Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If
cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs:
ERROR:
start_copy_region(dr_rds.py:381) RDS DR copy_snapshot failed from region
EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0,
policy MyPolicy (to DR account). Exception The source snapshot KMS key
[arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b]
does not exist, is not enabled or you do not have permissions to access it.
If you face this issue, please make sure the
DR account is added to the key in KMS under "Other AWS accounts":
The DR account must have
access to the key or it won't be able to re-encrypt
the snapshot.
For additional information, please see this AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
Related Articles
Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region
Issue: The Following error may appear in the CPM Server logs: ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS ...Cross-Region DR RDS backup may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log: Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Ohio), ...RDS Cross Region DR fails with Exception: Cannot copy more than 5 snapshots across regions
You may see the following errors in the CPM logs when cross region RDS DR copies fail to successfully copy to the DR region. ERROR: cpm_copy_dbsnapshot(aws_rds_utils.py:217) Exception: Cannot copy more than 5 snapshots across regions ...Cross-account DR backup of encrypted snapshots of Aurora cluster (RDS) may fail with the “No matching KMS alias” error
DR of encrypted snapshots of AuroraDB cluster (DRS) may fail with the “No matching KMS alias” error in the Backup log: Error - Aurora DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source_region>, target ...Recovery of a cross-account DR copy of encrypted RDS snapshots
There is a limitation for restoring encrypted RDS snapshots from a DR AWS account. This is an AWS limitation, as described in this link . "Sharing an unencrypted manual DB snapshot enables authorized AWS accounts to directly restore a DB instance ...