AWS Storage Blog

Encrypt AWS Backup logically air-gapped vaults with customer-managed keys

Organizations in regulated industries often mandate control over encryption keys when storing data in the cloud to meet compliance requirements. Although AWS Backup logically air-gapped vault provides secure, isolated backup storage, these customers have needed the ability to use their own AWS Key Management Service (AWS KMS) customer-managed keys (CMKs) to provide greater control of their backup data at rest.

Today, we’re announcing support for CMKs in AWS Backup logically air-gapped vault. You can use this new capability to maintain full control over your encryption keys while benefiting from the security and compliance advantages of air-gapped backup storage.

In this post, we walk you through configuring CMKs with logically air-gapped vault and demonstrate how this feature helps you meet compliance requirements. Furthermore, we discuss additional controls needed to ensure that your setup is secure and protected.

What’s new?

AWS Backup logically air-gapped vault now supports both AWS-owned keys (AOK) and AWS KMS CMKs. This gives you multiple ways to manage your backup encryption.

Choosing the right key management option:

  • AOKs remain our recommended approach for most use cases due to their integrated functionality and robust security.
  • CMKs are designed for organizations with specific governance requirements or regulatory compliance standards.

Key capabilities of CMK support:

CMK support addresses three critical customer requirements:

  • Complete key lifecycle control: Manage key access, rotation, and retirement schedules according to your policies.
  • Enhanced audit visibility: Track all key operations through comprehensive AWS CloudTrail.
  • Streamlined compliance integration: Seamlessly incorporate backup encryption into existing monitoring and compliance workflows.

Architecture and components

Core Architecture

A central key vault account is a security strategy where encryption keys are centrally managed and shared across multiple accounts, enhancing security and compliance. This approach can be implemented either within the same AWS Organizations for streamlined governance or across different organizations for enhanced isolation. Unlike traditional KMS strategies that provision and manage keys locally within individual accounts, the central key vault model consolidates key management, monitoring, and permission boundaries in a dedicated account.

architecture diagram for aws backup cmk implementation

Figure 1: Using CMKs with AWS Backup logically air-gapped vault in a multi-account architecture

This architecture maintains the fundamental security principles that make logically air-gapped vaults resilient against data loss and ransomware events. Your backups remain stored in service-owned accounts, physically isolated from your workloads, and protected by the Write-Once-Read-Many (WORM) model. This multi-layered approach ensures backup security and recoverability, even during account compromise scenarios.

AWS Backup logically air-gapped vault integrates with Multi-party approval for AWS Organizations, enhancing security without compromising operational agility. This allows organizations to recover using the backup copies stored in the AWS Backup logically air-gapped vault. The key vault account managed CMKs can then be shared with either the forensics account or the recovery account for integrity validation and restore.

Key Management Options

When creating an AWS Backup logically air-gapped vault, you can now specify an AWS KMS CMK for encryption. This CMK can be sourced from the following options:

  • Your current account: For streamlined management within a single AWS account
  • A designated key vault account: For centralized key management, which can be provisioned in the same AWS Organization or a different Organization (recommended for enhanced security isolation)

This integration enables you to maintain complete control over your backup encryption keys while preserving all the robust security benefits of logical air-gapping. Services in other accounts can reference and use the centrally stored keys to encrypt and decrypt their data, enabling secure sharing of customer-managed keys (CMKs) with workload accounts where backups are created and managed.

The feature supports symmetric customer-managed keys and enables key reuse across multiple vaults. Although the encryption key cannot be changed after vault creation, AWS KMS automatic key rotation is fully supported, providing continuous updates to the key’s backing material without service interruption. Combined with comprehensive audit capabilities and granular AWS Identity and Access Management (IAM) policies, organizations gain the flexibility to tailor their backup encryption strategy to meet specific security and compliance requirements.

When using CMKs, customers should follow the best practices discussed in the following section to provision architecture constructs to cater to various aspects of a resilient recovery strategy.

