DR copy of encrypted snapshot to another region may fail with "Copy failed due to an AWS limitation regarding default encryption key" error



A DR copy of encrypted snapshots to another region may fail with the following error in the Backup log:
Error - <DR Policy>, copy snapshot failed (in Backup account) due to an AWS limitation regarding default encryption key source <source region>, target <target region>, snapshot <cpm-snapshot-name>, KMS alias: <alias name>

This is caused by an AWS limitation on using the default AWS-generated customer master key (CMK) to copy snapshots across regions.

To resolve this issue:

Using the AWS console, manually copy the desired snapshot from the source region to the target (DR) region.

Once the snapshot copy has completed in AWS, allow the CPM DR policy to run as scheduled, or run it immediately by using the "Run ASAP" button.

The DR copy should now be successful.
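
To find which snapshots need the manual copy described above, the following added example (not CPM or AWS code) scans Backup log text for the error quoted earlier and returns each affected snapshot once. It assumes log lines follow that template, possibly after a timestamp prefix, and that field values contain no commas; the function name and sample log are constructed for illustration.

```python
import re

# Pattern built from the error template quoted in this article. Assumption:
# field values contain no commas, because commas separate the fields.
DR_KEY_ERROR = re.compile(
    r"Error - (?P<policy>.+?), copy snapshot failed \(in Backup account\) "
    r"due to an AWS limitation regarding default encryption key "
    r"source (?P<source>[^,]+), target (?P<target>[^,]+), "
    r"snapshot (?P<snapshot>[^,]+), KMS alias: (?P<alias>.+?)\s*$"
)


def find_default_key_failures(log_text):
    """Return one dict per distinct (source, target, snapshot), in log order."""
    seen, failures = set(), []
    for line in log_text.splitlines():
        match = DR_KEY_ERROR.search(line)
        if not match:
            continue  # other errors and informational lines are ignored
        rec = {name: value.strip() for name, value in match.groupdict().items()}
        key = (rec["source"], rec["target"], rec["snapshot"])
        if key not in seen:  # the same snapshot can fail on more than one run
            seen.add(key)
            failures.append(rec)
    return failures


# Constructed sample log: timestamps, policy names and snapshot names are made up.
SAMPLE_LOG = """\
2024-01-10 02:00:05 Info - Nightly-DR, DR started
2024-01-10 02:00:09 Error - Nightly-DR, copy snapshot failed (in Backup account) due to an AWS limitation regarding default encryption key source us-east-1, target us-west-2, snapshot cpm-example-0001, KMS alias: alias/aws/ebs
2024-01-10 02:00:11 Error - Nightly-DR, copy snapshot failed (in Backup account) due to some other reason
2024-01-11 02:00:09 Error - Nightly-DR, copy snapshot failed (in Backup account) due to an AWS limitation regarding default encryption key source us-east-1, target us-west-2, snapshot cpm-example-0001, KMS alias: alias/aws/ebs
2024-01-11 02:00:14 Error - Weekly-DR, copy snapshot failed (in Backup account) due to an AWS limitation regarding default encryption key source eu-west-1, target eu-central-1, snapshot cpm-example-0002, KMS alias: alias/aws/ebs
"""

if __name__ == "__main__":
    for f in find_default_key_failures(SAMPLE_LOG):
        print(f"{f['snapshot']}: copy manually {f['source']} -> {f['target']} "
              f"(policy {f['policy']}, key {f['alias']})")
```
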