
AWS Backup Vault Encryption

Overview

This check verifies that AWS Backup vaults are encrypted at rest using AWS KMS. Backup vaults store recovery points (backups) of your AWS resources; without a KMS key configured on the vault, those recovery points lack cryptographic protection at rest.

Risk

Unencrypted backup vaults can expose your recovery points if:

  • Storage infrastructure is compromised
  • AWS credentials are leaked or stolen
  • Cross-account access is misconfigured

This could lead to data exfiltration, compliance violations, and loss of confidential business information. Encryption also provides integrity assurance and supports forensic investigations.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to create backup vaults
  • A KMS key to use for encryption (or permission to create one)

Required IAM permissions

To create encrypted backup vaults, you need these permissions:

  • backup:CreateBackupVault
  • backup:DescribeBackupVault
  • backup:DeleteBackupVault (if migrating from unencrypted vault)
  • kms:DescribeKey
  • kms:CreateGrant
  • kms:GenerateDataKey

Important Note

The encryption settings of an AWS Backup vault cannot be modified after creation. If you have an unencrypted vault, you must:

  1. Create a new vault with encryption enabled
  2. Update your backup plans to use the new vault
  3. Delete the old unencrypted vault (after migrating recovery points if needed)

AWS Console Method

Step 1: Create a new encrypted backup vault

  1. Open the AWS Backup console
  2. In the left navigation, click Backup vaults
  3. Click Create backup vault
  4. Enter a Backup vault name (e.g., my-encrypted-vault)
  5. Under Encryption key, choose one of:
    • AWS managed key - Uses the default aws/backup key (simplest option)
    • Choose a key - Select a customer-managed KMS key (recommended for production)
  6. Add tags if desired
  7. Click Create backup vault

Step 2: Update backup plans to use the new vault

  1. In the left navigation, click Backup plans
  2. Select the backup plan using the unencrypted vault
  3. Click Edit on the backup rule
  4. Under Backup vault, select your new encrypted vault
  5. Click Save backup rule

Step 3: (Optional) Delete the unencrypted vault

  1. Go back to Backup vaults
  2. Select the old unencrypted vault
  3. Delete any recovery points if no longer needed (or copy them to the new vault first)
  4. Click Delete on the vault

AWS CLI (optional)

Create a new encrypted backup vault with AWS-managed key:

aws backup create-backup-vault \
  --backup-vault-name my-encrypted-vault \
  --region us-east-1

Note: When you omit --encryption-key-arn, AWS Backup uses the default AWS-managed key (aws/backup).

Create a backup vault with a customer-managed KMS key:

aws backup create-backup-vault \
  --backup-vault-name my-encrypted-vault \
  --encryption-key-arn arn:aws:kms:us-east-1:<account-id>:key/<key-id> \
  --region us-east-1

List existing backup vaults and check encryption:

aws backup list-backup-vaults \
  --region us-east-1 \
  --query 'BackupVaultList[*].{Name:BackupVaultName,EncryptionKey:EncryptionKeyArn}'

Describe a specific vault to verify encryption:

aws backup describe-backup-vault \
  --backup-vault-name my-encrypted-vault \
  --region us-east-1 \
  --query '{VaultName:BackupVaultName,EncryptionKeyArn:EncryptionKeyArn}'

Replace:

  • <account-id> with your 12-digit AWS account ID
  • <key-id> with your KMS key ID
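
As an added example (not part of this page and not Prowler's check code), the script below audits every vault in the output of the list-backup-vaults command above offline, applying the same criterion as the check (a vault with no EncryptionKeyArn fails) and, when given a mapping of key ARNs to the KeyManager value reported by `aws kms describe-key`, distinguishing the AWS-managed aws/backup key from a customer-managed one. The account ID, key IDs and file names are constructed for illustration.

```python
"""Offline audit of AWS Backup vault encryption from `aws backup list-backup-vaults` JSON.

Added example, not Prowler's check code. Optional argv[1]: a JSON file mapping KMS key ARNs
to the KeyManager value ("AWS" or "CUSTOMER") from `aws kms describe-key`, since an ARN
alone does not say whether a key is AWS-managed (aws/backup) or customer-managed.
"""
import json
import sys

# Constructed sample values in the shape of the CLI output (account ID and key IDs are made up).
CMK = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
AWS_KEY = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"
SAMPLE_LIST = {"BackupVaultList": [
    {"BackupVaultName": "Default"},  # no EncryptionKeyArn: this is what the check flags
    {"BackupVaultName": "my-encrypted-vault", "EncryptionKeyArn": CMK},
    {"BackupVaultName": "legacy-vault", "EncryptionKeyArn": AWS_KEY},
]}
SAMPLE_KEY_MANAGERS = {CMK: "CUSTOMER", AWS_KEY: "AWS"}  # KeyManager as describe-key reports it


def classify_vault(vault, key_managers=None):
    """Return (status, detail). FAIL mirrors the check: the vault has no EncryptionKeyArn."""
    key_arn = vault.get("EncryptionKeyArn")
    if not key_arn:
        return "FAIL", "no EncryptionKeyArn"
    manager = (key_managers or {}).get(key_arn)
    if manager == "AWS":
        return "PASS", "AWS-managed key (aws/backup); consider a customer-managed key"
    if manager == "CUSTOMER":
        return "PASS", "customer-managed key"
    return "PASS", "encrypted (key manager unknown)"


def audit(list_output, key_managers=None):
    """Map each vault name to its (status, detail) for every vault in the list output."""
    return {v["BackupVaultName"]: classify_vault(v, key_managers)
            for v in list_output.get("BackupVaultList", [])}


def failing_vaults(list_output):
    """Names of vaults the check would flag, sorted for stable reporting."""
    return sorted(name for name, (status, _) in audit(list_output).items() if status == "FAIL")


if __name__ == "__main__":
    vaults = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LIST
    managers = SAMPLE_KEY_MANAGERS
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            managers = json.load(fh)
    for name, (status, detail) in audit(vaults, managers).items():
        print(f"{status:4} {name}: {detail}")
    sys.exit(1 if failing_vaults(vaults) else 0)
```

Run as `aws backup list-backup-vaults --region us-east-1 | python3 audit_backup_vaults.py key-managers.json`; a non-zero exit status means at least one vault has no encryption key.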

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Backup vault with KMS encryption

Parameters:
  BackupVaultName:
    Type: String
    Description: Name of the backup vault
    Default: encrypted-backup-vault

  UseCustomerManagedKey:
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
    Description: Use customer-managed KMS key (true) or AWS-managed key (false)

Conditions:
  CreateKmsKey: !Equals [!Ref UseCustomerManagedKey, 'true']

Resources:
  BackupKmsKey:
    Type: AWS::KMS::Key
    Condition: CreateKmsKey
    Properties:
      Description: KMS key for AWS Backup vault encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow Backup Service
            Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: '*'

  BackupKmsKeyAlias:
    Type: AWS::KMS::Alias
    Condition: CreateKmsKey
    Properties:
      AliasName: !Sub 'alias/backup-${BackupVaultName}'
      TargetKeyId: !Ref BackupKmsKey

  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref BackupVaultName
      EncryptionKeyArn: !If
        - CreateKmsKey
        - !GetAtt BackupKmsKey.Arn
        - !Ref AWS::NoValue

Outputs:
  BackupVaultName:
    Description: Name of the backup vault
    Value: !Ref BackupVault

  BackupVaultArn:
    Description: ARN of the backup vault
    Value: !GetAtt BackupVault.BackupVaultArn

  KmsKeyArn:
    Condition: CreateKmsKey
    Description: ARN of the KMS key used for encryption
    Value: !GetAtt BackupKmsKey.Arn

Deploy with:

aws cloudformation deploy \
  --template-file backup-vault.yaml \
  --stack-name encrypted-backup-vault \
  --parameter-overrides \
    BackupVaultName=my-encrypted-vault \
    UseCustomerManagedKey=true \
  --region us-east-1

Terraform (optional)

# variables.tf
variable "backup_vault_name" {
  description = "Name of the AWS Backup vault"
  type        = string
  default     = "encrypted-backup-vault"
}

variable "use_customer_managed_key" {
  description = "Use customer-managed KMS key instead of AWS-managed key"
  type        = bool
  default     = true
}

# main.tf
resource "aws_kms_key" "backup" {
  count                   = var.use_customer_managed_key ? 1 : 0
  description             = "KMS key for AWS Backup vault encryption"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow Backup Service"
        Effect = "Allow"
        Principal = {
          Service = "backup.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })

  tags = {
    Purpose = "AWS Backup vault encryption"
  }
}

resource "aws_kms_alias" "backup" {
  count         = var.use_customer_managed_key ? 1 : 0
  name          = "alias/backup-${var.backup_vault_name}"
  target_key_id = aws_kms_key.backup[0].key_id
}

data "aws_caller_identity" "current" {}

resource "aws_backup_vault" "main" {
  name        = var.backup_vault_name
  kms_key_arn = var.use_customer_managed_key ? aws_kms_key.backup[0].arn : null

  tags = {
    Environment = "production"
  }
}

# outputs.tf
output "backup_vault_name" {
  description = "Name of the backup vault"
  value       = aws_backup_vault.main.name
}

output "backup_vault_arn" {
  description = "ARN of the backup vault"
  value       = aws_backup_vault.main.arn
}

output "kms_key_arn" {
  description = "ARN of the KMS key (if customer-managed key enabled)"
  value       = var.use_customer_managed_key ? aws_kms_key.backup[0].arn : null
}

Deploy with:

terraform init
terraform apply \
  -var="backup_vault_name=my-encrypted-vault" \
  -var="use_customer_managed_key=true"

Verification

After creating your encrypted vault, verify the encryption:

  1. Go to the AWS Backup Vaults console
  2. Click on your vault name
  3. Under Encryption key, confirm a KMS key ARN is displayed

CLI verification

aws backup describe-backup-vault \
  --backup-vault-name my-encrypted-vault \
  --query '{VaultName:BackupVaultName,EncryptionKeyArn:EncryptionKeyArn}' \
  --region us-east-1

Expected output:

{
  "VaultName": "my-encrypted-vault",
  "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/..."
}

Re-run the Prowler check:

prowler aws --checks backup_vaults_encrypted

Additional Resources

Notes

  • Vaults cannot be modified after creation: Unlike many AWS resources, backup vault encryption cannot be changed. You must create a new vault if you need different encryption settings.
  • Default vault: AWS creates a "Default" vault automatically. Check if this vault is encrypted and create a replacement if needed.
  • AWS-managed vs customer-managed keys: AWS-managed keys (aws/backup) are simpler but offer less control. Customer-managed keys allow key rotation policies, cross-account sharing, and granular access control.
  • KMS key permissions: Ensure your KMS key policy grants the AWS Backup service permission to use the key.
  • Recovery point migration: Before deleting an unencrypted vault, consider whether you need to retain existing recovery points. You can copy them to the new encrypted vault using AWS Backup's copy feature.
  • Cost considerations: Customer-managed KMS keys incur monthly charges and per-request fees. AWS-managed keys have no additional cost beyond standard AWS Backup pricing.
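
The "KMS key permissions" note above is easy to get wrong once a key policy is edited by hand. As an added example (not part of this page and not Prowler's or AWS's code), the script below reads a key policy document and reports which of the actions the templates above grant to backup.amazonaws.com are not allowed, or are explicitly denied, for that service principal. It assumes the statements carry no Condition elements (none do in the templates above); the account ID in the sample policy is constructed.

```python
"""Check that a KMS key policy lets backup.amazonaws.com use the key.

Added example, not Prowler's or AWS's code. Pipe in the policy JSON, e.g. from
`aws kms get-key-policy --key-id <key-id> --policy-name default --output text`.
Statement Conditions are ignored (assumption: none are used, as in the templates above).
"""
import fnmatch
import json
import sys

# Concrete actions behind the patterns the templates grant (kms:ReEncrypt*, kms:GenerateDataKey*).
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:DescribeKey")
# Constructed key policy in the shape of the CloudFormation/Terraform templates (account ID made up).
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*"},
    {"Sid": "Allow Backup Service", "Effect": "Allow", "Resource": "*", "Principal": {"Service": "backup.amazonaws.com"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]},
]}


def _as_list(value):  # IAM allows Action and Principal.Service to be a string or a list
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, service):
    """True if the statement's Principal covers the service principal (or everyone)."""
    if isinstance(principal, dict):
        return principal.get("AWS") == "*" or service in _as_list(principal.get("Service", []))
    return principal == "*"


def _action_allowed(patterns, action):
    """IAM action matching is case-insensitive and supports * wildcards (e.g. kms:ReEncrypt*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def backup_service_missing_actions(policy, service="backup.amazonaws.com"):
    """Required actions the service is not allowed, or is explicitly denied, by this key policy."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), service):
            continue
        patterns = _as_list(stmt.get("Action", []))
        hit = {a for a in REQUIRED_ACTIONS if _action_allowed(patterns, a)}
        (denied if stmt.get("Effect") == "Deny" else allowed).update(hit)
    return sorted(a for a in REQUIRED_ACTIONS if a not in allowed or a in denied)


if __name__ == "__main__":
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else GOOD_POLICY
    missing = backup_service_missing_actions(policy)
    print("OK: AWS Backup can use this key" if not missing else "MISSING: " + ", ".join(missing))
    sys.exit(1 if missing else 0)
```

Run with no input to check the sample policy, or pipe in the real policy document; a non-zero exit status lists the actions the AWS Backup service is still missing.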