Article ID: 62686
Article Type: Troubleshooting
Last Modified:
When Amazon EBS encryption for new volumes is enabled for an AWS region, backups and full instance restores that use resources from a service account might fail.
When Amazon EBS encryption for new volumes is enabled for an AWS region, backups and full instance restores that use resources from a service account might fail.
If Amazon EBS encryption for new volumes is enabled for an AWS region in your AWS account, all new EBS volumes created in your account for that region are encrypted, including volumes that are created during backups. As a result, those volumes cannot be modified by the backup process, and the backup fails. Volume encryption also prevents snapshots from being shared across accounts. As a result, full VM restores that are performed using resources from a separate service account fail.
Applicable to: Feature Release 11.21 and below
To enable backups to complete successfully, on the access node (VSA proxy) that is used to perform the backup, you can configure the bAllowAWSModifyBackupVolume additional setting and set the value to 0. This setting enables backups to complete without attempting to modify the volumes that are created as part of the backup. To prevent the errors for backups and restores that are caused by default encryption settings, you can disable the Amazon setting in your account:
Applicable to: Feature Release 11.22 and later
Backups:
Full VM Restores:
Verify that the KMS key from the admin account is shared with the tenant account.