air-gapped vault is a secondary vault that serves as part of a data - * Contains backups which, through AWS RAM, can be shared with and restored from a different account than the one that created the backup + * Contains backups which, through AWS RAM or MPA, can be shared with and restored from a different account than the one that created the backup @@ -101 +103 @@ Billing | Storage and data transfer charges for resources fully managed by AWS B -[Security](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html) | Can optionally be encrypted with a key (customer managed or AWS managed) Can optionally use a vault lock in compliance or governance mode | Is encrypted with an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) Is always locked with a [ vault lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) in compliance mode +[Security](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html) | Can optionally be encrypted with a key (customer managed or AWS managed) Can optionally use a vault lock in compliance or governance mode | Can be encrypted with an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) or a customer managed key Is always locked with a [ vault lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) in compliance mode Encryption key type information is preserved and visible when vaults are shared through AWS RAM or MPA @@ -125 +127,3 @@ Console - 6. Set the **Minimum retention period**. + 6. _(Optional)_ Choose an encryption key. You can select a customer-managed KMS key for additional control over encryption, or use the default AWS-owned key (recommended). + + 7. Set the **Minimum retention period**. @@ -131 +135 @@ The minimum value allowed is `7` days. Values for months and years meet this min - 7. Set the **Maximum retention period**. + 8. Set the **Maximum retention period**. @@ -135 +139 @@ This value (in days, months, or years) is the longest amount of time a backup ca - 8. _(Optional)_ Add tags that will help you search for and identify your logically air-gapped vault. For example, you could add a `BackupType:Financial` tag. + 9. _(Optional)_ Add tags that will help you search for and identify your logically air-gapped vault. For example, you could add a `BackupType:Financial` tag. @@ -137 +141 @@ This value (in days, months, or years) is the longest amount of time a backup ca - 9. Select **Create vault**. + 10. Select **Create vault**. @@ -139 +143 @@ This value (in days, months, or years) is the longest amount of time a backup ca - 10. Review the settings. If all settings show as you intended, select **Create logically air-gapped vault**. + 11. Review the settings. If all settings show as you intended, select **Create logically air-gapped vault**. @@ -141 +145 @@ This value (in days, months, or years) is the longest amount of time a backup ca - 11. The console will take you to the details page of your new vault. Verify the vault details are as expected. + 12. The console will take you to the details page of your new vault. Verify the vault details are as expected. @@ -143 +147 @@ This value (in days, months, or years) is the longest amount of time a backup ca - 12. Select **Vaults** to view vaults in your account. Your logically air-gapped vault will be displayed. The KMS key will be available approximately 1 to 3 minutes after the vault creation. Refresh the page to see the associated key. Once the key is visible, the vault is in an available state and can be used. + 13. Select **Vaults** to view vaults in your account. Your logically air-gapped vault will be displayed. The KMS key will be available approximately 1 to 3 minutes after the vault creation. Refresh the page to see the associated key. Once the key is visible, the vault is in an available state and can be used. @@ -162,0 +167 @@ Use the CLI command [`create-logically-air-gapped-backup-vault`](https://awscli. + --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 // _optional_ @@ -164,0 +170,2 @@ Use the CLI command [`create-logically-air-gapped-backup-vault`](https://awscli. +The optional `--encryption-key-arn` parameter allows you to specify a customer-managed KMS key for vault encryption. If not provided, the vault will use an AWS-owned key. + @@ -174,0 +182,11 @@ Example CLI command to create a logically air-gapped vault: +Example CLI command to create a logically air-gapped vault with customer-managed encryption: + + + aws backup create-logically-air-gapped-backup-vault + --region us-east-1 + --backup-vault-name sampleName + --min-retention-days 7 + --max-retention-days 35 + --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 + --creator-request-id 123456789012-34567-8901 // optional + @@ -194 +212 @@ Console -Details display depending on account type: Accounts which own a vault can view account sharing; accounts which do not own a vault will not be able to view account sharing. +Details display depending on account type: Accounts which own a vault can view account sharing; accounts which do not own a vault will not be able to view account sharing. For shared vaults, the encryption key type (AWS-owned or customer-managed KMS key) is displayed in the vault summary. @@ -217,0 +236 @@ Example of response: + "EncryptionKeyType": "AWS_OWNED_KMS_KEY", @@ -236 +255 @@ When you copy a backup of a [fully managed resource