Cross-Account and Cross-Region DR of Encrypted RDS May Fail
If cross-region and cross-account DR of an encrypted RDS instance succeeds for
3 of the copies (local backup, cross-region in the same account, and
same-region cross-account) but fails for the cross-region cross-account
backup, even though the KMS key exists, search the logs for an entry like the
following:
ERROR:
start_copy_region(dr_rds.py:381) RDS DR copy_snapshot failed from region
EU (Frankfurt) to region EU (Frankfurt). snapshot cpm-policy-11-db0-2018-4-12-23-0,
policy MyPolicy (to DR account). Exception The source snapshot KMS key
[arn:aws:kms:eu-central-1:123456789012:key/fdf5c33f-d9ba-4baf-99e3-456c1d45675b]
does not exist, is not enabled or you do not have permissions to access it.
If you hit this error, make sure that the DR account is listed as a "Key user"
for the source encryption key in the local region of the "backup" account. If
it is not, use "Add External Account" to add it.
The DR account must have access to the backup account's key; otherwise it
cannot re-encrypt the snapshot.
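
The same check can be run against the key policy document itself, for example the JSON returned by KMS GetKeyPolicy for the source key. The following is an added example, not part of the original article or the product's code; the required-action list, the DR account ID and both sample policies are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumption: a subset of the actions in the key-user statements that the AWS
# console writes into a key policy; adjust to your own baseline.
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant",
            "kms:ReEncryptFrom", "kms:GenerateDataKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if the statement principal explicitly lists the account."""
    if not isinstance(principal, dict):
        return False  # a bare "*" is not an explicit listing
    wanted = {account_id, f"arn:aws:iam::{account_id}:root"}
    return any(p in wanted for p in _as_list(principal.get("AWS", [])))

def missing_actions(policy_json, account_id, required=REQUIRED):
    """Return the required actions no Allow statement grants to account_id."""
    # Deny statements and Condition blocks are not evaluated here.
    allowed = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _names_account(stmt.get("Principal"), account_id):
            allowed += [a.lower() for a in _as_list(stmt.get("Action", []))]
    return [r for r in required
            if not any(fnmatchcase(r.lower(), pat) for pat in allowed)]

# Constructed sample data: 123456789012 is the account ID from the key ARN in
# the log above, 210987654321 is a made-up DR account.
BACKUP, DR = "123456789012", "210987654321"
OWNER_STMT = {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
              "Principal": {"AWS": f"arn:aws:iam::{BACKUP}:root"}}
DR_STMTS = [
    {"Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{DR}:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{DR}:root"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]
POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [OWNER_STMT]})
POLICY_AFTER = json.dumps({"Version": "2012-10-17", "Statement": [OWNER_STMT] + DR_STMTS})

if __name__ == "__main__":
    print("before:", missing_actions(POLICY_BEFORE, DR))
    print("after: ", missing_actions(POLICY_AFTER, DR))
```

An empty result means every checked action is granted to the DR account by an Allow statement; a non-empty result lists what the key policy still lacks.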