Best Practices & Operations

Implementing secure backup encryption strategies with AWS Backup logically air-gapped vaults requires careful consideration of operational processes, security governance frameworks, and monitoring practices. The following sections cover security controls, monitoring and alerting, and operational procedures to help organizations establish robust, scalable, and compliant backup encryption strategies that align with enterprise security frameworks and regulatory requirements.

Security Controls

Comprehensive security controls for vault encryption go beyond basic key policies. Many enterprises adopt centralized encryption management approaches, creating dedicated key vault accounts to separate encryption operations from workload accounts and establish clear boundaries for sensitive key operations. Effective protection necessitates layering multiple security controls to create a robust defense-in-depth strategy.

The following four security controls provide comprehensive protection through multi-layered access controls:

  • Service Control Policies (SCPs) enforce organization-wide restrictions, such as requiring MFA for sensitive operations like PutKeyPolicy, DisableKey, or ScheduleKeyDeletion across all accounts.
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyKMSAdminOpsWithoutMFA",
         "Effect":"Deny",
         "Action":[
            "kms:PutKeyPolicy",
            "kms:DisableKey",
            "kms:ScheduleKeyDeletion"
         ],
         "Resource":"*",
         "Condition":{
            "BoolIfExists":{
               "aws:MultiFactorAuthPresent":"false"
            }
         }
      }
   ]
}
  • Resource Control Policies (RCPs) apply guardrails directly at the resource level, preventing unauthorized cross-account access and mitigating the confused deputy problem where AWS services might be manipulated into using permissions inappropriately across accounts. Combined with AWS KMS grants, RCPs ensure that only authorized services gain temporary access to your keys. The same restrictions applied through SCPs can be implemented through RCPs, with the advantage that they apply to specific principals and are enforced directly on the CMKs.
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyDestructiveKMSOperations",
         "Effect":"Deny",
         "Principal":"*",
         "Action":[
            "kms:PutKeyPolicy",
            "kms:DisableKey",
            "kms:ScheduleKeyDeletion",
            "kms:DeleteAlias",
            "kms:UpdateKeyDescription",
            "kms:CancelKeyDeletion"
         ],
         "Resource":"*",
         "Condition":{
            "BoolIfExists":{
               "aws:MultiFactorAuthPresent":"false"
            }
         }
      }
   ]
}
  • Permission boundaries define maximum privileges for IAM roles, preventing administrators or automation from escalating access beyond approved limits.
  • IAM and key policies provide granular access control at the identity and resource levels respectively.

This layered approach ensures that even if one control is misconfigured, others remain in place to protect your AWS KMS keys and logically air-gapped backups. Each layer addresses different risks: SCPs enforce global organizational rules, RCPs constrain resource usage, permission boundaries contain role privileges, and key policies define specific key access. This creates comprehensive protection for your backup encryption strategy. For detailed implementation guidance, refer to the AWS KMS access control glossary documentation for deeper insights into individual security control mechanisms.

Monitoring and alerting

Effective monitoring of AWS KMS key usage requires implementing comprehensive observability across multiple AWS services. AWS KMS integrates with Amazon CloudWatch, AWS CloudTrail, and Amazon EventBridge to provide real-time visibility into key operations, usage patterns, and potential security events. This multi-layered monitoring approach enables organizations to detect anomalies, track compliance metrics, and maintain detailed audit trails for regulatory requirements. Key monitoring strategies include:

  • CloudWatch Alerts for unusual key activity, such as failed operations or attempts to schedule key deletion
  • CloudTrail Log Analysis for sensitive API calls including PutKeyPolicy, DisableKey or ScheduleKeyDeletion
  • Automated Event Processing through EventBridge to trigger immediate responses to critical key management events
  • SIEM Integration for centralized security monitoring and correlation with other enterprise security events

