Challenge
- You want to backup or restore instances with encrypted volumes.
- You receive one of the following errors while working with encrypted volumes:
- Encrypted snapshots with EBS default key cannot be shared
- The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared
- User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)
Solution
To perform a backup to an S3 repository, a snapshot replication or a restore using Customer Master Keys (CMKs), you need to allow the IAM Roles to use the Encryption Keys involved in the task. We recommend using Key Policies to control access to customer master keys.
Veeam Backup for AWS will check for the existence of necessary permissions in the Key Policies of the Encryption Keys, for IAM Roles used in the task.
If the verification fails, you will see an error message in the session log telling you which permissions are missing for which IAM Roles in the Key Policy.
These topics will help you understand how and what permissions you need to add.
- The set of permissions required for cryptographic operations
- How to allow an IAM Role to use the CMK
- Default Encryption Key of the region and how to change it
The set of permissions required for cryptographic operations
This is the set of permissions that should be given to an IAM Role via a Key Policy to perform cryptographic operations.
"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"
This is the set that AWS gives a Key User by default. This means that if you add an IAM Role to the Key Policy using the Default View, the granted permissions will be sufficient.
However, if you add an IAM Role using the Policy View (to add an IAM Role from another account you must use the Policy View in any case), you need to add these permissions manually.
Here is the policy view example:
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountid>:role/<rolename>"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountid>:role/<rolename>"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
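The following script is an added example, not Veeam's code: it performs the same kind of pre-flight check the article describes, reading a key policy document (for instance the output of aws kms get-key-policy) and reporting which of the required actions are not granted to a given IAM Role. The sample policy, account id 111122223333, the role names and the key ARN are constructed placeholders; the error text it produces only mimics the message quoted in this article.

```python
"""Check a KMS key policy for the permissions an IAM Role needs.

Added example (not Veeam's code, no AWS calls). Works on a policy document
you pass in; the sample below is constructed with placeholder identifiers.
"""
import fnmatch
import json

# Actions the article lists as required on a customer managed key.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
)

# Concrete KMS actions behind the two wildcards, so a policy that spells
# them out individually is still recognised as sufficient.
WILDCARD_EXPANSION = {
    "kms:ReEncrypt*": ("kms:ReEncryptFrom", "kms:ReEncryptTo"),
    "kms:GenerateDataKey*": (
        "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
    ),
}

# Constructed sample: the article's two-statement layout, plus a second role
# that was only added to the cryptographic statement (placeholder account id).
FULL_ROLE = "arn:aws:iam::111122223333:role/VeeamFullRole"
CRYPTO_ONLY_ROLE = "arn:aws:iam::111122223333:role/VeeamCryptoOnlyRole"
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_KEY_POLICY = json.dumps({
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [FULL_ROLE, CRYPTO_ONLY_ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": FULL_ROLE},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, role_arn):
    """True if the statement names the role explicitly or applies to everyone.

    An account root principal (arn:aws:iam::<id>:root) is deliberately not
    treated as a match: it only delegates to IAM policies in that account,
    which a key-policy check cannot see. The article's guidance is to grant
    the role in the key policy itself.
    """
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    aws = _as_list(principal.get("AWS"))
    return "*" in aws or role_arn in aws


def _resource_covers_key(resources):
    """In a key policy the key is referenced as "*" (or by its own ARN)."""
    return any(r == "*" or r.startswith("arn:aws:kms:") for r in resources)


def _action_matches(action, patterns):
    """IAM matches action names case-insensitively with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_kms_permissions(policy_document, role_arn):
    """Return the required actions that the key policy does not grant to role_arn.

    Allow statements add actions, Deny statements for the role remove them,
    as in IAM evaluation. Condition blocks (such as kms:GrantIsForAWSResource
    in the article's example) are accepted as written.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_covers(stmt.get("Principal"), role_arn):
            continue
        if not _resource_covers_key(_as_list(stmt.get("Resource"))):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action")))
    missing = []
    for required in REQUIRED_ACTIONS:
        concrete = WILDCARD_EXPANSION.get(required, (required,))
        if not all(_action_matches(a, allowed) and not _action_matches(a, denied)
                   for a in concrete):
            missing.append(required)
    return missing


def check_message(policy_document, role_arn, key_arn):
    """Empty string when the role is fully covered, otherwise an error line in
    the style of the message quoted in the article."""
    missing = missing_kms_permissions(policy_document, role_arn)
    if not missing:
        return ""
    return (f"User {role_arn} is not authorized to use resource {key_arn} "
            f"(Actions: {', '.join(missing)})")


if __name__ == "__main__":
    for role in (FULL_ROLE, CRYPTO_ONLY_ROLE):
        print(role, "->", check_message(SAMPLE_KEY_POLICY, role, SAMPLE_KEY_ARN) or "OK")
```

Running the script against the sample reports VeeamFullRole as OK and lists kms:CreateGrant, kms:ListGrants and kms:RevokeGrant as missing for VeeamCryptoOnlyRole, which is exactly the situation that arises when a role is pasted into the first statement of the Policy View but not the second.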
How to allow an IAM Role to use the CMK
To allow an IAM Role to use the CMK, you need to add the Role as the Key User to the Key Policy. There are two ways to do this:
Using the AWS Management Console default view
- Open the AWS Key Management Service (AWS KMS) console.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
- In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit
- To add Key Users, use the controls in the Key users section of the page.
Note: You cannot add an IAM Role from another account using Default Policy view.
Using the AWS Management Console policy view
- Open the AWS Key Management Service (AWS KMS) console.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
- In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit.
- In the Key Policy section, you may see the Key Policy document. This is the Policy View. If you created the CMK in the AWS Management Console, you will instead see the Default View with sections for Key Administrators, Key Deletion, and Key Users; to see the key policy document, choose Switch to policy view.
- Click Edit to start editing. After making changes, click Save.
Default Encryption Key of the region and how to change it
In some cryptographic operations, Veeam Backup for AWS has to use the Default Encryption Key of one of your regions to encrypt resources (for example, when you replicate encrypted snapshots without choosing a target key, or when you restore data from an S3 repository between accounts).
The Default Encryption Key of a region is the key used to encrypt every resource that must be encrypted when you do not explicitly specify an encryption key (for example, a volume created from a shared encrypted snapshot without a target key is encrypted with the region's default key). For more information about the Default Encryption Key and creating resources from encrypted sources, see the AWS Documentation.
How to change a Default Encryption Key in the region
- Open the Amazon Console at https://console.aws.amazon.com/ec2/.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- Choose EBS Encryption in the Account attributes section.
- Click Manage and select the new Default Encryption key from the drop-down list.
- Finish editing by clicking Update EBS Encryption.
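The same check and change can be scripted for a pre-job audit. The block below is an added example and not Veeam's code: it reads the region's default EBS key, resolves whether it is the AWS managed aws/ebs key (whose snapshots cannot be shared), and, only when asked, switches the default to a customer managed key after confirming that key is customer managed and enabled. The boto3 calls used (get_ebs_default_kms_key_id, modify_ebs_default_kms_key_id, describe_key) are real EC2/KMS APIs; the FakeEc2 and FakeKms classes, the account id and the key ARN are constructed stand-ins so the logic runs offline.

```python
"""Audit and, if requested, change a region's default EBS encryption key.

Added example (not Veeam's code). The clients are passed in so the logic can
be exercised with the constructed fakes below; with boto3 they are the ec2
and kms clients for the region you are checking.
"""

AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"

# Constructed placeholders (not real resources).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_KEYS = {
    AWS_MANAGED_EBS_ALIAS: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (only the calls used here)."""

    def __init__(self, default_key_id):
        self.default_key_id = default_key_id

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.default_key_id}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.default_key_id = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


class FakeKms:
    """Constructed stand-in for a boto3 KMS client."""

    def __init__(self, keys):
        self.keys = keys  # key id / ARN / alias -> KeyMetadata

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}


def default_key_is_aws_managed(ec2, kms):
    """True if the region's default EBS key is the AWS managed aws/ebs key.

    EC2 reports the default either as the alias (when it has never been
    changed) or as a key ARN, so an ARN is resolved through KMS.
    """
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    if key_id == AWS_MANAGED_EBS_ALIAS:
        return True
    return kms.describe_key(KeyId=key_id)["KeyMetadata"].get("KeyManager") == "AWS"


def ensure_customer_managed_default(ec2, kms, replacement_key_id, dry_run=True):
    """Report on the default EBS key and optionally move it off aws/ebs.

    Returns {"default_key", "aws_managed", "changed"}. With dry_run=True
    nothing is modified, so the function doubles as a read-only check.
    """
    current = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    if not default_key_is_aws_managed(ec2, kms):
        return {"default_key": current, "aws_managed": False, "changed": False}
    # Refuse to point the region at anything that is not a usable CMK.
    meta = kms.describe_key(KeyId=replacement_key_id)["KeyMetadata"]
    if meta.get("KeyManager") != "CUSTOMER":
        raise ValueError(f"{replacement_key_id} is not a customer managed key")
    if meta.get("KeyState") != "Enabled":
        raise ValueError(f"{replacement_key_id} is not enabled")
    if dry_run:
        return {"default_key": current, "aws_managed": True, "changed": False}
    new_key = ec2.modify_ebs_default_kms_key_id(KmsKeyId=replacement_key_id)["KmsKeyId"]
    return {"default_key": new_key, "aws_managed": False, "changed": True}


if __name__ == "__main__":
    # Offline demonstration with the constructed fakes; swap in
    # boto3.client("ec2", region_name=...) / boto3.client("kms", ...) for a
    # real region and keep dry_run=True until you have reviewed the result.
    ec2, kms = FakeEc2(AWS_MANAGED_EBS_ALIAS), FakeKms(SAMPLE_KEYS)
    print(ensure_customer_managed_default(ec2, kms, CMK_ARN, dry_run=True))
    print(ensure_customer_managed_default(ec2, kms, CMK_ARN, dry_run=False))
```

Changing the default key only affects resources encrypted from now on; snapshots already encrypted with aws/ebs still cannot be shared and have to be copied with a customer managed key, as described under the first error below.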
Error: Encrypted snapshots with EBS default key cannot be shared
This error occurs in the case of a Cross-Account Backup or Snapshot Replication, when one or more volumes of the source instance are encrypted using the default AWS KMS encryption key (aws/ebs alias).
The only possible solution here is to re-encrypt the source volume using a custom key.
You cannot change the CMK that is associated with an existing snapshot or volume. However, you can associate a different CMK during a snapshot copy or volume creation operation so that the resulting resource is encrypted by the new CMK.
For more information about snapshot sharing, see the AWS Documentation.
Error: The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared.
This error occurs when a snapshot that is going to be encrypted with the Default Encryption Key of the region needs to be shared, but the region's Default Encryption Key is the default AWS KMS encryption key (aws/ebs alias).
It happens because AWS does not allow sharing snapshots that are encrypted with the default AWS KMS encryption key (aws/ebs alias).
To solve this problem, change the Default Encryption Key in the region concerned.
The procedure is described in the section Default Encryption Key of the region and how to change it.
For more information about snapshot sharing, see the AWS Documentation.
Error: User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)
This error occurs if, when the task starts, one of the IAM Roles is found to have no permissions on one of the Encryption Keys.
To solve it, add the missing permissions for the IAM Role to the Key Policy.
The procedure is described in the section How to allow an IAM Role to use the CMK.
The error message names the missing permissions, the IAM Role and the Encryption Key identifier.