DR of encrypted snapshots of an Aurora DB cluster may fail with a “No matching KMS alias” error in the backup log:
Error - Aurora DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source_region>, target <target_region>, RDS snapshot cpm-policy-9-db0-2018-11-15-11-55, KMS alias: alias/someKMSkey)
If you see this error, check the following points:
1) A KMS key with the same alias (alias/someKMSkey in the example above) exists in the target region of each DR account. KMS aliases are regional, so the alias must be created in every target region, not just once per account.
2) The tag cpm_dr_encryption_key has been added to all instances of the DB cluster (see the KB article referenced below).
3) Each KMS key's policy lists the DR account as an external user and grants it the necessary permissions.
The minimal key policy statements for the DR account are shown below; in the example the DR (external) account ID is 222222222222. Add these statements to the existing key policy and keep the statement that gives the key owner's account administrative access: a key policy consisting only of the two statements below would make the key unmanageable.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::222222222222:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::222222222222:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
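The three checks above can be scripted as a pre-flight before the next DR run. The following is an added example written for this article, not code from the backup product: each function takes the response shape that boto3's kms.list_aliases() (run in the DR account against the target region), rds.describe_db_instances() (its TagList field) and kms.get_key_policy() return, so the logic can be exercised offline. All sample responses, instance names and the key ID are constructed for the example; the key policy is the one from this article.

```python
"""Offline pre-flight for the three causes of "No matching KMS alias".
Added example: functions take the JSON that boto3's kms.list_aliases(),
rds.describe_db_instances() and kms.get_key_policy() return, so they can be
run without AWS access. Sample responses below are constructed, not captured."""
import json
from fnmatch import fnmatchcase

TAG_KEY = "cpm_dr_encryption_key"
# Concrete actions the cross-account copy needs on the key; derived from the
# policy in the article (kms:ReEncrypt* / kms:GenerateDataKey* are wildcards
# there, so one member of each family is listed). Assumed minimal set.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey",
                    "kms:ReEncryptFrom", "kms:CreateGrant")


def alias_exists(list_aliases_response, alias_name):
    """Point 1: alias present in the target region and bound to a key
    (an alias without TargetKeyId is only a reserved placeholder)."""
    return any(a.get("AliasName") == alias_name and a.get("TargetKeyId")
               for a in list_aliases_response.get("Aliases", []))


def instances_missing_tag(describe_db_instances_response, cluster_id, tag_key=TAG_KEY):
    """Point 2: every instance of the cluster must carry the tag."""
    missing = []
    for inst in describe_db_instances_response.get("DBInstances", []):
        if inst.get("DBClusterIdentifier") != cluster_id:
            continue
        if tag_key not in {t["Key"] for t in inst.get("TagList", [])}:
            missing.append(inst["DBInstanceIdentifier"])
    return missing


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def missing_key_actions(key_policy_json, account_id, required=REQUIRED_ACTIONS):
    """Point 3: Allow statements naming the external account root must cover
    every required action (wildcards expanded). Deny statements and conditions
    are not evaluated, so a pass here is necessary, not sufficient."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    granted = []
    for stmt in json.loads(key_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if root_arn in _as_list(aws) or account_id in _as_list(aws):
            granted.extend(_as_list(stmt.get("Action")))
    return [a for a in required if not any(fnmatchcase(a, pat) for pat in granted)]


def run_checks(aliases, instances, key_policy, *, alias_name, cluster_id, dr_account):
    """Return a list of human-readable findings; empty means all three points pass."""
    findings = []
    if not alias_exists(aliases, alias_name):
        findings.append(f"alias {alias_name} not found in target region")
    untagged = instances_missing_tag(instances, cluster_id)
    if untagged:
        findings.append(f"instances without {TAG_KEY} tag: {', '.join(untagged)}")
    lacking = missing_key_actions(key_policy, dr_account)
    if lacking:
        findings.append(f"key policy does not grant {dr_account}: {', '.join(lacking)}")
    return findings


# Constructed sample data (hypothetical key ID, instance and cluster names).
ALIASES_OK = {"Aliases": [{"AliasName": "alias/someKMSkey",
                           "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}]}
ALIASES_MISSING = {"Aliases": [{"AliasName": "alias/otherKey",
                                "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}]}
INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "db0", "DBClusterIdentifier": "aurora-prod",
     "TagList": [{"Key": TAG_KEY, "Value": "alias/someKMSkey"}]},
    {"DBInstanceIdentifier": "db1", "DBClusterIdentifier": "aurora-prod", "TagList": []},
    {"DBInstanceIdentifier": "other", "DBClusterIdentifier": "other-cluster", "TagList": []},
]}
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["kms:CreateGrant", "kms:ListAliases", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]})

if __name__ == "__main__":
    for finding in run_checks(ALIASES_MISSING, INSTANCES, KEY_POLICY,
                              alias_name="alias/someKMSkey", cluster_id="aurora-prod",
                              dr_account="222222222222"):
        print("FAIL:", finding)
```

To use it against a real account, feed run_checks() the live responses: list_aliases from a session in the DR account pointed at the target region, describe_db_instances and get_key_policy (PolicyName "default") from the source account. The policy check is deliberately conservative: it only confirms an Allow statement for the DR account root exists for each action and does not evaluate Deny statements or conditions, so it catches the missing-permission case from point 3 without claiming to be a full policy simulator.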