Ensure that your Amazon Backup vaults are using AWS KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys) to encrypt your backup data, so that you have fine-grained control over the data-at-rest encryption/decryption process and can meet compliance requirements. Amazon Backup is a fully managed service that creates, restores and deletes backups on your behalf. A backup vault is a container used to organize AWS backups. You can use backup vaults to set the AWS KMS encryption key that is used to encrypt your backups and to control access to them. The KMS encryption key configured for a backup vault applies only to the backups created for certain resource types, such as Amazon EFS file systems, where it adds another layer of protection. Backups of all other resource types are encrypted with the key that is used to encrypt the source resource.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect the backups created with the Amazon Backup service, you have full control over who can use the encryption keys to access your backups. Amazon Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Backup data.
To determine the encryption configuration of your Amazon Backup vaults, perform the following actions:
To encrypt your backup data using your own AWS KMS Customer Master Keys, you have to re-create the non-compliant AWS Backup vaults with the required encryption configuration. To re-create your backup vaults and enable data-at-rest encryption using your own KMS CMKs, perform the following actions:
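The audit logic behind both procedures above, as an added example that is not part of the original page: it takes records shaped like the output of `aws backup list-backup-vaults` and `aws kms describe-key`, uses the `KeyManager` field (`AWS` for AWS managed keys such as `alias/aws/backup`, `CUSTOMER` for your own CMKs) to classify each vault, and lists the vaults that need to be re-created. The sample vault names, account IDs and key IDs are constructed; the optional `collect_from_aws` helper assumes credentials with `backup:ListBackupVaults` and `kms:DescribeKey` and is only needed for a live scan.

```python
"""Classify AWS Backup vaults by the kind of KMS key that protects them.

Added example (not from the original page). The pure-Python logic below takes
the same shapes that `aws backup list-backup-vaults` and `aws kms describe-key`
return and flags vaults whose EncryptionKeyArn is not a customer-managed CMK.
"""

AWS_MANAGED = "AWS"            # KeyManager value for AWS managed keys (e.g. alias/aws/backup)
CUSTOMER_MANAGED = "CUSTOMER"  # KeyManager value for customer-managed CMKs


def classify_vault(vault, key_metadata_by_arn):
    """Return 'CUSTOMER', 'AWS' or 'UNKNOWN' for one vault record.

    vault: one item from BackupVaultList.
    key_metadata_by_arn: {key ARN: KeyMetadata dict from kms describe-key}.
    A key we could not describe (deleted, other account, missing kms:DescribeKey)
    is reported as UNKNOWN so it is never silently treated as compliant.
    """
    key_arn = vault.get("EncryptionKeyArn")
    if not key_arn:
        return "UNKNOWN"
    meta = key_metadata_by_arn.get(key_arn)
    if meta is None:
        return "UNKNOWN"
    manager = meta.get("KeyManager")
    if manager == CUSTOMER_MANAGED:
        return "CUSTOMER"
    if manager == AWS_MANAGED:
        return "AWS"
    return "UNKNOWN"


def find_noncompliant_vaults(vaults, key_metadata_by_arn):
    """Names of vaults not protected by a customer-managed CMK (AWS managed or unresolvable)."""
    return sorted(
        v["BackupVaultName"]
        for v in vaults
        if classify_vault(v, key_metadata_by_arn) != "CUSTOMER"
    )


def collect_from_aws(region_name=None):
    """Fetch live data with boto3 (assumes backup:ListBackupVaults and kms:DescribeKey).
    boto3 is imported lazily so the rest of the module runs offline."""
    import boto3
    backup = boto3.client("backup", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    vaults, token = [], None
    while True:  # list_backup_vaults is paginated via NextToken
        kwargs = {"NextToken": token} if token else {}
        page = backup.list_backup_vaults(**kwargs)
        vaults.extend(page.get("BackupVaultList", []))
        token = page.get("NextToken")
        if not token:
            break
    metadata = {}
    for v in vaults:
        arn = v.get("EncryptionKeyArn")
        if arn and arn not in metadata:
            try:
                metadata[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
            except Exception:  # AccessDenied / NotFound -> classified as UNKNOWN
                metadata[arn] = None
    return vaults, metadata


# Constructed sample data shaped like the CLI/boto3 responses; account and key ids are made up.
SAMPLE_VAULTS = [
    {"BackupVaultName": "Default",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aws-managed"},
    {"BackupVaultName": "prod-efs-vault",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-customer-cmk"},
    {"BackupVaultName": "legacy-vault",
     "EncryptionKeyArn": "arn:aws:kms:us-east-1:999988887777:key/cccc3333-other-account"},
]
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aws-managed":
        {"KeyManager": "AWS", "Description": "Default key that protects my AWS Backup data"},
    "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-customer-cmk":
        {"KeyManager": "CUSTOMER", "Description": "backup-vault-cmk"},
    # the third key belongs to another account and could not be described, so it is absent
}

if __name__ == "__main__":
    for v in SAMPLE_VAULTS:
        print(f"{v['BackupVaultName']}: {classify_vault(v, SAMPLE_KEY_METADATA)}")
    print("non-compliant:", find_noncompliant_vaults(SAMPLE_VAULTS, SAMPLE_KEY_METADATA))
```

Vaults reported as `AWS` or `UNKNOWN` are the ones to re-create: a vault's KMS key is fixed at creation time, which is why the remediation above is to create a new vault (`aws backup create-backup-vault --backup-vault-name NAME --encryption-key-arn CMK_ARN`) and copy the existing recovery points into it rather than editing the old one. Treating unresolvable keys as non-compliant rather than skipping them keeps a missing `kms:DescribeKey` permission from hiding a vault that still uses the default key.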