For example, you can create a CloudWatch metric filter to automatically detect and alert on key deletion attempts:

aws logs put-metric-filter \
--log-group-name "CloudTrail/Logs" \
--filter-name "KMSKeyDeletion" \
--metric-transformations \
metricName="KMSKeyPendingDeletion",metricNamespace="Custom/KMS",metricValue=1 \
--filter-pattern '{ ($.eventSource = "kms.amazonaws.com") && ($.eventName = "ScheduleKeyDeletion") }'

Additionally, monitor sensitive operations like DisableKey, PutKeyPolicy, and RevokeGrant, which can significantly impact key availability and permissions. Route these events to EventBridge or your SIEM platform to enable automated alerting and remediation workflows. For comprehensive implementation guidance, refer to the AWS KMS monitoring documentation.

Operational Procedures

Effective key management extends beyond initial setup to encompass ongoing operational considerations that ensure long-term security and compliance. AWS KMS provides automatic annual key rotation, which updates the cryptographic material while retaining the same key ID. For most organizations, this standard rotation frequency is sufficient given that AWS KMS keys are protected by FIPS 140-3 Level 3 validated hardware security modules, and more frequent rotation provides minimal additional security benefits.

Key operational considerations include:

  • Key Rotation Management: Organizations with compliance requirements mandating shorter rotation intervals can implement manual rotation processes in addition to automatic rotation
  • Governance and Auditing: Tag keys with rotation requirements and compliance metadata to streamline audit processes and policy enforcement
  • Lifecycle Management: Establish clear procedures for key creation, usage monitoring, and retirement aligned with data retention policies
  • Access Review Processes: Implement regular reviews of key permissions and cross-account sharing arrangements to maintain least-privilege access
  • Disaster Recovery Testing: Validate key availability and backup restoration procedures as part of regular DR exercises

These operational procedures ensure that your backup encryption strategy remains effective and compliant as your organization scales and regulatory requirements evolve.

Implementation Guide

Policy configurations

Your AWS KMS key policy serves as the foundational security control for your backup encryption strategy. Following the principle of least privilege, we recommend structuring your key policies with distinct roles that separate administrative operations, usage permissions, and deletion capabilities. This role-based approach ensures that no single entity has excessive permissions while maintaining operational flexibility.

The following policy statements must be applied to your CMK based on your specific use case and required operations with your logically air-gapped vault:

Creating an AWS Backup logically air-gapped vault using CMK

When creating a logically air-gapped vault, you must apply the AWS-managed policy AWSBackupFullAccess to your account role. This policy includes Allow actions that enable AWS Backup to interact with AWS KMS for grant creation on AWS KMS keys during backup, copy, and storage operations. Furthermore, you must ensure that the CMK key policy includes specific necessary permissions to share with the account where the logically air-gapped vault resides.

{  
    "Sid": "Allow use of the key to create a logically air-gapped vault",  
    "Effect": "Allow",  
    "Principal": {  
        "AWS": "arn:aws:iam::[account-id]:role/TheRoleToAccessAccount"  
    },  
    "Action": [  
        "kms:CreateGrant",  
        "kms:DescribeKey"  
    ],  
    "Resource": "*",  
   "Condition": {  
        "StringLike": {  
            "kms:ViaService": "backup.*.amazonaws.com"  
        }  
   }  
}

Copying or restoring within the same-account using a CMK

During same-account copy or restore operations, AWS Backup assumes a customer-defined copy role such as AWSBackupDefaultServiceRole or a custom role that you specify. This role requires specific permissions to interact with your CMK for both encryption operations and grant management.

{
   "Sid":"Allow use of the key for copy",
   "Effect":"Allow",
   "Principal":{
      "AWS":"arn:aws:iam::[source-account-id]:role/service-role/AWSBackupDefaultServiceRole"[
         "Source copy role"
      ]
   },
   "Action":[
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
   ],
   "Resource":"*",
   "Condition":{
      "StringLike":{
         "kms:ViaService":"backup.*.amazonaws.com"
      }
   }
},
{
   "Sid":"Allow AWS Backup to create grant on the key for copy",
   "Effect":"Allow",
   "Principal":{
      "AWS":"arn:aws:iam::[source-account-id]:role/service-role/AWSBackupDefaultServiceRole"[
         "Source copy role"
      ]
   },
   "Action":[
      "kms:CreateGrant"
   ],
   "Resource":"*",
   "Condition":{
      "Bool":{
         "kms:GrantIsForAWSResource":"true"
      },
      "StringLike":{
         "kms:ViaService":"backup.*.amazonaws.com"
      }
   }
}

Copying or restoring cross-account using a CMK

When copying or restoring between accounts, or from a recovery account through AWS Resource Access Manager (AWS RAM) or Multi-party approval, the CMK must trust both the recovery account’s service role and the destination account’s service-linked role (SLR). This cross-account trust enables secure key operations across organizational boundaries.

{
   "Sid":"Allow use of the key for copy/restore from a recovery account",
   "Effect":"Allow",
   "Principal":{
      "AWS":[
         "arn:aws:iam::[recovery-account-id]:role/service-role/AWSBackupDefaultServiceRole",
         [
            "Recovery account copy/restore role"
         ]"arn:aws:iam::[destination-account-id]:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
      ][
         "Destination SLR"
      ]
   },
   "Action":[
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
   ],
   "Resource":"*"
},
{
   "Sid":"Allow AWS Backup to create grant on the key for copy",
   "Effect":"Allow",
   "Principal":{
      "AWS":[
         "arn:aws:iam::[recovery-account-id]:role/service-role/AWSBackupDefaultServiceRole"[
            "Recovery account copy/restore role"
         ]"arn:aws:iam::[destination-account-id]:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
      ],
      [
         "Destination SLR"
      ]
   },
   "Action":[
      "kms:CreateGrant"
   ],
   "Resource":"*",
   "Condition":{
      "Bool":{
         "kms:GrantIsForAWSResource":"true"
      }
   }
}

These policy statements implement least-privilege service access by restricting principals per operation and ensuring that all grants are explicitly for AWS resources through kms:GrantIsForAWSResource. The recovery-account-id refers to the source account in normal cross-account and cross-Region restore scenarios, while it represents the restore account when using AWS RAM or Multi-party approval shares. Depending on your specific use case, you can apply a combined policy that accommodates multiple scenarios.

API & Console Implementation

Having established the necessary policy configurations for secure key management, we now shift our focus to practical implementation. These enhancements provide organizations with greater control over their backup encryption strategy through:

  • Enhanced Vault Creation: The ability to specify a CMK using EncryptionKeyArn when creating AWS Backup logically air-gapped vaults. 
  • Encryption Visibility: The addition ofEncryptionKeyType in API responses to indicate whether a vault uses an AWS Backup service-owned key by default or a customer-managed key.

This section focuses on the specific APIs that have been modified to support these CMK capabilities. For comprehensive coverage of all AWS Backup APIs, refer to the AWS Backup API Reference documentation.

Create an AWS Backup logically air-gapped vault with CMK

To create a logically air-gapped vault with a CMK, you can use the ‘CreateLogicallyAirGappedBackupVault’ API. This API necessitates specifying both ‘MinRetentionDays’ and ‘MaxRetentionDays’ parameters, because AWS Backup logically air-gapped vault is a vault locked in compliance mode.

To support CMK, we’ve added an optional EncryptionKeyArn field to the API input. If you don’t provide an EncryptionKeyArn, then AWS Backup creates the AWS Backup logically air-gapped vault using an AWS Backup service owned key by default.

Vault creation is asynchronous, so the vault will likely be in a CREATING state initially.