type](./backup-feature-avail -When you copy a backup of other resource types (ones [not fully managed](./backup-feature-availability.html#features-by-resource)), both the backup and the resource it backed up must be encrypted with a customer managed key. AWS managed keys for the resource types are not supported for copies. +When you copy a backup of other resource types (ones [not fully managed](./backup-feature-availability.html#features-by-resource)), the backup must be encrypted with a customer managed key. AWS managed keys for the resource types are not supported for copies. @@ -297 +316 @@ For more information, see [ Copying a backup](https://docs.aws.amazon.com/aws-ba -You can use AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other accounts you designate. +You can use AWS Resource Access Manager (RAM) to share a logically air-gapped vault with other accounts you designate. When sharing vaults, the encryption key type information (AWS-owned or customer-managed KMS key) is preserved and visible to accounts with which the vault is shared. @@ -474 +493 @@ To list just the logically air-gapped vaults, add the parameter -Include the parameter `by-shared` to filter the returned list of vaults to show only shared logically air-gapped vaults. +Include the parameter `by-shared` to filter the returned list of vaults to show only shared logically air-gapped vaults. The response will include encryption key type information for each shared vault. @@ -480,0 +500,273 @@ Include the parameter `by-shared` to filter the returned list of vaults to show +Example response showing encryption key type information: + + + { + "BackupVaultList": [ + { + "BackupVaultName": "shared-logically air-gapped-vault", + "BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:shared-logically air-gapped-vault", + "VaultType": "LOGICALLY_AIR_GAPPED_BACKUP_VAULT", + "EncryptionKeyType": "AWS_OWNED_KMS_KEY", + "CreationDate": "2024-07-25T16:05:23.554000-07:00", + "Locked": true, + "MinRetentionDays": 7, + "MaxRetentionDays": 30 + } + ] + } + +## Understanding encryption key types for logically air-gapped vaults + +Logically air-gapped vaults support different encryption key types, and this information is visible through AWS Backup APIs and console. When vaults are shared through AWS RAM or MPA, the encryption key type information is preserved and made visible to accounts with which the vault is shared. This transparency helps you understand the encryption configuration of vaults and make informed decisions about backup and restore operations. + +### Encryption key type values + +The `EncryptionKeyType` field can have the following values: + + * `AWS_OWNED_KMS_KEY` \- The vault is encrypted with an AWS-owned key. This is the default encryption method for logically air-gapped vaults when no customer-managed key is specified. + + * `CUSTOMER_MANAGED_KMS_KEY` \- The vault is encrypted with a customer-managed KMS key that you control. This option provides additional control over encryption keys and access policies. + + + + +**Note:** You can only select an AWS KMS encryption key during vault creation. Once created, all backups contained in the vault will be encrypted with that key. You cannot change or migrate your vaults to use a different encryption key. + +### Key policy for CMK encrypted logically air-gapped vault creation + +When creating a logically air-gapped vault with a customer managed key, you must apply the AWS-managed policy `AWSBackupFullAccess` to your account role. This policy includes `Allow` actions that enable AWS Backup to interact with AWS KMS for grant creation on KMS keys during backup, copy, and storage operations. Additionally, you must ensure your customer managed key (if used) policy includes specific required permissions. + + * The CMK must be shared with the account where the logically air-gapped vault resides + + + + + + { + "Sid": "Allow use of the key to create a logically air-gapped vault", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[account-id]:role/TheRoleToAccessAccount" + }, + "Action": [ + "kms:CreateGrant", + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "backup.*.amazonaws.com" + } + } + } + +**Key policy for copy/restore** + +To prevent job failures, review your AWS KMS key policy to ensure it includes all required permissions and doesn't contain any deny statements that could block operations. The following conditions apply: + + * For all copy scenarios, the CMKs must be shared with the source copy role + + + + + + { + "Sid": "Allow use of the key for copy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[source-account-id]:role/service-role/AWSBackupDefaultServiceRole" //[Source copy role] + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "backup.*.amazonaws.com" + } + } + }, + { + "Sid": "Allow AWS Backup to create grant on the key for copy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[source-account-id]:role/service-role/AWSBackupDefaultServiceRole" //[Source copy role] + }, + "Action": [ + "kms:CreateGrant" + ], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" + }, + "StringLike": { + "kms:ViaService": "backup.*.amazonaws.com" + } + } + } + + * When copying from a CMK encrypted logically air-gapped vault to a backup vault, the CMK must also be shared with the destination account SLR + + + + + + {