Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If
cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs:
ERROR:
start_copy_region(dr_rds.py:381) RDS DR copy_snapshot failed from region
EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0,
policy MyPolicy (to DR account). Exception The source snapshot KMS key
[arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b]
does not exist, is not enabled or you do not have permissions to access it.
If you face this issue, please make sure the
DR account is added to the key in KMS under "Other AWS accounts":
The DR account must have
access to the key or it won't be able to re-encrypt
the snapshot.
For additional information, please see this AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
Related Articles
Cross-region and cross-account DR of an encrypted RDS cluster may fail in v2.6
Encrypted cluster RDS backups (Cross-region & cross-account) DR might fail. You may see the following in the logs Error - RDS DR copy snapshot failed for region US East (Ohio), snapshot Snapshotname (to DR account). Reason: Encrypted source snapshot: ...Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region
Issue: The Following error may appear in the CPM Server logs: ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS ...Replication of RDS snapshots may fail with "Cross region snapshot copy is not supported for TDE encrypted snapshots"
================================================================================================= As of June 13 2007, AWS has fixed this issue: ...Cross-Region recovery of encrypted RDS may fail
Cross-Region recovery of encrypted RDS may fail with following error in the Recovery Log: Reason: Must specify new KMS key for cross region encrypted snapshot copy If you found the above error, please upgrade to the latest 2.X.X. version to resolve ...Cross-Region DR RDS backup may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log: Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Ohio), ...