Veeam Support Knowledge Base
How to work with Amazon EBS encryption using Veeam Backup for AWS

How to work with Amazon EBS encryption using Veeam Backup for AWS

KB ID:	3057
Product:	Veeam Backup for AWS \| 1.0 \| 2.0 \| 3.0 \| 4.0 \| 5.0 \| 5a \| 6.0 \| 6a \| 7.0
Published:	2020-07-07
Last Modified:	2023-08-28

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please try again later.

Challenge

You want to backup or restore instances with encrypted volumes.
You receive one of the following related errors while working with encrypted volumes:

Encrypted snapshots with EBS default key cannot be shared

The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared

User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)

Solution

To perform backup, snapshot replication, or a restore to an S3 Repository using Customer Master Keys (CMKs), IAM Roles must be allowed to use Encryption Keys involved in the task.

Veeam recommends to use Key Policies to control access to customer master keys.

Veeam Backup for AWS will check for the existence of necessary permissions in the Key Policies of the Encryption Keys for IAM Roles used in the task. If that verification fails, an error message will be displayed in the session log detailing missing permissions and for which IAM Roles in the Key Policy.

The following sections of this article document which permissions are needed and how to add them.

Permissions Required for Cryptographic Operations
How to allow an IAM Role to use the CMK
Default Encryption Key of the region and how to change it

Permissions Required for Cryptographic Operations

This is the set of permissions that should be given to an IAM Role via a Key Policy to perform cryptographic operations.

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"

It’s the set that AWS gives the user of the Key by default. This means that if you add an IAM Role to the Key Policy using Default View, the awarded permissions will be enough.

But if you want to add an IAM Role using Policy View (to add an IAM Role from another account, in any case you need to use Policy View), then you will need to add them manually.

Here is the policy view example:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: <accountid>:role/<rolename>"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: <accountid>:role/<rolename>"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

How to allow an IAM Role to use the CMK

To allow an IAM Role to use the CMK, you need to add the Role as the Key User to the Key Policy. There are two ways to do this:

Method 1: Using the AWS Management Console default view

Open the AWS Key Management Service (AWS KMS) console.
To change the AWS Region, use the Region selector in the upper-right corner of the page.
To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit
To add Key Users, use the controls in the Key users section of the page.

The set of permissions that AWS gives to the Key User by default will be enough to work with the CMK in Veeam Backup for AWS.

Note: You cannot add an IAM Role from another account using Default Policy view.

Method 2: Using the AWS Management Console policy view

Open the AWS Key Management Service (AWS KMS) console.
To change the AWS Region, use the Region selector in the upper-right corner of the page.
To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit.
In the Key Policy section, you might see the Key Policy document. This is Policy View.
Or, if you created the CMK in the AWS Management Console, you will see the Default View with sections for Key Administrators, Key Deletion, and Key Users. To see the key policy document, choose Switch to policy view.
Click Edit to start editing. After making changes, click Save.

The set of required permissions can be found in section The set of permissions required for cryptographic operations

Default Encryption Key of the region and how to change it

In some cryptographic operations, Veeam Backup for AWS is forced to use a Default Encryption Key in one of your regions to encrypt resources (for example, when you replicate encrypted snapshots without choosing a target key or you restore data from an S3 repository between accounts).

The Default Encryption Key in the region is the key that will encrypt all your resources which must be encrypted unless you explicitly specify the encryption key. (for example, when you create a volume from a shared encrypted snapshot without specifying a target key, it will be encrypted with the region's default key). For more information about Default Encryption Key and creating resources from encrypted sources, see AWS Documentation.

How to change a Default Encryption Key in the region:

Open the Amazon Console at https://console.aws.amazon.com/ec2/.
To change the AWS Region, use the Region selector in the upper-right corner of the page.
Choose EBS Encryption in the Account attributes section.
Click Manage and select the new Default Encryption key from the drop-down list.
Finish editing by clicking Update EBS Encryption.

Common Errors

Encrypted snapshots with EBS default key cannot be shared

This error occurs during a Cross-Account Backup or Snapshot Replication when one or more volumes of the source instance are encrypted using the default AWS KMS encryption key (aws/ebs alias).

One possible solution is to re-encrypt the source volume using a custom key.

You cannot change the CMK associated with an existing snapshot or volume. However, you can associate a different CMK during a snapshot copy or volume creation operation so that the resulting resource is encrypted by the new CMK.

For more information about Snapshot sharing, see AWS Documentation

Another option is to deploy workers in the production account to avoid having to share resources encrypted with the default AWS KMS encryption key.

The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared.

This error occurs in situations where the snapshot that Veeam is going to encrypt with the Default Encryption Key of the region should be shared, but the Default Encryption Key of the region is the default AWS KMS encryption key (aws/ebs alias).

This happens because AWS does not allow sharing encrypted snapshots using the default AWS KMS encryption key (aws/ebs alias).

To resolve this issue, change the Default Encryption Key in the desired region or deploy workers in the production account to avoid sharing resources encrypted with the default AWS KMS encryption key.

User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)

This error occurs when Veeam detects that one of the IAM Roles has no permissions to one of the Encryption Keys.

To resolve it, you must add the missing permissions for the IAM Role to the Key Policy.

Review the section: How to allow an IAM Role to use the CMK.

The error indicates the missing permissions, IAM Role, and Encryption Key identifiers.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.