N2W Software

            Cross-account DR backup of encrypted snapshots of Aurora cluster (RDS) may fail with the “No matching KMS alias” error

            Cross-account DR of encrypted snapshots of an Aurora DB cluster (RDS) may fail with the “No matching KMS alias” error in the backup log:
            Error - Aurora DR copy snapshot failed (in Backup account). No matching KMS alias on target region (source <source_region>, target <target_region>, RDS snapshot cpm-policy-9-db0-2018-11-15-11-55, KMS alias: alias/someKMSkey)
            If you see this error, check the following points:

            1) You have a KMS key, with the matching alias, created in each DR account.
            2) You have added the cpm_dr_encryption_key tag to every instance in the DB cluster.
            3) You have added the external (DR) account as a user of each KMS key and granted it the necessary permissions.
            The minimal KMS key policy is:
            DR account ID 222222222222 (external):
            {
              "Version": "2012-10-17",
              "Id": "key-consolepolicy-3",
              "Statement": [
                {
                  "Sid": "Allow use of the key",
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": [
                      "arn:aws:iam::222222222222:root"
                    ]
                  },
                  "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "Allow attachment of persistent resources",
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": [
                      "arn:aws:iam::222222222222:root"
                    ]
                  },
                  "Action": [
                    "kms:CreateGrant",
                    "kms:ListAliases",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "Bool": {
                      "kms:GrantIsForAWSResource": "true"
                    }
                  }
                }
              ]
            }
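            The following is an added example, not N2WS code, for verifying point 3 offline: it parses a key policy document (as returned by GetKeyPolicy or pasted from the console) and reports which of the actions in the minimal policy above are not granted to the DR account's root principal. The sample policies, the DR account ID 222222222222 and the helper names are constructed for the example.

```python
"""Check a KMS key policy for the permissions the external DR account needs."""
import json
from fnmatch import fnmatch

# Concrete actions covered by the minimal policy above (kms:ReEncrypt* and
# kms:GenerateDataKey* expanded to the API calls they match).
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListAliases",
    "kms:ListGrants", "kms:RevokeGrant",
)

def _as_list(value):
    # Policy fields such as Principal.AWS and Action may be a string or a list.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy: dict, account_id: str) -> set:
    """Collect the action patterns that Allow statements grant to the DR account root."""
    principal = f"arn:aws:iam::{account_id}:root"
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)
        if principal in aws or "*" in aws:
            patterns.update(_as_list(stmt.get("Action", [])))
    return patterns

def missing_actions(policy_json: str, account_id: str) -> list:
    """Return the required actions the policy does not grant; empty means complete."""
    patterns = allowed_actions(json.loads(policy_json), account_id)
    return [a for a in REQUIRED_ACTIONS if not any(fnmatch(a, pat) for pat in patterns)]

# Constructed sample: the minimal policy from this article, condensed.
POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["kms:CreateGrant", "kms:ListAliases", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]})
# Constructed sample: the same policy with the grant statement left out.
POLICY_NO_GRANTS = json.dumps({"Version": "2012-10-17",
                               "Statement": [json.loads(POLICY_OK)["Statement"][0]]})

if __name__ == "__main__":
    print("complete policy, missing:", missing_actions(POLICY_OK, "222222222222"))
    print("no grant statement, missing:", missing_actions(POLICY_NO_GRANTS, "222222222222"))
```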