Cross Account and Cross region DR of encrypted RDS may fail
If
cross region and cross account of encrypted RDS is successful in 3 copies
(local backup, cross region in the same account and same region cross account)
but it fails in the cross region cross account backup, although the KMS key
exists, please search a print like the following one in the logs:
ERROR:
start_copy_region(dr_rds.py:381) RDS DR copy_snapshot failed from region
EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0,
policy MyPolicy (to DR account). Exception The source snapshot KMS key
[arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b]
does not exist, is not enabled or you do not have permissions to access it.
If you face this issue, please make sure that the
DR account is listed as a "Key user" for the source encryption key in
the local region of the "backup" account. If it's not, use "Add
External Account" to add it:
DR account must have
access to the backup account's key, otherwise it won't be able to re-encrypt
the snapshot.
Related Articles
Cross-region and cross-account DR of an encrypted RDS cluster may fail in v2.6
Encrypted cluster RDS backups (Cross-region & cross-account) DR might fail. You may see the following in the logs Error - RDS DR copy snapshot failed for region US East (Ohio), snapshot Snapshotname (to DR account). Reason: Encrypted source snapshot: ...Cross-Region recovery of encrypted RDS may fail
Cross-Region recovery of encrypted RDS may fail with following error in the Recovery Log: Reason: Must specify new KMS key for cross region encrypted snapshot copy If you found the above error, please upgrade to the latest 2.X.X. version to resolve ...Replication of RDS snapshots may fail with "Cross region snapshot copy is not supported for TDE encrypted snapshots"
================================================================================================= As of June 13 2007, AWS has fixed this issue: ...Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region
Issue: The Following error may appear in the CPM Server logs: ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific ...Cross-Region DR RDS backup may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log: Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Ohio), ...