DR may fail with "Error: No KMS info for region" and "failed getting kms aliases"
The following error may appear in the Backup Log:
Error - Failed looking for source KMS (region US West (Oregon), snapshot snap-xxxxxxxx). Error: No KMS info for region us-west-2 (No KMS)
This error may appear in cpm_server.log:
ERROR: _get_kms_aliases(n2wsoftware\common\aws_utils.py:777) failed getting kms aliases in region US West (Oregon) (Backup account). Error: User: arn:aws:sts::111111111111:assumed-role/CPMRecovery/i-22222222 is not authorized to perform: kms:ListAliases (code AccessDeniedException)
ERROR: init(n2wsoftware\common\aws_utils.py:663) KMS init failed for region us-west-2'
This is a permissions issue: the user can't access the KMS aliases in both regions.
You need to add these permissions:
"kms:ListKeys"
"kms:ListAliases"
Please see this article for the full list of required permissions: https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation
For more details, please read chapter 10.6.2 "DR of Encrypted Volumes, AMIs and RDS Instances" in our User Guide:
https://www.n2ws.com/images/PDF/CPMUserGuide.pdf
Please note:
These permissions are needed even if you don't have any encrypted volumes, as some of the AMIs may be encrypted without you knowing it.
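The following added example (not N2WS code) parses cpm_server.log text for the AccessDeniedException line shown above, reports which role was denied which KMS action, and builds an IAM policy document granting the two actions the article lists. The function names, the Sid and the sample log text are assumptions made for illustration; the log lines are constructed from the ones quoted in this article.

```python
import json
import re

# Constructed sample, based on the cpm_server.log lines quoted in the article.
SAMPLE_LOG = r"""
ERROR: _get_kms_aliases(n2wsoftware\common\aws_utils.py:777) failed getting kms aliases in region US West (Oregon) (Backup account). Error: User: arn:aws:sts::111111111111:assumed-role/CPMRecovery/i-22222222 is not authorized to perform: kms:ListAliases (code AccessDeniedException)
ERROR: init(n2wsoftware\common\aws_utils.py:663) KMS init failed for region us-west-2'
INFO: unrelated line (constructed)
"""

# Matches the principal ARN and the denied KMS action in an AccessDenied message.
DENIED = re.compile(
    r"User: arn:aws:(?:sts|iam)::(?P<account>\d{12}):"
    r"(?:assumed-role|user|role)/(?P<name>[^/\s]+)\S*"
    r" is not authorized to perform: (?P<action>kms:\w+)"
)

# The two actions the article says must be added.
REQUIRED = ("kms:ListKeys", "kms:ListAliases")


def denied_kms_calls(log_text):
    """Return {(account_id, role_or_user_name): {denied kms actions}}."""
    found = {}
    for m in DENIED.finditer(log_text):
        found.setdefault((m["account"], m["name"]), set()).add(m["action"])
    return found


def policy_document():
    """Build an IAM policy granting the required list actions.

    kms:ListKeys and kms:ListAliases do not support resource-level
    permissions, so Resource has to be "*" rather than a key ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CpmKmsList",  # hypothetical statement id
            "Effect": "Allow",
            "Action": list(REQUIRED),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    for (account, name), actions in denied_kms_calls(SAMPLE_LOG).items():
        print(f"account {account}, principal {name}: denied {sorted(actions)}")
    print(json.dumps(policy_document(), indent=2))
```

Attach the resulting policy to the role or user named in the log line, in each account that CPM uses.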