When restoring your RDS airgap backups, you can select the KMS key to encrypt data at the time of restore.
Only Symmetric keys are supported when restoring your RDS resources.
You can select a Customer Managed Key (CMK) or the default AWS Managed Key (AMK).
We recommend using a Customer Managed Key, if available.
Customer Managed Keys provide better access control, key rotation, and policies, while AWS Managed Keys are simpler to use but have limited flexibility.
📝 Note
If selecting an AMK for restore encryption, do note that the restored instance cannot be backed up to Airgap Cloud Storage.
AWS Managed Keys are not supported when selecting a KMS key that is in a different account than the restore target. In such cases, you can only select a CMK key
Selecting a KMS Key is mandatory when restoring RDS airgap backups.
Scenario 1: Restore with a different KMS key from the same AWS Account
You can select a different KMS key within the same AWS Account as the restore target (Account A from the previous example), you can proceed with no additional configuration or key policy changes. The restore proceeds seamlessly with the selected KMS Key.
Scenario 2: Restore with a cross-account KMS key
When performing a restore of an RDS database or cluster, you may choose to encrypt the restored data using a KMS key that is in a different account than the one the instance is restored to.
For example:
You are restoring the RDS database or cluster to AWS Account A
The KMS key resides in a different AWS Account (Account B)
You want the restored data to be encrypted using this external KMS key
To proceed with the restore with a cross-account KMS key:
Onboard the AWS account: If the KMS key you want to use is not available to select, you will need to first onboard that AWS account into your AWS Workloads management console. For more information, see Create an AWS Access Role.
Additional role for cloud restores: If you are restoring data from Druva Cloud backups, you also need to add the Data Role ARN to the KMS key policy of Account B.
Locate the required Role ARNs: Navigate to AWS Identity and Access Management (IAM) > Roles, and then locate the following roles:
cloudranger-orchestration-<ACCOUNT ID>
cloudranger-ec2-data-<ACCOUNT ID>
For more information on managing key policies, refer to the AWS documentation.
Encryption keys and AWS Region limitations
When restoring an RDS database or cluster, you can choose encryption settings, including KMS keys to encrypt the restored data. However, do note the following AWS Region-level limitations:
KMS keys are region-specific and cannot be used across different AWS Regions. AWS does not support selecting a KMS key from one Region to encrypt data in another target Region.
Druva automatically selects the AWS Region for encryption keys to match the Region chosen in the restore location, irrespective of whether this differs from the source Region. This ensures that the selected KMS key is valid and compatible with the region where the data is being restored.
RDS Restore FAQs
Does Druva support Asymmetric KMS keys when encrypting restored RDS resources?
Does Druva support Asymmetric KMS keys when encrypting restored RDS resources?
No, Druva only supports Symmetric keys to encrypt restoring RDS resources. This is the default AWS behavior when encrypting RDS resources. For more information, refer to the AWS documentation.
What types of KMS keys does Druva support to encrypt a restored RDS resource?
What types of KMS keys does Druva support to encrypt a restored RDS resource?
You can choose to encrypt a restored RDS resource with Customer Managed Keys (CMK) or the default AWS Managed Keys (AMK).
AWS Managed Keys are not supported when selecting a KMS key that is in a different account than the restore target. In such cases, you will need to only select a Customer Managed Key.