Cross-Region RDS DR may fail with "Copy failed due to an AWS limitation regarding default encryption key"
RDS DR of encrypted snapshots between different regions may fail with the following error in the Backup log:
Error - RDS DR, copy snapshot failed (to DR account) due to an AWS
limitation regarding default encryption key (source US East (Virginia),
target US East (Ohio), snapshot cpm-policy-8-db0-2025-10-26-14-18, KMS
alias: alias/aws/rds)
This occurs because AWS does not allow you to copy RDS snapshots encrypted with the default aws/rds encryption key between regions.
To work around this, use a non-default KMS key for database encryption on the target side by adding a "cpm_dr_encryption_key" tag to the DB instance you want to back up:
The tag's "key" = cpm_dr_encryption_key
The tag's "value" = the full ARN of the encryption key you want to use in the target region.
As a result, the snapshots in the target DR region will be encrypted with the non-default KMS key you specified in the tag.
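The following added example (not part of the original article or the product's own code) validates a proposed tag value before applying the tag with boto3. The function names and sample ARNs are hypothetical and constructed; the checks assume, from the article's wording, that the value must be a full key ARN (not an alias or bare key ID) whose region is the DR target region.

```python
import re

TAG_KEY = "cpm_dr_encryption_key"  # tag name from the article
# Full KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KEY_ARN_RE = re.compile(
    r"^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$"
)


def check_dr_key_arn(value, target_region):
    """Return a list of problems with a proposed tag value (empty list = OK)."""
    value = value.strip()
    if ":alias/" in value or value.startswith("alias/"):
        return ["value is a KMS alias, not a full key ARN"]
    m = KEY_ARN_RE.match(value)
    if not m:
        return ["value is not a full KMS key ARN"]
    if m.group(2) != target_region:
        return [f"key is in {m.group(2)}, but the DR target region is {target_region}"]
    return []


def tag_db_instance(db_instance_id, source_region, key_arn, target_region):
    """Validate the key ARN, then add the tag to the source DB instance."""
    problems = check_dr_key_arn(key_arn, target_region)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so validation works without AWS access
    rds = boto3.client("rds", region_name=source_region)
    db = rds.describe_db_instances(DBInstanceIdentifier=db_instance_id)["DBInstances"][0]
    rds.add_tags_to_resource(
        ResourceName=db["DBInstanceArn"],
        Tags=[{"Key": TAG_KEY, "Value": key_arn.strip()}],
    )
    return db["DBInstanceArn"]


# Constructed sample values (not real keys or accounts).
SAMPLE_OK = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_WRONG_REGION = SAMPLE_OK.replace("us-east-2", "us-east-1")
SAMPLE_ALIAS = "arn:aws:kms:us-east-2:111122223333:alias/aws/rds"

if __name__ == "__main__":
    for v in (SAMPLE_OK, SAMPLE_WRONG_REGION, SAMPLE_ALIAS):
        print(v, "->", check_dr_key_arn(v, "us-east-2") or "OK")
```

For the Virginia-to-Ohio case in the error above, the source region is us-east-1 and the target region is us-east-2.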