DR of encrypted snapshots may fail with the following error
in the Backup log:
Volume DR copy snapshot failed (in Backup account). No matching KMS alias on
target region (source <source region>), target <targetregion, snapshot
snap-1234567890abcdefg, KMS alias: alias/aws/ebs)
If the above error is found, you need to create a KMS alias
in the target region.
Please login into EC2 console using your Backup account's
credentials and go to the target region's Encryption keys section in IAM
Does it show no encryption keys, like in the picture below?
Or maybe an encryption key appears, but it's missing an alias, and only its description says what it applies to?
If the key
with the "aws/ebs" alias doesn't appear, then the key is missing.
You can create it by manually creating a new 1GB encrypted volume in the target
You don't have to actually create the volume. As soon as you select the
"Encrypt this volume" option, the "aws/ebs" key will be
At this point, you can cancel volume creation and run the backup again.
If the key does exist, and yet DR fails with "no matching KMS alias"
error, then this is likely a permissions issue.
Please make sure that the account has the required permissions per the KB