This article provides an overview of different restore scenarios.
Scenario 1: Retain original encryption settings
To retain the original encryption settings (such as the source bucket’s KMS key or default SSE-S3 encryption), we recommend that you select the Restore to original location option and leave the Encryption Settings blank in the Advanced Settings.
When no encryption key is specified, the restore process automatically applies the same encryption configuration that was used in the source S3 bucket.
Scenario 2: Restore with a cross-account KMS key
When performing a restore of an AWS S3 bucket, there may be situations where you want to encrypt the restored data using a KMS key that resides in a different AWS account from where the data is being restored. For example,
You're restoring an S3 bucket to AWS Account A
You choose a KMS key from AWS Account B in the Encryption Settings
You want the restored data to be encrypted using this external KMS key
In this case, perform the following steps to ensure that the restore works correctly.
Onboard the AWS account: If the KMS key you want to use is not yet available, you may need to first onboard that AWS account into your AWS Workloads Management Console. For more information, see Create an AWS Access Role.
Update the KMS key policy: When using a KMS key from a different account (Account B) than the restore target (Account A), you must add the Role ARN of Account A to the key policy of the KMS key in Account B.
Additional role for cloud restores: If you are restoring data from Druva Cloud backups, you also need to add the Data Role ARN to the KMS key policy in Account B.
Locate the required Role ARNs: To find the necessary Role ARNs, navigate to AWS Identity and Access Management (IAM) > Roles, and check for these roles:
cloudranger-orchestration-<ACCOUNT ID>cloudranger-ec2-data-<ACCOUNT ID>
After performing the above steps, go to the AWS Workloads Management Console and select the KMS key available in the cross-account.
For more information on managing key policies, please refer to the AWS documentation on key policies.
Scenario 3: Use a different KMS Key from the same AWS account during restore
If you choose to use a different KMS key within the same AWS account as the restore target (i.e., the AWS account where you are restoring the S3 bucket), you can do so directly in the Encryption Settings during the restore process.
In this case, no additional configuration or policy changes are required because the restore role already has the necessary permissions within the same AWS account.
The restore will proceed seamlessly using the selected KMS key to encrypt the restored data.
This simplifies the process compared to using a KMS key from a different AWS account, where cross-account permissions and policies must be updated.
Encryption key selection and AWS region limitations in S3 Restore
When restoring an AWS S3 bucket, you can choose encryption settings, including KMS keys to encrypt the restored data. However, due to AWS restrictions:
KMS keys cannot be used across different AWS regions. AWS does not support selecting a KMS key from one region to encrypt data in another region.
Because of this, Druva automatically selects the AWS region for encryption keys to match the region chosen in the restore location—whether you restore to the original region or an alternate one.
This ensures that the selected KMS key is valid and compatible with the region where the data is being restored.
Understanding encryption behavior in S3 restores
When restoring S3 buckets, encryption behavior depends on two key factors:
The AWS region of the selected restore location
Whether a KMS key is explicitly selected during the restore process
AWS region limitations on KMS keys
KMS keys are region-specific—they cannot be used across AWS regions.
Therefore, when you select a restore location (either original or alternate region), Druva will only allow or apply KMS keys from the same region.
The KMS key selection is automatically restricted to match the region chosen for restore to ensure AWS compatibility.
What happens when no KMS key is selected?
The restore behavior depends on the restore location:
1. Restore to Original Location (Same bucket and region):
If no KMS key is selected, Druva restores the S3 objects using their original encryption keys.
This maintains the same encryption settings that were present at the time of backup (including SSE-KMS or SSE-S3).
2. Restore to Alternate Location (Different bucket or region):
If no KMS key is selected, objects are restored using the default SSE-S3 key of the target AWS account and region.
This means encryption is still applied, but with Amazon-managed keys (SSE-S3) in the new location.