Operational Defect Database

BugZero found this defect 1384 days ago.

Veeam | kb3057

How to work with Amazon EBS encryption using Veeam Backup for AWS

Last update date:


Affected products:

Veeam Backup for AWS

Affected releases:


Fixed releases:

No fixed releases provided.



You want to back up or restore instances with encrypted volumes. You receive one of the following related errors while working with encrypted volumes:

- Encrypted snapshots with EBS default key cannot be shared
- The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared
- User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)


To perform a backup, snapshot replication, or a restore to an S3 Repository using Customer Master Keys (CMKs), the IAM Roles must be allowed to use the Encryption Keys involved in the task. Veeam recommends using Key Policies to control access to customer master keys.

Veeam Backup for AWS checks that the Key Policies of the Encryption Keys contain the necessary permissions for the IAM Roles used in the task. If that verification fails, an error message is displayed in the session log detailing which permissions are missing from the Key Policy and for which IAM Roles.

The following sections of this article document which permissions are needed and how to add them:

- Permissions Required for Cryptographic Operations
- How to allow an IAM Role to use the CMK
- Default Encryption Key of the region and how to change it
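The key policy verification described above can be approximated offline before a job is run. The following is an added example, not Veeam's code: the policy document, account ID, role names and the list of required actions are constructed samples, and the required list is an assumption because the article's own permission list is not reproduced on this page.

```python
import fnmatch

# Constructed key policy; the account ID and role names are placeholders.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowBackupRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-role"},
         "Action": ["kms:DescribeKey", "kms:ReEncrypt*"], "Resource": "*"},
        {"Sid": "DenyGrantsForRestoreRole", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/restore-role"},
         "Action": "kms:CreateGrant", "Resource": "*"},
        {"Sid": "AllowRestoreRole", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/restore-role"]},
         "Action": "kms:*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_role(statement, role_arn):
    # Only direct grants count: "*" or the role ARN itself in Principal.
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return principal == "*"
    arns = _as_list(principal.get("AWS", []))
    return role_arn in arns or "*" in arns

def _covers(statement, action):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def missing_kms_actions(policy, role_arn, required_actions):
    """Return the required actions the key policy does not grant to role_arn.
    Simplification: Condition, NotAction and NotPrincipal are not evaluated."""
    statements = [s for s in _as_list(policy.get("Statement", []))
                  if _names_role(s, role_arn)]
    missing = []
    for action in required_actions:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:  # an explicit Deny always wins over an Allow
            missing.append(action)
    return missing

if __name__ == "__main__":
    wanted = ["kms:DescribeKey", "kms:ReEncryptFrom", "kms:GenerateDataKey"]  # sample list, not Veeam's
    print(missing_kms_actions(SAMPLE_KEY_POLICY, "arn:aws:iam::111122223333:role/backup-role", wanted))
```

A statement that names only the account root as principal is not counted as a grant here, since in that case access depends on the role's own IAM policies rather than on the key policy alone.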

Common Errors

Encrypted snapshots with EBS default key cannot be shared

This error occurs during a Cross-Account Backup or Snapshot Replication when one or more volumes of the source instance are encrypted using the default AWS KMS encryption key (aws/ebs alias).

One possible solution is to re-encrypt the source volume using a custom key. You cannot change the CMK associated with an existing snapshot or volume. However, you can associate a different CMK during a snapshot copy or volume creation operation so that the resulting resource is encrypted by the new CMK. For more information about Snapshot sharing, see AWS Documentation.

Another option is to deploy workers in the production account to avoid having to share resources encrypted with the default AWS KMS encryption key.
