Theo Ekelmans - Tuesday, March 6, 2018 2:34 AM
Seems like over kill to me, I could agree with the point if the actual database backups were stored in the same location but I assume your backups are on premise? Providing you access S3 as a service using a suitable API and encrypt your traffic with SSL when uploading where is the risk? When stored at rest in S3 you can enable encryption as well as other security measures. Yes there are stories of data leaks from S3 but almost every single one has been down to mis-configuration rather than being hacked.
The keys are only of any use if you have access to the backup media and unless you combine your own network with amazons using direct connect or a VPN then those encryption certificates are useless to anyone without the actual media.
MCITP SQL 2005, MCSA SQL 2012