When restoring your RDS airgap backups, you can select the KMS key to encrypt data at the time of restore.
Only Symmetric keys are supported when restoring your RDS resources.
You can select a Customer Managed Key (CMK) or the default AWS Managed Key (AMK).
We recommend using a Customer Managed Key, if available.
Customer Managed Keys provide better access control, key rotation, and policies, while AWS Managed Keys are simpler to use but have limited flexibility.
Note
If selecting an AMK for restore encryption, note that the restored instance cannot be backed up to Airgap Cloud Storage.
AWS Managed Keys are not supported when selecting a KMS key that is in a different account than the restore target. In such cases, you can only select a CMK key.
You can restore non-airgapped RDS snapshots across accounts only if the original backups were encrypted with Customer Managed Keys (CMKs). Non-airgapped snapshots that were encrypted with AMKs cannot be restored to a different AWS Account. Cross-region restores within the same account are fully supported.
Selecting a KMS Key is mandatory when restoring RDS airgap backups.
For non-airgapped RDS snapshots, selecting a KMS key is mandatory when the recovery points were originally encrypted. In the case of unencrypted recovery points that are not airgapped, the KMS key selection will remain optional.
Scenario 1: Restore with a different KMS key from the same AWS Account
If you select a different KMS key within the same AWS Account as the restore target (Account A from the previous example), you can proceed with no additional configuration or key policy changes. The restore proceeds seamlessly with the selected KMS key.
Scenario 2: Restore with a cross-account KMS key
When performing a restore of an RDS database or cluster, you may choose to encrypt the restored data using a KMS key that is in a different account than the one the instance is restored to.
For example:
You are restoring the RDS database or cluster to AWS Account A
The KMS key resides in a different AWS Account (Account B)
You want the restored data to be encrypted using this external KMS key
If the KMS key you want to use is not available to select, you first need to onboard the AWS account that owns the key (Account B) into your AWS Workloads management console. For more information, see Create an AWS Access Role.
Encryption keys and AWS Region limitations
When restoring an RDS database or cluster, you can choose encryption settings, including KMS keys to encrypt the restored data. However, do note the following AWS Region-level limitations:
KMS keys are region-specific and cannot be used across different AWS Regions. AWS does not support selecting a KMS key from one Region to encrypt data in another target Region.
Druva automatically selects the AWS Region for encryption keys to match the Region chosen in the restore location, irrespective of whether this differs from the source Region. This ensures that the selected KMS key is valid and compatible with the region where the data is being restored.
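The constraints from the scenarios above (symmetric keys only, key Region must match the restore Region, no AWS managed key from another account, and when a key is mandatory) can be checked before a restore is submitted. The following preflight check is an added example, not Druva's code; it assumes the key metadata is the KeyMetadata dict returned by the AWS kms:DescribeKey API, and the account IDs and key IDs in the samples are constructed.

```python
SYMMETRIC = "SYMMETRIC_DEFAULT"  # the only KeySpec accepted for RDS restore encryption


def check_restore_key(key_meta, target_account, target_region,
                      airgap=False, source_encrypted=True):
    """Return (errors, warnings) for the selected key; key_meta is None if no key was chosen."""
    errors, warnings = [], []
    if key_meta is None:
        # Airgap restores, and restores of encrypted recovery points, require a key.
        if airgap or source_encrypted:
            errors.append("a KMS key is mandatory for this restore")
        return errors, warnings
    # Key ARN layout: arn:aws:kms:<region>:<account>:key/<key-id>
    parts = key_meta["Arn"].split(":")
    key_region, key_account = parts[3], parts[4]
    if key_meta.get("KeySpec") != SYMMETRIC:
        errors.append(f"asymmetric key {key_meta['KeyId']} is not supported")
    if key_meta.get("KeyState") != "Enabled":
        errors.append(f"key {key_meta['KeyId']} is not in the Enabled state")
    if key_region != target_region:
        # KMS keys are Region-specific; the key must live in the restore Region.
        errors.append(f"key is in {key_region} but restore targets {target_region}")
    is_amk = key_meta.get("KeyManager") == "AWS"
    if is_amk and key_account != target_account:
        errors.append("AWS managed keys cannot be used from another account; select a CMK")
    if is_amk:
        # Allowed, but the restored instance cannot later be backed up to Airgap Cloud Storage.
        warnings.append("restored instance cannot be backed up to Airgap Cloud Storage")
    return errors, warnings


# Constructed sample: a customer managed symmetric key owned by Account B in us-east-1.
CMK_B = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:222222222222:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeySpec": SYMMETRIC, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
}
# Constructed sample: an AWS managed symmetric key owned by Account A in us-east-1.
AMK_A = dict(CMK_B, KeyId="aaaa1111-bbbb-2222-cccc-333333333333",
             Arn="arn:aws:kms:us-east-1:111111111111:key/aaaa1111-bbbb-2222-cccc-333333333333",
             KeyManager="AWS")

if __name__ == "__main__":
    # Scenario 2: restore into Account A using Account B's CMK -> no errors.
    print(check_restore_key(CMK_B, "111111111111", "us-east-1"))
    # Same key in a different Region -> rejected (keys are Region-specific).
    print(check_restore_key(CMK_B, "111111111111", "eu-west-1"))
```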
RDS Restore Encryption FAQs
Can I restore my RDS resource across AWS Accounts
Yes, you can restore your RDS resources to a different AWS Account than the Account where the original instance resides.
Can I restore my RDS resource to a different AWS Region
Yes, you can restore your RDS resources across AWS Regions.
Does Druva support Asymmetric KMS keys when encrypting restored RDS resources?
No, Druva only supports Symmetric keys to encrypt restored RDS resources. This matches the default AWS behavior when encrypting RDS resources. For more information, refer to the AWS documentation.
What types of KMS keys does Druva support to encrypt a restored RDS resource?
You can choose to encrypt a restored RDS resource with Customer Managed Keys (CMK) or the default AWS Managed Keys (AMK).
AWS Managed Keys are not supported when selecting a KMS key that is in a different account than the restore target. In such cases, you can only select a Customer Managed Key.
