CPM supports custom encryption keys for DR
To use a custom encryption key for DR, perform the following:
1. In the account where the custom key resides:
- Go to KMS and browse to the key you wish to share.
- Go to “Other AWS accounts” at the bottom of the page and click “Add other AWS accounts”.
- Add the ID of the DR account you wish to share the key with.
2. Go to the volume you wish to copy to the DR account and/or region and add the following tag:
- The tag’s “key” = cpm_dr_encryption_key
- The tag’s “value” = the full ARN of the encryption key you shared in step 1. For example: arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
- If you perform cross-region DR, you will need a key in each target region, because AWS does not allow sharing encryption keys across regions. In that case the tag’s “key” should include the region where the key is. For example, the tag for an Ohio key will be: key = cpm_dr_encryption_key:us-east-2, value = arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
To use this functionality for AMI DR, tag the instance rather than the volume.
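As an added pre-flight check (example code written for this page, not part of the original article or of CPM itself), the following Python builds the region-suffixed tags from a map of DR region to key ARN and verifies that each key actually resides in the region it is tagged for, which is the condition the cross-region note above imposes. It assumes that a region-suffixed tag takes precedence over the plain one (not stated on the page), and the Ohio key ARN is a constructed placeholder.

```python
import re

# Tag key CPM reads (from the page); "<key>:<region>" selects a key per DR region for cross-region DR.
TAG_KEY = "cpm_dr_encryption_key"
# Shape of a KMS key ARN: region, 12-digit account id and the key's UUID.
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)


def build_dr_tags(keys_by_region):
    """Turn {dr_region: key_arn} into the tags to put on the volume (or, for AMI DR, the instance).

    Every ARN is checked to live in the region it is tagged for: KMS keys cannot be shared
    across regions, so a key in another region can never encrypt the copy.
    """
    tags = {}
    for region, arn in keys_by_region.items():
        m = KMS_KEY_ARN.match(arn)
        if not m:
            raise ValueError(f"not a KMS key ARN: {arn}")
        if m.group("region") != region:
            raise ValueError(f"key {arn} is in {m.group('region')}, cannot serve DR region {region}")
        tags[f"{TAG_KEY}:{region}"] = arn
    return tags


def resolve_dr_key(tags, dr_region):
    """Return the key ARN usable for a copy into dr_region, or None if no usable tag exists.

    Assumption (not stated on the page): the region-suffixed tag takes precedence over the plain one.
    A plain tag is only honoured when its key already sits in dr_region.
    """
    for candidate in (tags.get(f"{TAG_KEY}:{dr_region}"), tags.get(TAG_KEY)):
        m = KMS_KEY_ARN.match((candidate or "").strip())
        if m and m.group("region") == dr_region:
            return m.group(0)
    return None


def dr_key_problems(tags, dr_regions):
    """List the DR regions for which no valid custom key is tagged (an empty list means all is well)."""
    return [r for r in dr_regions if resolve_dr_key(tags, r) is None]


# Constructed sample: the page's example key in N. Virginia plus a hypothetical key in Ohio
# (the Ohio key id is a placeholder, not a real key).
SAMPLE_KEYS = {
    "us-east-1": "arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05",
    "us-east-2": "arn:aws:kms:us-east-2:123456789101:key/00000000-0000-4000-8000-000000000002",
}
SAMPLE_TAGS = build_dr_tags(SAMPLE_KEYS)

if __name__ == "__main__":
    print(SAMPLE_TAGS)
    print(dr_key_problems(SAMPLE_TAGS, ["us-east-1", "us-east-2", "eu-west-1"]))  # ['eu-west-1']
```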
Reference feature number – N2WS-777. Added in 2.3.0d. RDS support for this feature was added in 2.4.0.