The following is an example using the AWS Command Line Interface (AWS CLI):

aws backup create-logically-air-gapped-backup-vault
--region us-east-1
--backup-vault-name ExampleLAGVault
--encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab
--min-retention-days 7
--max-retention-days 35
--creator-request-id 12312873218-13213-1321

The command returns a response similar to the following:

{

"BackupVaultName": "ExampleLAGVault",
"BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:ExampleLAGVault",
"CreationDate": "2025-09-25T14:03:49.412000-07:00",
"VaultState": "CREATING"

}

Similarly, you can create an AWS Backup logically air-gapped vault with CMK in console using the example in the following figure.

creating an AWS Backup logically air-gapped vault with CMK encryption

Figure 2: Creating an AWS Backup logically air-gapped vault with CMK encryption

Describe an AWS Backup logically air-gapped vault

You can use the ‘DescribeBackupVault’ API to view the attributes and state of your AWS Backup logically air-gapped vault. The response includes an EncryptionKeyType field that indicates whether the vault is encrypted using an AOK or a CMK.

The following shows how to describe an AWS Backup logically air-gapped vault using the AWS CLI:

aws backup describe-backup-vault --backup-vault-name <AWS Backup logically air-gapped vault name>

The command returns detailed information about the vault, including its encryption configuration:

{
  BackupVaultName:"ExampleLAGVault",
  BackupVaultArn:"arn:aws:backup:us-east-1:123456789012:backup-vault:ExampleLAGVault",
  VaultType:"LOGICALLY_AIR_GAPPED_BACKUP_VAULT",
  VaultState:"AVAILABLE",
  EncryptionKeyArn:"arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  CreationDate:"2025-09-25T14:03:49.412000-07:00",
  CreatorRequestId:"86eacd7f-6f0e-4aed-8be6-20e1f8a28c1f",
  NumberOfRecoveryPoints:0,
  Locked:true,
  MinRetentionDays:7,
  MaxRetentionDays:35,
  LockDate:"2025-09-25T14:03:49.412000-07:00",
  EncryptionKeyType:"CUSTOMER_MANAGED_KMS_KEY"
}

Similarly, in console you can go to Vaults and search your AWS Backup logically air-gapped vault by name and observe the CMK encryption key.

an AWS Backup logically air-gapped vault with an encryption key

A logically air-gapped vault with an CMK encryption key

List AWS Backup vaults

You can use the ‘ListBackupVaults’ API to view all vaults in your account. The response includes the EncryptionKeyType field for each vault, indicating whether it uses an AOK or a CMK.

The following shows how to list all backup vaults using the AWS CLI:

aws backup list-backup-vaults

The command returns a list of vaults with their configurations. The EncryptionKeyType field in the response shows either CUSTOMER_MANAGED_KMS_KEY or AWS_OWNED_KMS_KEY for each vault.

{
  BackupVaultList:[
    {
      BackupVaultName:"Default",
      BackupVaultArn:"arn:aws:backup:us-east-1:123456789012:backup-vault:Default",
      VaultType:"BACKUP_VAULT",
      CreationDate:"2020-11-05T14:15:22.329000-08:00",
      EncryptionKeyArn:"arn:aws:kms:us-east-1:123456789012:key/9493c201-1d02-4d2a-943a-650fee1c949e",
      CreatorRequestId:"Default",
      NumberOfRecoveryPoints:41358,
      Locked:false
    },
    {
      BackupVaultName:"ExampleLAGVault",
      BackupVaultArn:"arn:aws:backup:us-east-1:974288443796:backup-vault:ExampleLAGVault",
      VaultType:"LOGICALLY_AIR_GAPPED_BACKUP_VAULT",
      VaultState:"AVAILABLE",
      CreationDate:"2025-09-25T14:21:01.166000-07:00",
      EncryptionKeyArn:"arn:aws:kms:us-east-1:974288443796:key/96b4d755-8228-44c5-8e23-7bf29017653a",
      CreatorRequestId:"8f5528ff-4ed8-408c-855c-5f89388330f7",
      NumberOfRecoveryPoints:2,
      Locked:true,
      MinRetentionDays:7,
      MaxRetentionDays:35,
      LockDate:"2025-09-25T14:21:01.166000-07:00",
      EncryptionKeyType:"CUSTOMER_MANAGED_KMS_KEY"
    }
  ]
}

Describe a recovery point

You can use the ‘DescribeRecoveryPoint’ API to view details of a specific recovery point. To describe a recovery point using the AWS CLI:

aws backup describe-recovery-point
--recovery-point-arn <Recoverypoint ARN>
--backup-vault-name <AWS Backup logically air-gapped vault name>

Replace <Recoverypoint ARN> with the Amazon Resource Name (ARN) of the recovery point you want to describe, and <AWS Backup logically air-gapped vault name> with the name of the vault containing the recovery point.

List recovery points by backup vault

You can use the ‘ListRecoveryPointsByBackupVault’ API to view all recovery points within a specific backup vault. To list recovery points in a vault using the AWS CLI:

aws backup list-recovery-points-by-backup-vault --backup-vault-name <AWS Backup logically air-gapped vault name>

Replace <AWS Backup logically air-gapped vault name> with the name of the vault containing the recovery point.

List recovery points by resource

You can also use the ‘ListRecoveryPointsByResource’ API to view all recovery points for a specific resource across backup vaults. To list recovery points for a resource using the AWS CLI:

aws backup list-recovery-points-by-resource
--resource-arn <Resource ARN >

Replace <Resource ARN> with the ARN of the resource want to describe.

The EncryptionKeyType field in the response of all of the preceding commands return either CUSTOMER_MANAGED_KMS_KEY or AWS_OWNED_KMS_KEY, indicating the type of encryption key used for the vault containing this recovery point.

Cleaning up

After you’ve created your logically air-gapped vault, you can clean up any resources to avoid unnecessary charges by following the steps in the Cleaning up backups section of the AWS Prescriptive Guidance.

Summary

In this post, we introduced CMK support for AWS Backup logically air-gapped vault. This enhancement builds upon the AWS Backup logically air-gapped vault’s core security features: immutable backup storage, automatic vault locking, and cross-account sharing capabilities. This is done while enabling organizations to maintain complete control over their encryption keys. This add-on is particularly valuable for regulated industries that must meet specific key management requirements while maintaining robust data protection.

Getting started with CMKs for AWS Backup logically air-gapped vault is direct through the AWS Backup console, API, or AWS CLI. Organizations can create new vaults with CMKs while preserving all security benefits of logical air-gapping.

To learn more about using CMKs with AWS Backup logically air-gapped vault, visit the AWS Backup product page and documentation.

TAGS: , , , ,
Desiree Brunner

Desiree Brunner

Desiree is a Security Solutions Architect at AWS specializing in enterprise security transformations. Her background is in data protection and security architecture, focused on a variety of security domains, including applied cryptography and regulatory compliance. She partners with enterprise customers to design and implement comprehensive security strategies that protect critical workloads while enabling business agility and innovation.

Mani Manasa Mylavarapu

Mani Manasa Mylavarapu

Mani Manasa Mylavarapu is an Engineering Manager at Amazon Web Services specializing in cloud security and data protection. She has played a key role in building enterprise-grade backup and encryption systems that safeguard customer data globally. Passionate about leadership and innovation, she combines deep technical expertise with a people-first approach to scaling secure, reliable cloud platforms.

Sabith Venkitachalapathy

Sabith Venkitachalapathy

Sabith Venkitachalapathy is an expert in designing AWS recovery resilience solutions, ensuring disaster recovery and high availability for critical workloads. Focused on Financial Services (FSI) and Healthcare and Life Sciences (HCLS), Sabith leverages AWS to tackle industry challenges and drive innovation. He shares practical insights to help organizations build resilient, secure cloud architectures.