How do I restore a KMS-encrypted backup file to RDS for SQL Server from an on-premises environment?


I want to restore an AWS Key Management Service (AWS KMS)-encrypted backup file from an on-premises environment to an Amazon Relational Database Service (Amazon RDS) for Microsoft SQL Server instance. I want to use the native backup and restore feature.

Short description

When you pass an AWS Key Management Service (AWS KMS) key to the native backup procedure, Amazon RDS for SQL Server encrypts the backup file with that key before the file is written to Amazon S3. You can restore an encrypted backup only to an RDS for SQL Server instance in the same AWS account, and the backup file and the key must be usable in the instance's Region, as described in the following sections.

Prerequisites:

Resolution

  1. Run the native backup with the @kms_master_key_arn parameter set to the ARN of your AWS KMS key. Amazon RDS then client-side encrypts the backup file with that key:

    exec msdb.dbo.rds_backup_database @source_db_name='database-name',
    @s3_arn_to_backup_to='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx1';
  2. Restore the AWS KMS encrypted backup in another RDS for SQL Server instance in the same AWS Region and account. In the following command, specify the same AWS KMS key that you used to encrypt the backup:

    exec msdb.dbo.rds_restore_database @restore_db_name='database-name',
    @s3_arn_to_restore_from='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx1';

Restore an AWS KMS encrypted backup in another Region under the same account

  1. Create a multi-Region primary key. For the key type, choose Symmetric key.

  2. Create a replica key in the destination Region (Region B). The replica has the same key ID as the primary key.

  3. Specify the @kms_master_key_arn AWS KMS key parameter in Region A to start an encrypted native backup:

    exec msdb.dbo.rds_backup_database @source_db_name='database-name', 
    @s3_arn_to_backup_to='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-1:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2';
  4. Copy the backup file to an S3 bucket in Region B. Amazon RDS can't restore from a bucket in a different Region than the DB instance.

  5. Restore the AWS KMS encrypted backup in Region B. Specify the ARN of the replica key in Region B. Because a replica key keeps the primary key's key ID, the only change from the backup command's key ARN is the Region:

    exec msdb.dbo.rds_restore_database @restore_db_name='database-name',
    @s3_arn_to_restore_from='arn:aws:s3:::bucket-name/Filename.bak',
    @kms_master_key_arn='arn:aws:kms:us-east-2:account-id:key/xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx2';

    Note: Replace us-east-2 with the Region of the DB instance and its replica key, and bucket-name with the bucket in that Region.
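The two procedures above share the same constraints: the key must belong to the instance's account, the key ARN must be in the instance's Region (for a cross-Region restore, the Region B replica of a multi-Region key, which keeps the primary's key ID), and the bucket must be in the instance's Region. The following Python pre-flight check is an added example written for this article, not Amazon RDS or AWS SDK code. It assumes the documented ARN layouts (arn:partition:kms:region:account:key/key-id and arn:partition:s3:::bucket/object) and that multi-Region key IDs start with mrk-; the bucket's Region is supplied by the caller (for example from aws s3api get-bucket-location), so the script runs offline. The account IDs and key IDs in the main block are constructed placeholders.

```python
"""Pre-flight checks and statement builders for RDS for SQL Server native
backup/restore with an AWS KMS key. Example code added for this article, not
Amazon RDS or AWS SDK code. Assumptions: ARN layouts as documented by AWS,
multi-Region key IDs start with "mrk-", and the caller supplies the bucket
Region. Nothing here calls AWS."""
from dataclasses import dataclass
from typing import List, Tuple

CROSS_ACCOUNT = "CROSS_ACCOUNT"
KEY_REGION = "KEY_REGION"
BUCKET_REGION = "BUCKET_REGION"


@dataclass(frozen=True)
class KmsKeyArn:
    partition: str
    region: str
    account: str
    key_id: str

    @classmethod
    def parse(cls, arn: str) -> "KmsKeyArn":
        # arn:aws:kms:us-east-1:111122223333:key/<key-id> -> 6 colon-separated fields
        parts = arn.split(":", 5)
        if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
            raise ValueError(f"not an AWS KMS ARN: {arn}")
        resource = parts[5]
        if not resource.startswith("key/") or len(resource) == len("key/"):
            # the RDS procedures take a key ARN; alias ARNs (alias/...) are rejected here
            raise ValueError(f"not a KMS key ARN: {arn}")
        return cls(parts[1], parts[3], parts[4], resource[len("key/"):])

    @property
    def is_multi_region(self) -> bool:
        # assumption: multi-Region key IDs carry the documented "mrk-" prefix
        return self.key_id.startswith("mrk-")

    def replica_in(self, region: str) -> str:
        """ARN of the replica key in `region`: same key ID, different Region."""
        if not self.is_multi_region:
            raise ValueError("single-Region key: create a multi-Region primary and replicate it")
        return f"arn:{self.partition}:kms:{region}:{self.account}:key/{self.key_id}"


def parse_s3_arn(arn: str) -> Tuple[str, str]:
    """Split arn:aws:s3:::bucket/object into (bucket, object key)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3":
        raise ValueError(f"not an S3 ARN: {arn}")
    bucket, sep, key = parts[5].partition("/")
    if not bucket or not sep or not key:
        raise ValueError(f"S3 ARN must name a bucket and an object: {arn}")
    return bucket, key


def preflight(instance_region: str, instance_account: str, key_arn: str,
              s3_arn: str, bucket_region: str) -> List[Tuple[str, str]]:
    """Return (code, message) problems; empty list means this instance can use
    the key and bucket with rds_backup_database / rds_restore_database."""
    problems = []
    key = KmsKeyArn.parse(key_arn)
    bucket, _ = parse_s3_arn(s3_arn)
    if key.account != instance_account:
        problems.append((CROSS_ACCOUNT, f"key {key.key_id} belongs to account {key.account}, "
                         f"not {instance_account}; RDS can't use another account's key, "
                         "decrypt and re-encrypt the file instead"))
    elif key.region != instance_region:
        if key.is_multi_region:
            problems.append((KEY_REGION, f"key ARN is in {key.region}; use the replica "
                             f"in {instance_region}: {key.replica_in(instance_region)}"))
        else:
            problems.append((KEY_REGION, f"single-Region key in {key.region} can't be used "
                             f"from {instance_region}; create a multi-Region key"))
    if bucket_region != instance_region:
        problems.append((BUCKET_REGION, f"bucket {bucket} is in {bucket_region}; copy the "
                         f"file to a bucket in {instance_region}"))
    return problems


def _lit(value: str) -> str:
    """T-SQL single-quoted literal with embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def backup_statement(db_name: str, s3_arn: str, key_arn: str) -> str:
    return (f"exec msdb.dbo.rds_backup_database @source_db_name={_lit(db_name)}, "
            f"@s3_arn_to_backup_to={_lit(s3_arn)}, @kms_master_key_arn={_lit(key_arn)};")


def restore_statement(db_name: str, s3_arn: str, key_arn: str) -> str:
    return (f"exec msdb.dbo.rds_restore_database @restore_db_name={_lit(db_name)}, "
            f"@s3_arn_to_restore_from={_lit(s3_arn)}, @kms_master_key_arn={_lit(key_arn)};")


if __name__ == "__main__":
    # Constructed placeholders, not real resources.
    primary = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
    bak_a = "arn:aws:s3:::bucket-a/Filename.bak"   # bucket in us-east-1 (Region A)
    bak_b = "arn:aws:s3:::bucket-b/Filename.bak"   # copy of the file in us-east-2 (Region B)
    print(backup_statement("database-name", bak_a, primary))
    replica = KmsKeyArn.parse(primary).replica_in("us-east-2")
    for code, msg in preflight("us-east-2", "111122223333", replica, bak_b, "us-east-2"):
        print("problem:", code, msg)
    print(restore_statement("database-name", bak_b, replica))
```

Run preflight with the instance's Region and account before issuing either statement; a CROSS_ACCOUNT result means you are in the workaround territory described in the next section, and a KEY_REGION result on a multi-Region key gives you the exact replica ARN to use.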

Restore an AWS KMS encrypted backup across accounts, across Regions, or in an on-premises environment

The following three scenarios require a workaround to restore the backup:

  • Cross account: You need to restore the AWS KMS encrypted backup in the same Region but in a different account. Amazon RDS can't use an AWS KMS key that belongs to another account. For example, you can't encrypt a backup in account A with AWS KMS key K1 and then restore the backup in account B with K1.
  • Cross account and cross Region: You need to restore the AWS KMS encrypted backup in a different Region and a different account. Amazon RDS can't use an AWS KMS key from another account, and it can't restore from an S3 bucket in another Region.
  • On premises: You need to restore the AWS KMS encrypted backup in an on-premises environment. SQL Server on premises can't use the AWS KMS key, so you must decrypt the backup file before you restore it.

For a workaround for these limitations, see the Export from Amazon RDS for SQL Server section in Client-side encryption and decryption of Microsoft SQL Server backups for use with Amazon RDS.

Related information

Migrate TDE-enabled SQL Server databases to Amazon RDS for SQL Server

How do I restore an encrypted backup file or encrypted Microsoft Azure backup in RDS for SQL Server from an on-premises environment?

2 Comments

This article states that we can't encrypt a native backup from RDS in one account, then restore in another account with the same KMS key. Isn't that the whole point of sharing the KMS key to other accounts? Am I missing something here?

We use native backups of our prod databases for both refreshing our non-prod (different account) and for data retention. If I can't use the shared KMS key for restore to RDS in our non-prod environment, that would force me to have an unencrypted backup, copy it to my non-prod environment, restore that, then encrypt my prod backups in S3 at a file level.

Michael
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago