Overview
This article explains the relationship between Druva storage credentials stored in AWS Systems Manager Parameter Store, the KMS keys that protect them and the backups, and what happens if either is accidentally deleted. Understanding these relationships is crucial for maintaining data security and backup accessibility.
Understanding the Components
Druva Storage Credentials in Parameter Store
Location: AWS Systems Manager Parameter Store
Type: SecureString parameters
Naming: Typically prefixed with "Druva-ClientCredential-"
Purpose: Authentication for CloudRanger operations
Parameter Store + KMS Key Relationship
When you store a SecureString parameter in AWS Systems Manager Parameter Store, the following happens:
1. Encryption Process
The parameter value is encrypted with a KMS key (by default the AWS managed key for Parameter Store, aws/ssm).
2. Decryption Process
When the parameter is retrieved, Parameter Store uses the same KMS key to decrypt it.
The KMS key must exist and be accessible for decryption to succeed.
Critical Relationships and Dependencies
Parameter Store Credentials vs. Backup Encryption Keys
Important Distinction:
Parameter Store credentials are used for authentication and access
Backup encryption KMS keys are used for actual data encryption
For AWS Backups Encrypted Using KMS Keys
Key Requirements:
When customer data is encrypted using a specific KMS key, that same KMS key is required to decrypt the data later (e.g., during restore operations)
The KMS keys used to encrypt backups are created by the customer, not by Druva
These encryption keys are separate from the Parameter Store authentication credentials
Impact of Accidental Deletion
Scenario 1: Deleting Parameter Store Credentials
What Happens:
CloudRanger loses authentication credentials for the AWS account
New backup operations may fail
Existing backups remain intact and accessible
No data loss occurs
Resolution: Simple Recovery Process:
Navigate to the CloudRanger console
Create new storage credentials
New parameters will be automatically created in AWS Parameter Store
Operations resume normally
Scenario 2: Deleting KMS Keys Used for Parameter Store
What Happens:
SecureString parameters become unrecoverable
Parameter Store cannot decrypt the credential values
Authentication to AWS services fails
Resolution:
Recreate storage credentials through CloudRanger console
The new SecureString parameters are encrypted with a KMS key that is still available
Summary
When you store a SecureString parameter in AWS Systems Manager Parameter Store:
Encryption: the value is encrypted with a KMS key, by default the AWS managed key aws/ssm.
Decryption: when the parameter is retrieved, Parameter Store uses the same KMS key to decrypt it.
If the KMS key is deleted, the SecureString becomes unrecoverable.
For AWS backups encrypted using KMS keys
When a customer's data is encrypted with a specific KMS key, that same KMS key is required to decrypt the data later (for example, during a restore).
If you delete the KMS key, the encrypted backups can no longer be decrypted.
Under no circumstances should the customer delete a KMS key that was used to encrypt a backup.
The KMS keys used to encrypt backups are created by the customer, not by Druva.
As explained earlier, if the customer accidentally deletes their client credential in AWS, they can simply create a new one in the CloudRanger console. It becomes available automatically in their AWS account.
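Both deletion scenarios above come down to one question that can be checked before anything breaks: is every KMS key that a Druva SecureString credential or a backup depends on still usable, and if a key is scheduled for deletion, how much of the cancellation window remains? The following Python is an added example written for this article; it is not Druva's or AWS's own code. It operates on dicts shaped like the entries returned by boto3's ssm.describe_parameters() and the KeyMetadata returned by kms.describe_key(); every parameter name, account id, key ARN and date in the sample data is constructed, and the list of backup keys is assumed to have been collected from your backup vault metadata. In a real account the same functions would be fed the live output of those two calls.

```python
"""Audit the KMS keys behind Druva SecureString credentials and backup encryption.

Added example, not Druva's or AWS's own code. The functions operate on dicts
shaped like boto3's ssm.describe_parameters()["Parameters"] entries and
kms.describe_key()["KeyMetadata"]. All sample data is constructed; every
account id, key ARN and date below is a placeholder.
"""
from datetime import datetime, timezone

DRUVA_PREFIX = "Druva-ClientCredential-"  # naming convention given in the article
DEFAULT_SSM_KEY = "alias/aws/ssm"         # AWS managed key Parameter Store uses by default

# Placeholder customer managed key ARNs (constructed).
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-4000-8000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/bbbbbbbb-0000-4000-8000-000000000002"
KEY_C = "arn:aws:kms:us-east-1:111111111111:key/cccccccc-0000-4000-8000-000000000003"

# Constructed sample of ssm.describe_parameters()["Parameters"].
SAMPLE_PARAMETERS = [
    {"Name": "Druva-ClientCredential-111111111111", "Type": "SecureString", "KeyId": DEFAULT_SSM_KEY},
    {"Name": "Druva-ClientCredential-222222222222", "Type": "SecureString", "KeyId": KEY_A},
    {"Name": "app/feature-flag", "Type": "String"},  # unrelated plain parameter, ignored
]

# Constructed sample of kms.describe_key()["KeyMetadata"], one entry per key in use.
SAMPLE_KEYS = {
    DEFAULT_SSM_KEY: {"KeyState": "Enabled", "KeyManager": "AWS"},
    KEY_A: {"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER",
            "DeletionDate": datetime(2025, 1, 20, tzinfo=timezone.utc)},
    KEY_B: {"KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    KEY_C: {"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER",
            "DeletionDate": datetime(2025, 1, 13, tzinfo=timezone.utc)},
}

# Constructed: customer created keys that encrypt backups, as collected from vault metadata.
SAMPLE_BACKUP_KEYS = [KEY_B, KEY_C]

# Fixed "now" so the worked example is reproducible.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)


def druva_credential_parameters(parameters):
    """SecureString parameters that follow the Druva credential naming convention."""
    return [p for p in parameters
            if p.get("Type") == "SecureString" and p.get("Name", "").startswith(DRUVA_PREFIX)]


def key_status(meta, now):
    """Reduce KeyMetadata to (status, days_left).

    A key in PendingDeletion already refuses Decrypt calls, but the deletion can
    still be cancelled until DeletionDate; days_left is the remaining window.
    """
    state = meta.get("KeyState", "Unavailable")
    if state == "Enabled":
        return "ok", None
    if state == "PendingDeletion":
        return "pending_deletion", (meta["DeletionDate"] - now).days
    return state.lower(), None  # Disabled and similar states: no deletion clock running


def audit(parameters, keys, backup_keys, now=NOW):
    """One finding per Druva credential or backup key whose KMS key is not usable."""
    findings = []
    # Scenario 2 of the article: credential parameters are recreatable, so this is not data loss.
    for p in druva_credential_parameters(parameters):
        key_id = p.get("KeyId", DEFAULT_SSM_KEY)
        status, days_left = key_status(keys[key_id], now)
        if status != "ok":
            findings.append({
                "kind": "credential", "resource": p["Name"], "key": key_id,
                "status": status, "days_left": days_left, "severity": "medium",
                "action": "Recreate storage credentials in the CloudRanger console; "
                          "new parameters are written to Parameter Store automatically.",
            })
    # Backup keys: no recreation path exists, so a pending deletion is the worst case.
    for key_id in backup_keys:
        status, days_left = key_status(keys[key_id], now)
        if status != "ok":
            pending = status == "pending_deletion"
            findings.append({
                "kind": "backup", "resource": key_id, "key": key_id,
                "status": status, "days_left": days_left,
                "severity": "critical" if pending else "high",
                "action": ("Cancel the scheduled deletion and re-enable the key before the date passes; "
                           "once deleted, backups encrypted with it cannot be restored."
                           if pending else "Re-enable the key so restores can decrypt."),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PARAMETERS, SAMPLE_KEYS, SAMPLE_BACKUP_KEYS):
        print(f"[{f['severity']}] {f['kind']} {f['resource']}: {f['status']}"
              + (f", {f['days_left']} day(s) left to cancel" if f["days_left"] is not None else "")
              + f"\n    -> {f['action']}")
```

Two points behind the design. KMS never deletes a key immediately: deletion is scheduled with a mandatory waiting period and can be cancelled until the deletion date, but a key that is pending deletion already refuses decrypt operations, which is why both scenarios in this article surface (failed authentication, failed restores) before the key is actually gone, and why the days_left value is the number that matters. The AWS managed aws/ssm key cannot be scheduled for deletion by the customer, so Scenario 2 in practice concerns customer managed keys selected for a SecureString parameter; the audit therefore reports only keys whose state is not Enabled, whoever manages them.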