Operational Defect Database
BugZero found this defect 1413 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Veeam | kb3057
How to work with Amazon EBS encryption using Veeam Backup for AWS
Last update date:
8/28/2023
Affected products:
Veeam Backup for AWS
Affected releases:
6a
Fixed releases:
No fixed releases provided.
Description:
Challenge
You want to backup or restore instances with encrypted volumes. You receive one of the following related errors while working with encrypted volumes: Encrypted snapshots with EBS default key cannot be shared The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)
Solution
To perform backup, snapshot replication, or a restore to an S3 Repository using Customer Master Keys (CMKs), IAM Roles must be allowed to use Encryption Keys involved in the task. Veeam recommends to use Key Policies to control access to customer master keys. Veeam Backup for AWS will check for the existence of necessary permissions in the Key Policies of the Encryption Keys for IAM Roles used in the task. If that verification fails, an error message will be displayed in the session log detailing missing permissions and for which IAM Roles in the Key Policy.The following sections of this article document which permissions are needed and how to add them. Permissions Required for Cryptographic Operations How to allow an IAM Role to use the CMK Default Encryption Key of the region and how to change it
Common Errors
Encrypted snapshots with EBS default key cannot be shared This error occurs during a Cross-Account Backup or Snapshot Replication when one or more volumes of the source instance are encrypted using the default AWS KMS encryption key (aws/ebs alias). One possible solution is to re-encrypt the source volume using a custom key. You cannot change the CMK associated with an existing snapshot or volume. However, you can associate a different CMK during a snapshot copy or volume creation operation so that the resulting resource is encrypted by the new CMK.For more information about Snapshot sharing, see AWS Documentation Another option is to deploy workers in the production account to avoid having to share resources encrypted with the default AWS KMS encryption key.
