Best practices

Backup vault should be using Customer Master Keys

Risk Level

Informational (4)



AWS Backup is a fully managed service that protects data across AWS services. We identified a Backup vault '{AwsBackupVault}' whose encryption key is not an AWS KMS Customer Master Key (CMK). The best practice is to use a customer-managed CMK in all supported AWS services.
  • Recommended Mitigation

    To enhance security, it is recommended to use a CMK. To encrypt backup data using AWS KMS Customer Master Keys, create a CMK if one does not already exist. Then, create a backup vault with that CMK as its encryption key.
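
One way to run this check across an account, as an added example that is not part of the original page: the function takes boto3 `backup` and `kms` clients (`boto3.client("backup")`, `boto3.client("kms")`) and reports every vault whose key is not customer managed. The stub classes, vault names, account ID and key ARNs are constructed sample data so the block runs offline.

```python
# Added example: flag AWS Backup vaults whose key is not customer managed.
# The clients are passed in, so real boto3 clients or stubs both work.

def find_vaults_without_cmk(backup_client, kms_client):
    """Return (vault_name, key_arn, reason) for each non-compliant vault."""
    findings, kwargs = [], {}
    while True:
        page = backup_client.list_backup_vaults(**kwargs)
        for vault in page.get("BackupVaultList", []):
            name = vault["BackupVaultName"]
            key_arn = vault.get("EncryptionKeyArn")
            if not key_arn:
                findings.append((name, None, "no encryption key reported"))
                continue
            meta = kms_client.describe_key(KeyId=key_arn)["KeyMetadata"]
            # KeyManager is "AWS" for AWS managed keys, "CUSTOMER" for CMKs.
            if meta["KeyManager"] != "CUSTOMER":
                findings.append((name, key_arn, "key manager is " + meta["KeyManager"]))
        if not page.get("NextToken"):
            return findings
        kwargs = {"NextToken": page["NextToken"]}

# Constructed sample data (placeholder account ID and key IDs).
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed"
CMK_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-managed"

class StubBackup:
    """Stands in for boto3.client('backup'); returns two pages of vaults."""
    pages = {
        None: {"BackupVaultList": [{"BackupVaultName": "Default",
                                    "EncryptionKeyArn": AWS_KEY}],
               "NextToken": "page-2"},
        "page-2": {"BackupVaultList": [{"BackupVaultName": "prod-vault",
                                        "EncryptionKeyArn": CMK_KEY}]},
    }
    def list_backup_vaults(self, NextToken=None):
        return self.pages[NextToken]

class StubKms:
    """Stands in for boto3.client('kms')."""
    managers = {AWS_KEY: "AWS", CMK_KEY: "CUSTOMER"}
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyManager": self.managers[KeyId]}}

if __name__ == "__main__":
    for finding in find_vaults_without_cmk(StubBackup(), StubKms()):
        print(finding)
```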