Encrypted Snapshot may fail DR with the “Given key ID is not accessible” error


Problem: DR copy may fail with errors like “Given key ID is not accessible”

The following error may be printed in the CPM Backup log and the CPM Server log:

Error - Volume DR copy snapshot failed for region US East (Ohio) (in DR account), snapshot snap-11111111111111111 (status: error). Error: Given key ID is not accessible

The following error may be printed in the Amazon CloudTrail log in JSON Format:

User: arn:aws:sts::222222222222:assumed-role/aaaa.CPM-Service-Backups-Role/CPM-assumed-prod is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-2:123456789012:key/111abcde-f123-12g3-1234-1hijklmn2o34

This is a sample of how this event would look in CloudTrail:


Cause: This may be caused by the user/role permissions policy lacking the required permissions, and/or the user not being listed as a “key user” for that key.

Solution: Correct the user/role permissions policy and/or add the user as a “key user” to that key.
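
The following is an added example, not N2WS or AWS code: it parses the CloudTrail error text quoted above to identify the denied role, action and key, and builds key-policy statements modelled on the ones the AWS KMS console writes for a “key user”. The function names (`role_arn`, `diagnose`, `key_user_statements`) are hypothetical, and the account, role and key IDs are the placeholders from this page.

```python
import re

# AccessDenied text as CloudTrail records it in the event's errorMessage field.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: "
    r"(?P<action>kms:\w+) on resource: "
    r"(?P<key>arn:aws:kms:[\w-]+:(?P<key_acct>\d{12}):key/[\w-]+)")
ASSUMED = re.compile(r"arn:aws:sts::(?P<acct>\d{12}):assumed-role/(?P<role>[^/]+)/")

# Error text quoted on this page (placeholder account, role and key IDs).
SAMPLE = ("User: arn:aws:sts::222222222222:assumed-role/"
          "aaaa.CPM-Service-Backups-Role/CPM-assumed-prod is not authorized to "
          "perform: kms:CreateGrant on resource: arn:aws:kms:us-east-2:"
          "123456789012:key/111abcde-f123-12g3-1234-1hijklmn2o34")


def role_arn(principal):
    """Turn an STS session ARN into the IAM role ARN a policy should name.
    Session ARNs omit the role path, so a role created under a path needs
    the path added back by hand."""
    m = ASSUMED.match(principal)
    return f"arn:aws:iam::{m['acct']}:role/{m['role']}" if m else principal


def diagnose(error_message):
    """Return who was denied which KMS action on which key, or None."""
    m = DENIED.search(error_message)
    if m is None:
        return None
    role = role_arn(m["principal"])
    # Cross-account: the key policy must allow the role AND the role's own
    # IAM policy must allow the action on this key ARN.
    return {"role": role, "action": m["action"], "key": m["key"],
            "cross_account": role.split(":")[4] != m["key_acct"]}


def key_user_statements(role):
    """Key-policy statements modelled on the KMS console's 'key users' entry."""
    who = {"AWS": role}
    return [
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": who,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": who, "Action": ["kms:CreateGrant", "kms:ListGrants",
                                      "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]
```

For the sample message, `diagnose(SAMPLE)` reports a cross-account denial, so the key policy in the key's account and the role's IAM policy in the DR account both need to allow the grant actions.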