Cross-Region RDS DR may fail with "Copy failed due to an AWS limitation regarding default encryption key”

RDS DR of encrypted snapshots between different regions may fail with the following error in the Backup log:

Error - RDS DR, copy snapshot failed (to DR account) due to an AWS limitation regarding default encryption key (source US East (Virginia), target US East (Ohio), snapshot cpm-policy-8-db0-2025-10-26-14-18, KMS alias: alias/aws/rds)

This occurs because AWS does not allow you to copy RDS snapshots encrypted with the default aws/rds encryption key between regions.

It is necessary to use a non-default KMS key for database encryption on the target side by adding a "cpm_dr_encryption_key" tag to the DB instance you want to backup:

The tag’s “key” = cpm_dr_encryption_key

The tag’s “value” = The full arn of the encryption key you want to use in the target region.

As a result, the snapshots in the target DR region will be encrypted with the non-default KMS key you specified in the tag.

This article discusses using custom encryption keys: CPM supports custom encryption keys for DR

Related Articles
EBS/RDS DR & Recovery with KMS key
When copying cross account an EBS/RDS Volume encrypted with custom KMS, a KMS key should also be available in the other account. There are 2 ways that CPM uses for checking KMS key - Alias & Tag KMS Tag When using custom tag, you are telling CPM to ...
Cross-Account and Cross-Region DR of an encrypted RDS database may fail
If cross-region and cross-account backup of an encrypted RDS database is successful, but fails in the cross-region cross-account DR copy, you may see the following error in the cpm logs: ERROR: start_copy_region(dr_rds.py:381) RDS DR copy_snapshot ...
Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region
Issue: The Following error may appear in the CPM Server logs: ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS ...
Cross-account DR backup of encrypted snapshots of Aurora cluster (RDS) may fail with the “No matching KMS alias” error
DR of encrypted snapshots of AuroraDB cluster (DRS) may fail with the “No matching KMS alias” error in the Backup log: Error - Aurora DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source_region>, target ...
How to use custom KMS encryption keys for cross-region & cross-account DR
This Article explains how to perform DR backups for resources using custom KMS key encryption If you perform cross-region DR or cross-account but to a different region, you will need to have a custom KMS key for each region with the same alias name, ...

Cross-Region RDS DR may fail with "Copy failed due to an AWS limitation regarding default encryption key”

Cross-Region RDS DR may fail with "Copy failed due to an AWS limitation regarding default encryption key”

Related Articles

EBS/RDS DR & Recovery with KMS key

Cross-Account and Cross-Region DR of an encrypted RDS database may fail

Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region

Cross-account DR backup of encrypted snapshots of Aurora cluster (RDS) may fail with the “No matching KMS alias” error

How to use custom KMS encryption keys for cross-region & cross-account DR