Cross Account and Cross region DR of encrypted RDS may fail

Cross-Account and Cross-Region DR of an encrypted RDS database may fail

If cross-region and cross-account backup of an encrypted RDS database is successful,  but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs:

ERROR:  start_copy_region(  RDS DR copy_snapshot failed from region EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0, policy MyPolicy (to DR account). Exception The source snapshot KMS key [arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b] does not exist, is not enabled or you do not have permissions to access it.

If you face this issue, please make sure the DR account is added to the key in KMS under "Other AWS accounts":

The DR account must have access to the key or it won't be able to re-encrypt the snapshot.

For additional information,  please see this AWS documentation: