Migrating Encrypted KMS Data Across Regions

  • Keys generated by KMS are only stored and used in the region in which they were created.

  • They cannot be transferred to another region.

  • During migration, services such as EBS let you re-encrypt the copy under a CMK that belongs to the destination region.

  • If you have been using envelope encryption and have encrypted data with data keys, then you will have to decrypt all of that data before migrating it to a different region.

  • Previously, because KMS is region-specific, RDS supported cross-region migration only for unencrypted RDS snapshots; now encrypted RDS snapshots can be migrated across regions as well.

Copying an RDS snapshot

  • If you delete a source snapshot before the target snapshot becomes available, the snapshot copy may fail.

  • If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted.

  • If you copy an encrypted snapshot within the same Region, you can encrypt the copy with the same KMS CMK as the original snapshot, or you can specify a different KMS CMK.

  • If you copy an encrypted snapshot across Regions, you can't use the same KMS CMK for the copy as used for the source snapshot, because AWS KMS CMKs are Region-specific.

    • Instead, you must specify an AWS KMS CMK that is valid in the destination Region.

  • You can also encrypt a copy of an unencrypted snapshot.

    • This way, you can quickly add encryption to a previously unencrypted DB instance.

        1. Create a snapshot of your DB instance when you are ready to encrypt it.

        2. Then, create a copy of that snapshot and specify a KMS CMK to encrypt that snapshot copy.

        3. Restore an encrypted DB instance from the encrypted snapshot.
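The three steps above, together with the cross-region CMK rule, as an AWS CLI script. This is an added example, not code from the original notes or from AWS; it assumes AWS CLI v2 with credentials valid in both regions, and the region, snapshot and key identifiers are placeholders supplied by the caller. Setting DRY_RUN=1 prints each command instead of executing it.

```shell
#!/usr/bin/env bash
# Hypothetical helper (added example): snapshot an RDS instance, copy the snapshot
# to another region re-encrypted under a destination-region CMK, then restore it.
set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: take a manual snapshot of the source instance and wait for it.
create_snapshot() {
  src_region="$1"; db_id="$2"; snap_id="$3"
  run aws rds create-db-snapshot --region "$src_region" \
    --db-instance-identifier "$db_id" --db-snapshot-identifier "$snap_id"
  run aws rds wait db-snapshot-available --region "$src_region" \
    --db-snapshot-identifier "$snap_id"
}

# Step 2: copy across regions. --kms-key-id must name a CMK in the destination
# region; the source CMK cannot be reused because KMS keys never leave their region.
# Cross-region copies must reference the source snapshot by its full ARN.
copy_snapshot_cross_region() {
  src_region="$1"; dst_region="$2"; src_arn="$3"; dst_snap_id="$4"; dst_kms_key="$5"
  case "$src_arn" in
    arn:aws:rds:*) ;;
    *) echo "cross-region copy needs the source snapshot ARN, got: $src_arn" >&2; return 1 ;;
  esac
  run aws rds copy-db-snapshot --region "$dst_region" --source-region "$src_region" \
    --source-db-snapshot-identifier "$src_arn" \
    --target-db-snapshot-identifier "$dst_snap_id" \
    --kms-key-id "$dst_kms_key"
  # Keep the source snapshot until the target is available, or the copy can fail.
  run aws rds wait db-snapshot-available --region "$dst_region" \
    --db-snapshot-identifier "$dst_snap_id"
}

# Step 3: restore an encrypted instance in the destination region from the copy.
restore_from_snapshot() {
  dst_region="$1"; dst_snap_id="$2"; new_db_id="$3"
  run aws rds restore-db-instance-from-db-snapshot --region "$dst_region" \
    --db-instance-identifier "$new_db_id" --db-snapshot-identifier "$dst_snap_id"
}
```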
