Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region

Issue:

The following error may appear in the CPM Server logs:

ERROR:  start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS snapshot cpm-policy-RDS-daily, KMS alias: alias/ec2-prod-rds-custom-kms-key.

The error above means that the RDS database snapshot located in EU (Frankfurt) is encrypted, but CPM cannot find an alias in the target region, Asia Pacific (Singapore), for the key that encrypted it (ec2-prod-rds-custom-kms-key), so it cannot copy the snapshot there for DR purposes.

Solution:

If you see this error, create an alias for the key referenced in the error message in each target region of the DR copy.

To create an alias for the key in the target region, follow the steps below.

1. Log in to the EC2 Console using your backup account's credentials, then go to Services and choose KMS.

2. From the region drop-down menu, choose the AWS region in which you want to place the alias.

3. Choose the Create key button.

4. In the Alias field, type the alias that appears in the error message in your CPM log files.

“ec2-prod-rds-kms-key” is the example used here; use the name of the key you are creating the alias for. It must match exactly.

Then add a description and expand “Advanced options”.


5. Under Advanced options, select “KMS” in the Key Material Origin field, then click “Next step” at the bottom right.

6. Add any desired tags, then click the Next step button at the bottom right.

7. Use the check boxes to select which IAM users and/or roles can administer this key.

8. Choose Next Step.


9. Choose the IAM users and roles that can use this key. These are the key users, so add the IAM role or IAM user that the CPM instance uses in AWS; CPM needs it to encrypt and decrypt the snapshot when the backup and the cross-region copy run.

10. On the Preview key policy screen, click the Finish button at the bottom of the screen.

11. A confirmation message shows that the key was generated.

12. Enable the key alias: select it using the checkbox, then choose Actions and choose Enable.

13. A confirmation shows that the key alias was successfully enabled.

14. Run the policy that contains the RDS database again. The copy should succeed if the alias has been created in every target region that needs it.

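As an added example that is not part of this article or of CPM, the Python script below uses boto3 to check each DR target region for the alias named in the error and to report whether the key it points to is enabled (step 12), which is exactly what the copy needs before step 14 can succeed. The region codes and the boto3 session are assumptions; the sample status dictionary is constructed so the check also runs offline.

```python
"""Report, per DR target region, whether a KMS alias exists and its key is enabled."""
from typing import Dict, List, Optional

# Assumed region codes: ap-southeast-1 is Asia Pacific (Singapore), the target in the error.
TARGET_REGIONS = ["ap-southeast-1"]


def normalize_alias(name: str) -> str:
    """Accept the bare name typed in the console or the 'alias/...' form from the log."""
    return name if name.startswith("alias/") else "alias/" + name


def alias_status(session, alias: str, regions: List[str]) -> Dict[str, dict]:
    """Look up `alias` in each region (session is an assumed boto3.Session)."""
    alias = normalize_alias(alias)
    status: Dict[str, dict] = {}
    for region in regions:
        kms = session.client("kms", region_name=region)
        target_key: Optional[str] = None
        for page in kms.get_paginator("list_aliases").paginate():
            for entry in page["Aliases"]:
                if entry["AliasName"] == alias:
                    target_key = entry.get("TargetKeyId")
        if target_key is None:
            status[region] = {"found": False, "key_state": None}
        else:
            state = kms.describe_key(KeyId=target_key)["KeyMetadata"]["KeyState"]
            status[region] = {"found": True, "key_state": state}
    return status


def find_problems(status: Dict[str, dict]) -> Dict[str, str]:
    """Return region -> reason for every region where the DR copy would fail."""
    problems: Dict[str, str] = {}
    for region, info in status.items():
        if not info["found"]:
            problems[region] = "no matching KMS alias"
        elif info["key_state"] != "Enabled":  # alias exists but key not yet enabled (step 12)
            problems[region] = "key is " + str(info["key_state"])
    return problems


# Constructed sample of what alias_status() returns; eu-central-1 is EU (Frankfurt), the source.
SAMPLE_STATUS = {
    "eu-central-1": {"found": True, "key_state": "Enabled"},
    "ap-southeast-1": {"found": False, "key_state": None},
    "us-east-1": {"found": True, "key_state": "Disabled"},
}

if __name__ == "__main__":
    print(find_problems(SAMPLE_STATUS))  # swap in alias_status(boto3.Session(), ...) for a live check
```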
Tip: If the key alias exists and DR still fails with the "No matching KMS alias" error, this is likely a permissions issue. Make sure that the account has the required permissions per the KB below:

https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation