To use a custom (customer-managed) KMS encryption key for DR, you need to perform the following:
- In the account where the custom key resides:
  - Open Encryption Keys (under IAM in older consoles; the KMS console today) and browse to the key you wish to share.
  - Under Key Users -> External Accounts, click Add External Account.
  - Enter the 12-digit account ID of the DR account you wish to share the key with.
- Go to the volume you wish to copy to the DR account and/or region and add the following tag:
  - The tag’s “key” = cpm_dr_encryption_key
  - The tag’s “value” = the full ARN of the encryption key you shared in item #1, for example: arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
- If you perform cross-region DR, you need a key in each target region, since a KMS key belongs to a single region and cannot be shared across regions. In that case the tag’s “key” includes the region where the key is, and the ARN must be a key from that region; for example, the tag for an Ohio (us-east-2) key is: key = cpm_dr_encryption_key:us-east-2 , value = arn:aws:kms:us-east-2:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
Note that if the tag value is not the full key ARN (for example, only the key ID), DR fails with “DR encountered an internal problem” and the following exception appears in the logs during the DR backup:
ERROR: dr_function(dr.py:145) DR function encountered an exception
Traceback (most recent call last):
  File "./cpmserver/cpm/dr.py", line 143, in dr_function
  File "./cpmserver/cpm/dr.py", line 203, in dr_function_inner
  File "./cpmserver/cpm/dr_volume.py", line 142, in start_copy
  File "./cpmserver/cpm/dr_volume.py", line 121, in prepare_specific_encryption_keys
  File "./common/aws_utils.py", line 928, in prepare_specific_encryption_keys_from_tags
  File "./common/aws_utils.py", line 896, in add_encryption_key
  File "./common/aws_utils.py", line 882, in encryption_key_hint
IndexError: list index out of range
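The following script is an added example and is not N2WS/CPM code. It covers both the key-sharing step and the volume-tagging step above, and it checks the two mistakes the procedure is most prone to: a tag value that is not a full key ARN (the IndexError above) and a key whose region does not match the cross-region DR target. The account ID, volume ID and key ARN are placeholders, the key-policy statement is my assumption of what the console’s Add External Account step adds in policy view, and the aws CLI command is printed rather than executed so the script runs without credentials.

```shell
#!/bin/sh
# Added example, not part of N2WS/CPM: prepares the inputs for the custom
# DR key procedure and catches the "not a full ARN" mistake before CPM runs.
# All IDs (account, volume, key) are placeholders.
set -eu

# Exit 0 only for a full KMS key ARN. CPM requires the full ARN in the tag
# value; a bare key ID or alias makes DR fail with an IndexError.
is_full_kms_key_arn() {
    printf '%s' "$1" | grep -Eq \
        '^arn:aws(-[a-z]+)?:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f-]{36}$'
}

# Region component of a KMS key ARN (fourth colon-separated field).
arn_region() {
    printf '%s' "$1" | cut -d: -f4
}

# Tag key CPM looks for on the volume: plain for same-region DR, suffixed
# with the destination region for cross-region DR.
dr_tag_key() {
    if [ -z "${1:-}" ]; then
        printf 'cpm_dr_encryption_key'
    else
        printf 'cpm_dr_encryption_key:%s' "$1"
    fi
}

# Key-policy statement that lets the DR account ($1) use the key. Assumed
# here to be the policy-view equivalent of the console's "Add External
# Account" step; paste it into the key policy's Statement list.
dr_key_policy_statement() {
    cat <<EOF
{
  "Sid": "Allow DR account $1 to use this key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::$1:root"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
             "kms:GenerateDataKey*", "kms:DescribeKey",
             "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
  "Resource": "*"
}
EOF
}

# Validates the key ARN against the DR target region and prints the aws CLI
# command that adds the tag. Nothing is executed; pipe the output into sh
# once it looks right.
tag_volume_for_dr() {
    volume_id=$1
    key_arn=$2
    dr_region=${3:-}
    if ! is_full_kms_key_arn "$key_arn"; then
        echo "ERROR: '$key_arn' is not a full KMS key ARN" >&2
        return 1
    fi
    if [ -n "$dr_region" ] && [ "$(arn_region "$key_arn")" != "$dr_region" ]; then
        echo "ERROR: key lives in $(arn_region "$key_arn") but DR target is $dr_region;" \
             "KMS keys are regional, use a key created in $dr_region" >&2
        return 1
    fi
    printf 'aws ec2 create-tags --resources %s --tags Key=%s,Value=%s\n' \
        "$volume_id" "$(dr_tag_key "$dr_region")" "$key_arn"
}

# Usage: sh cpm_dr_key.sh <volume-id> <key-arn> [dr-region]
if [ -n "${1:-}" ]; then
    tag_volume_for_dr "$@"
fi
```

To apply the tag, run the script with the volume ID, key ARN and (for cross-region DR) the destination region, and pipe its output into sh with credentials for the account that owns the volume. The key-policy statement is meant for the console’s policy view; if you instead use aws kms put-key-policy, remember that it replaces the whole policy, so merge the statement into the existing document rather than submitting it alone.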
Reference feature number: N2WS-777. Added in 2.3.0d; RDS support added in 2.4.0.