Issue:
The Following error may appear in the CPM Server logs:
ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS snapshot cpm-policy-RDS-daily, KMS alias: alias/ec2-prod-rds-custom-kms-key.
The error message above is stating that the RDS Database snapshot that is located in EU (Frankfurt) has been encrypted but cpm is unable to locate an alias for the key that was used to encrypt it (ec2-prod-rds-custom-kms-key) in the target region Asia Pacific (Singapore) where it is attempting to copy the snapshot for DR purposes.
Solution:
1. login to the EC2 Console using your backup account's credentials, then go to Services, choose KMS.
2. For the region, choose the AWS region from the drop down menu that you want to place the alias in.
4. In the Alias Field, type the alias that you found in the error message that you received in your CPM log files.
“ec2-prod-rds-kms-key” is our example, but you will of course use your own key name that you are creating the alias for. It must match exactly.
Then add a description and expand “Advanced options”.
5. Under the Advanced Options Please select “KMS” in the Key Material Origin field, then click “Next step” in the bottom right.
7. Use the check boxes to select which IAM users and/or roles can administer this alias.
9. Choose the IAM users and roles that can use this key. These are your key users so you will need to add the IAM role or IAM user that is used for the CPM instance within in AWS, in order to be able to use the key to encrypt and decrypt the snapshot when the backup and copy occurs cross region.
10. In the Preview key policy, screen hit the Finish button at the bottom of the screen.
11. You will get a confirmation message that the key was generated.
12. Now you will need to enable the Key alias. Select it using the checkbox then choose Actions and choose enable.
13. You will get a confirmation the key alias was successfully enabled.
Tip: If the key alias does exist, and yet DR fails with "no matching KMS alias" error, then this is likely a permissions issue. Please make sure that the account has the required permissions per the KB below: