To support the usage of a custom encryption key for DR, you will need to perform the following:
In the account where the custom key resides:
Go to KMS and browse to the key you wish to share.
Go to the "Other AWS accounts" at the bottom of the page and click "Add other AWS accounts".
Add the id of the DR account you wish to share the key with.
Go to the volume you wish to copy to DR account and/or region and add the following tag:
The tag’s “key” = cpm_dr_encryption_key
The tag’s “value” = The full arn of the encryption key you shared in item #1. For example- arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
If you perform cross-region DR, you will need to have a key for each region as AWS does not allow sharing encryption keys across regions. The tag’s “key” should include the region where the key is, for example- Ohio key tag will be: key = cpm_dr_encryption_key:us-east-2 , value = arn:aws:kms:us-east-1:123456789101:key/2eaadfb1-b630-4aef-9d90-2d0fb2061e05
Reference feature number – N2WS-777. Added in 2.3.0d. Added RDS feature support in 2.4.0