DR of encrypted snapshots may fail with the No matching KMS alias error

DR of encrypted snapshots may fail with the “No matching KMS alias” error

DR of encrypted snapshots may fail with the following error in the Backup log:
ERROR:  start_copy_region(.\cpmserver\cpm\dr_volume.py:<line number>)  Volume DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source region>), target <targetregion, snapshot snap-1234567890abcdefg, KMS alias: alias/aws/ebs)

If the above error is found, you need to create a KMS alias in the target region.

Please login into EC2 console using your Backup account's credentials and go to the target region's Encryption keys section in IAM

Does it show no encryption keys, like in the picture below?
Or maybe an encryption key appears, but it's missing an alias, and only its description says what it applies to?


If the key  with the "aws/ebs" alias doesn't appear, then the key is missing.
You can create it by manually creating a new 1GB encrypted volume in the target region.
You don't have to actually create the volume. As soon as you select the "Encrypt this volume" option, the "aws/ebs" key will be created automatically.

At this point, you can cancel volume creation and run the backup again.

If the key does exist, and yet DR fails with "no matching KMS alias" error, then this is likely a permissions issue.
Please make sure that the account has the required permissions per the KB below: