RDS DR backup of encrypted snapshots between different regions may fail with the following error in the Backup log:
Error - RDS DR, copy snapshot failed (to DR account) due to an AWS
limitation regarding default encryption key (source US East (Ohio),
target US East (Ohio), snapshot cpm-policy-8-db0-2018-10-26-14-18, KMS
This happens because AWS does not allow copying an encrypted RDS snapshot from another account when it is encrypted with the default encryption key.
The only way to proceed with encrypted backups to another region is to use a non-default KMS key for database encryption on the target side.
You need to create a new KMS key in the target region and add the "cpm_dr_encryption_key" tag to the DB instance you want to back up:
The tag’s “key” = cpm_dr_encryption_key
The tag’s “value” = the full ARN of the encryption key you shared from the target region.
You can also use any of the existing KMS keys in the target region.
As a result, the snapshots in the remote region will be encrypted with the remote key.
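A pre-flight check and tagging step for the procedure above, as an added example that is not part of the original article. It assumes the AWS CLI is configured with permission to describe the target key and to tag the DB instance; the function names are hypothetical and all ARNs, account IDs and regions in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example. Sample usage with constructed values:
#   ./tag-dr-key.sh arn:aws:rds:us-east-2:111122223333:db:db0 \
#     arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab us-west-2
TAG_KEY="cpm_dr_encryption_key"

# Shape check: succeeds for a full KMS key ARN (commercial "aws" partition)
# whose region field is $2. Aliases, including the default alias/aws/rds,
# and bare key IDs are rejected because the tag value must be the full ARN.
is_full_key_arn_in_region() {
    case "$1" in
        arn:aws:kms:"$2":[0-9]*:key/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Tags DB instance $1 with key ARN $2 after checking the key against DR region $3.
tag_db_for_dr() {
    db_arn=$1 key_arn=$2 dr_region=$3
    if ! is_full_key_arn_in_region "$key_arn" "$dr_region"; then
        echo "tag value must be a full KMS key ARN in $dr_region" >&2
        return 1
    fi
    # Assumption: a non-default key reports KeyManager=CUSTOMER, while the
    # default aws/rds key reports AWS. Requires kms:DescribeKey on the key.
    manager=$(aws kms describe-key --key-id "$key_arn" --region "$dr_region" \
        --query 'KeyMetadata.KeyManager' --output text) || return 1
    if [ "$manager" != "CUSTOMER" ]; then
        echo "key is not customer managed (KeyManager=$manager)" >&2
        return 1
    fi
    # The tag goes on the source DB instance, so use the region from its ARN.
    src_region=$(printf '%s' "$db_arn" | cut -d: -f4)
    aws rds add-tags-to-resource --region "$src_region" \
        --resource-name "$db_arn" --tags "Key=$TAG_KEY,Value=$key_arn"
}

if [ "$#" -eq 3 ]; then
    tag_db_for_dr "$@"
fi
```

The script refuses to write the tag when the value is an alias, a bare key ID, a key in the wrong region, or an AWS-managed key, which are the cases where the DR copy would still fail.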
A step-by-step plan is explained in the article about encryption keys support: