Druva Documentation

AWS configuration to enable cross-region copy of encrypted snapshots

 

This article applies to:

  • Product edition: CloudRanger

Overview

This procedure enables you to perform a cross-region copy of encrypted snapshots from the source region to the destination region using CloudRanger. You may need to perform this for encrypted volumes. In such cases, you need to configure another encryption key in the destination regions. You can also configure a backup policy in CloudRanger to perform AWS cross-region backups.

The procedures described below provide steps for AWS configuration on the source and destination regions.

The configuration is explained using the following regions:

  • Origin Region: US East (N. Virginia)
  • Destination Region: US East (Ohio)

You can substitute the regions to suit your requirements.

Change the key policy of the encryption key in the origin region

  1. Sign in to the AWS Management Console and open the IAM Service console.
  2. Select the Encryption keys section on the left.
  3. Change the AWS Region to US East (N. Virginia) with the region selector in the upper-left corner of the page.

  4. Click the alias of the key currently used to encrypt the EC2 volumes and open the key properties.

  5. Scroll down to the Key Users section and click Add.

  6. Select all the CloudRanger roles associated with the CloudFormation stack and click Attach. All the roles must be displayed under Key Users after they are added.


    After you configure the key policy of the encryption key in the origin region, repeat the same configuration for the encryption key in the destination region.

Change the key policy for the encryption key in the destination region

  1. Log in to the IAM Service console.
  2. Select the Encryption keys section on the left.
  3. Change the AWS Region to US East (Ohio) using the region selector in the upper-left corner of the page.

  4. Click the key alias required to encrypt the backup copies and open the key properties.

  5. Scroll down to the Key Users section and click Add.

  6. Select all the CloudRanger roles associated with the CloudFormation stack and click Attach. All the roles must be displayed under Key Users after they are added.
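
To confirm the result of both procedures outside the console, the following added example (not part of the original Druva article) checks a key policy document, such as the output of aws kms get-key-policy --key-id <key-id> --policy-name default --output text, for the actions that the Key Users section grants to each role. The account ID, role names and sample policies are constructed placeholders, and the action list assumes the AWS default key-user policy statements.

```python
import json
from fnmatch import fnmatchcase

# Actions the console's Key Users section grants (default key policy statements).
KEY_USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_key_user_actions(policy_json, role_arns):
    """Return {role_arn: [key-user actions the key policy does not allow it]}."""
    allowed = {arn: set() for arn in role_arns}
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # ignore Deny statements and the bare "*" principal
        principals = _as_list(principal.get("AWS", []))
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for arn in role_arns:
            if arn in principals:
                allowed[arn].update(
                    act for act in KEY_USER_ACTIONS
                    if any(fnmatchcase(act.lower(), p) for p in patterns))
    return {arn: [a for a in KEY_USER_ACTIONS if a not in allowed[arn]]
            for arn in role_arns}

# Constructed sample data: account ID, role names and policies are placeholders.
ROLES = ["arn:aws:iam::111122223333:role/CloudRanger-ExampleRoleA",
         "arn:aws:iam::111122223333:role/CloudRanger-ExampleRoleB"]

def _policy(key_users):
    use = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
           "kms:GenerateDataKey*", "kms:DescribeKey"]
    grants = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": key_users},
         "Action": use, "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": key_users},
         "Action": grants, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]})

ORIGIN_POLICY = _policy(ROLES)          # us-east-1: both roles are key users
DESTINATION_POLICY = _policy(ROLES[0])  # us-east-2: second role not attached

if __name__ == "__main__":
    for name, pol in (("origin", ORIGIN_POLICY), ("destination", DESTINATION_POLICY)):
        print(name, missing_key_user_actions(pol, ROLES))
```

The check covers only the key policy; it does not evaluate IAM identity policies or existing grants on the key.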


Copy your backups to additional AWS regions

A backup policy automatically generates a backup in the origin AWS region (US East (N. Virginia)). To save an extra copy to another AWS region (US East (Ohio)), use the functionality below to create copies in up to two additional AWS regions.

  1. Select the ADVANCED option from the main backup policy section.
  2. Select the checkbox and the destination AWS region(s) from the dropdown menu, where the additional backup copies will be saved.
  3. Select the correct destination key for the respective selected region.

This saves the additional copies to the specified regions and ensures retention of the snapshots or AMIs in your additional region, as outlined in the backup policy.