How to use custom KMS encryption keys for cross-region & cross-account DR


This article explains how to perform DR backups of resources that are encrypted with a custom (customer-managed) KMS key.

Info
If you perform cross-region DR, or cross-account DR to a different region, you will need a custom KMS key in each region with the same alias name, because a KMS key can only be used in the region where it was created; AWS does not allow sharing encryption keys across regions.
Alert
You must have cross-region backups enabled if you wish to perform cross-account backups of encrypted RDS databases or encrypted EBS volumes.
Steps:

1) In the source account where the custom key resides:
  1. Go to KMS and browse to the key you wish to share.
  2. Scroll to the "Other AWS accounts" section at the bottom of the page and click "Add other AWS accounts".
  3. Add the AWS account ID of the DR account you wish to share the key with.
2) In the destination DR account, in the same region:
  1. Go to KMS and create a new KMS key with the same alias as the key in the source account.
  2. Scroll to the "Other AWS accounts" section at the bottom of the page and click "Add other AWS accounts".
  3. Add the AWS account ID of the source account where your resource lives.
Notes
If you are performing cross-account backups to a different region, you also need to create a custom KMS key in that region, following the same steps as in step 2.
3) Go to the volume or RDS instance you wish to copy to the DR account and/or region and add the following tag:

For cross-account backups to the same region, perform the steps below:

Notes
The example below uses eu-west-2, the region where the resource lives; the key referenced is the one in the DR account.
    1. The tag's "key" = "cpm_dr_encryption_key:eu-west-2"
    2. The tag's "value" = the full ARN of the custom encryption key you shared in the steps above. For example: arn:aws:kms:eu-west-2:619071328628:key/38f9bfe8-c98d-430f-8009-9bfc86666edd
For cross-account backups to a different region, perform the steps below:

Notes
The example below uses eu-west-1, the DR region configured on the N2WS policy.
    1. Add an additional tag whose "key" includes the region you are copying the backup to in the destination account. For example, if you want to copy your backups to the Ireland region in the destination account, use the tag key "cpm_dr_encryption_key:eu-west-1".
    2. The tag's "value" should be the ARN of the custom KMS key in the destination account's DR region. In this example the backups are copied to Ireland in the DR account, so the tag value is "arn:aws:kms:eu-west-1:619071328628:key/9c297211-44b5-437c-8d3d-43df25a4ca48".
These are the resulting tags attached to the RDS instance:



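The following is an added example (not N2WS/CPM code) that ties steps 1 to 3 together in a form you can check before clicking through the console. It builds the two key-policy statements that the KMS console's "Add other AWS accounts" button adds for a trusted account (steps 1.3 and 2.3), builds the cpm_dr_encryption_key:<region> tags for step 3, and audits a resource's tags so that a tag whose ARN is in a different region from the one named in the tag key (the usual reason a key is "not found") is caught early. The account ID and key IDs are the ones shown in this page's example ARNs; the 111111111111 source account is a constructed placeholder.

```python
"""Added example (not N2WS/CPM code): cross-account KMS key-policy
statements (steps 1 and 2) and cpm_dr_encryption_key tags (step 3),
with a consistency check over a resource's tags."""
import json
import re

TAG_PREFIX = "cpm_dr_encryption_key:"

# arn:aws:kms:<region>:<12-digit account>:key/<uuid>
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}-[a-z]+-\d):(?P<account>\d{12})"
    r":key/(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)


def parse_key_arn(arn):
    """Return (region, account_id, key_id); raise ValueError if not a key ARN."""
    m = KEY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return m.group("region"), m.group("account"), m.group("key_id")


def cross_account_statements(other_account_id):
    """The two statements KMS adds to a key policy for an 'other AWS account':
    use of the key, plus grant creation limited to AWS services (EBS and RDS
    create grants to attach encrypted volumes and copy encrypted snapshots).
    The principal is the account root, so IAM principals in that account
    still need an IAM policy of their own allowing these kms: actions."""
    principal = {"AWS": f"arn:aws:iam::{other_account_id}:root"}
    return [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def dr_encryption_tag(dr_region, dr_key_arn, dr_account_id=None):
    """Build the step-3 tag, refusing an ARN from the wrong region (KMS keys
    are regional) or, when dr_account_id is given, from the wrong account."""
    region, account, _ = parse_key_arn(dr_key_arn)
    if region != dr_region:
        raise ValueError(f"key is in {region} but the tag targets {dr_region}")
    if dr_account_id is not None and account != dr_account_id:
        raise ValueError(f"key belongs to {account}, expected {dr_account_id}")
    return {"Key": TAG_PREFIX + dr_region, "Value": dr_key_arn}


def check_dr_tags(tags):
    """Audit a resource's tags: {region: problem} for every
    cpm_dr_encryption_key tag whose value is not a key ARN in that region.
    An empty dict means the tags are consistent."""
    problems = {}
    for tag in tags:
        if not tag["Key"].startswith(TAG_PREFIX):
            continue
        region = tag["Key"][len(TAG_PREFIX):]
        try:
            arn_region, _, _ = parse_key_arn(tag["Value"])
        except ValueError as err:
            problems[region] = str(err)
            continue
        if arn_region != region:
            problems[region] = f"ARN is in {arn_region}, tag key says {region}"
    return problems


if __name__ == "__main__":
    SOURCE_ACCOUNT = "111111111111"  # constructed placeholder
    DR_ACCOUNT = "619071328628"      # account in the page's example ARNs
    # Step 2.3: statements added to the DR-account key, trusting the source.
    print(json.dumps(cross_account_statements(SOURCE_ACCOUNT), indent=2))
    # Step 3: the two tags from the page (same-region and cross-region DR).
    tags = [
        dr_encryption_tag("eu-west-2", "arn:aws:kms:eu-west-2:619071328628:key/"
                          "38f9bfe8-c98d-430f-8009-9bfc86666edd", DR_ACCOUNT),
        dr_encryption_tag("eu-west-1", "arn:aws:kms:eu-west-1:619071328628:key/"
                          "9c297211-44b5-437c-8d3d-43df25a4ca48", DR_ACCOUNT),
    ]
    print("problems:", check_dr_tags(tags))  # {} when consistent
```

The statements from cross_account_statements() are what the console writes into the key policy next to the default "Enable IAM User Permissions" statement; if you manage key policies as code you can place them in the policy document passed to `aws kms put-key-policy --policy-name default`. Run check_dr_tags() over the tags returned by `aws ec2 describe-tags` or `aws rds list-tags-for-resource` to find a tag that points at a key in the wrong region before the DR copy fails.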
Info
What happens if N2WS cannot find a matching KMS key in the target region or account?

If no matching encryption key is found, either by alias or by custom tag, the behaviour of the backup depends on the Encryption Key Detection setting in the Security tab of the General Settings screen:


The options for Encryption Key Detection are:
  1. Use Default Key – If the encryption key is not matched, the default encryption key is used.
  2. Strict – The DR encryption key must match, either by alias or by custom tag.
  3. Use Default Key & Alert – Use the default key and send an alert.
For more details on this topic, see the corresponding section of the CPM User Guide.