Cross Account and Cross region DR of encrypted RDS may fail


If the DR of an encrypted RDS database succeeds for three of the four copies (the local backup, the cross-region copy in the same account, and the same-region copy in the cross account) but fails for the cross-region, cross-account copy, even though the KMS key exists, search the logs for a message like the following:

ERROR:  start_copy_region(dr_rds.py:381)  RDS DR copy_snapshot failed from region EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0, policy MyPolicy (to DR account). Exception The source snapshot KMS key [arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b] does not exist, is not enabled or you do not have permissions to access it.


If you see this error, make sure that the DR account is listed as a "Key user" of the source encryption key, in the local region of the "backup" account. If it is not listed, use "Add External Account" in the KMS key's policy page to add it.

The DR account must have access to the backup account's key; otherwise it cannot re-encrypt the snapshot when copying it into the DR account.
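The following Python script is an added example, not part of this article or of the backup product it describes. It checks a KMS key policy document offline and reports which "Key user" permissions a given DR account is still missing, so you can confirm the key policy before re-running the cross-account copy. The action list assumed here is the set the KMS console writes when you add an external account as a key user ("Allow use of the key" plus "Allow attachment of persistent resources"); the sample policies and the DR account id 210987654321 are constructed for the example, and 123456789012 is the backup account id from the log line above. The check only looks at explicit Allow statements; a Deny statement elsewhere in the policy, or a missing grant on the IAM side of the DR account, would still block the copy.

```python
import fnmatch
import json

# Actions the KMS console adds for an external account listed as a "Key user".
# Assumption: this is the set the DR account needs for the cross-account snapshot
# copy (RDS re-encrypts via grants, hence the grant actions). Compare it against
# the key policy in your own backup account.
KEY_USER_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant",
)

BACKUP_ACCOUNT = "123456789012"   # from the log line in the article
DR_ACCOUNT = "210987654321"       # constructed placeholder for the DR account


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals a statement applies to ('*' means everyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def missing_key_user_actions(policy_json, account_id):
    """Return the key-user actions NOT explicitly allowed to account_id's root.

    Only Effect=Allow statements naming the account root (or '*') are counted;
    action patterns such as 'kms:ReEncrypt*' or 'kms:*' are expanded with
    case-insensitive wildcard matching, as IAM does.
    """
    policy = json.loads(policy_json)
    root_arn = f"arn:aws:iam::{account_id}:root"
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt)
        if not ({"*", root_arn, account_id} & set(principals)):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in KEY_USER_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    allowed.add(action)
    return [a for a in KEY_USER_ACTIONS if a not in allowed]


# Constructed sample: the default key policy, before the DR account is added.
SAMPLE_POLICY_BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{BACKUP_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
})

# Constructed sample: only the "use" statement was added, grants were forgotten.
SAMPLE_POLICY_PARTIAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(SAMPLE_POLICY_BEFORE)["Statement"] + [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{DR_ACCOUNT}:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

# Constructed sample: what "Add External Account" produces for the DR account.
SAMPLE_POLICY_AFTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(SAMPLE_POLICY_PARTIAL)["Statement"] + [
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{DR_ACCOUNT}:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
})


if __name__ == "__main__":
    for name, policy in (("before", SAMPLE_POLICY_BEFORE),
                         ("partial", SAMPLE_POLICY_PARTIAL),
                         ("after", SAMPLE_POLICY_AFTER)):
        print(name, "missing for DR account:",
              missing_key_user_actions(policy, DR_ACCOUNT))
```

To use it against a real key, fetch the policy with `aws kms get-key-policy --key-id <key-arn> --policy-name default --output text` in the backup account's local region and pass the resulting JSON document, together with the DR account id, to `missing_key_user_actions`; an empty list means the "Key user" entry is complete.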