DR of encrypted snapshots may fail with the “No matching KMS alias” error
DR of encrypted snapshots may fail with the following error
in the Backup log:
ERROR:
start_copy_region(.\cpmserver\cpm\dr_volume.py:<line number>)
Volume DR copy snapshot failed (in Backup account). No matching KMS alias on
target region (source <source region>), target <targetregion, snapshot
snap-1234567890abcdefg, KMS alias: alias/aws/ebs)
If the above error is found, you need to create a KMS alias
in the target region.
Please login into EC2 console using your Backup account's
credentials and go to the target region's Encryption keys section in IAM
Does it show no encryption keys, like in the picture below?
Or maybe an encryption key appears, but it's missing an alias, and only its description says what it applies to?
If the key
with the "aws/ebs" alias doesn't appear, then the key is missing.
You can create it by manually creating a new 1GB encrypted volume in the target
region.
You don't have to actually create the volume. As soon as you select the
"Encrypt this volume" option, the "aws/ebs" key will be
created automatically.
At this point, you can cancel volume creation and run the backup again.
If the key does exist, and yet DR fails with "no matching KMS alias"
error, then this is likely a permissions issue.
Please make sure that the account has the required permissions per the KB
below:
Related Articles
Cross-account DR backup of encrypted snapshots of Aurora cluster (RDS) may fail with the “No matching KMS alias” error
DR of encrypted snapshots of AuroraDB cluster (DRS) may fail with the “No matching KMS alias” error in the Backup log: Error - Aurora DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source_region>, target ...Cross region copy of RDS snapshots may fail with error: RDS DR copy snapshot failed (in Backup account). No matching KMS alias in target region
Issue: The Following error may appear in the CPM Server logs: ERROR: start_copy_region(dr_rds.py:301) RDS DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source EU (Frankfurt), target Asia Pacific (Singapore), RDS ...Cross-region DR copy of encrypted snapshot may fail with "Copy failed due to an AWS limitation regarding default encryption key” error
DR of encrypted snapshots may fail with the following error in the Backup log: Error - <DR Policy>, copy snapshot failed (in Backup account) due to an AWS limitation regarding default encryption key source <source region>, target <target region>, ...DR may fail with "Error: No KMS info for region" and "failed getting kms aliases"
The following error may appear in the Backup Log: Error - Failed looking for source KMS (region US West (Oregon), snapshot snap-xxxxxxxx). Error: No KMS info for region us-west-2 (No KMS) This error may appear in cpm_server.log: ERROR: ...EBS/RDS DR & Recovery with KMS key
When copying cross account an EBS/RDS Volume encrypted with custom KMS, a KMS key should also be available in the other account. There are 2 ways that CPM uses for checking KMS key - Alias & Tag KMS Tag When using custom tag, you are telling CPM to ...