Score:1

"Target KMS key" error when trying to enable backup replication on an AWS RDS instance


I created an RDS database instance using the AWS user interface, and I made sure that the "Backup replication" feature was enabled and I specified the ARN for a symmetric multi-region KMS key that I created for "encrypt and decrypt" usage. The database creation seemed to go successfully.

To my surprise, when I tried to modify the RDS instance, the "Enable replication in another AWS Region" box was still unchecked. So I checked the box, and entered the same ARN for the KMS key again. When I tried to submit the modification, I got the following error:

We're sorry, your request to modify DB instance rds-mysql-dev-1 has failed. The target KMS key [arn:aws:kms:us-west-2:REDACTED:key/mrk-REDACTED] does not exist, is not enabled or you do not have permissions to access it.

I double checked the KMS key and it is enabled. I thought perhaps I needed to add a role to the "Key users" section, so I added the AWSServiceRoleForRDS role. That seems like the only one that makes sense to be added. However, when I tried to modify the RDS instance again to enable backup replication with the same ARN, I got the same error as above.

Any idea what may be causing the error?

Tim
If the key exists, and is enabled, maybe you don't have access to the key in the other region. Check its key policy carefully, and check your IAM / SCP policies to see if they allow that use as well.
Tim
This AWS guide to RDS cross-region backups doesn't mention multi-region keys. Perhaps you should try the simpler solution. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html
Tim
Further reading, out of interest, finds that "You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption.". Suggest you follow the link above to AWS recommended process for RDS multi-region backups. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
pacoverflow
I found out that the key must be created in the region to which the backups are replicated. You cannot use a key that was created in the originating region.
Tim
Yep, KMS keys only exist in one region. Even the multi-region keys only really exist in one region. Suggest you answer your own question, so people don't come in to try to help, and to help others who have a similar problem in future :)
Score:2

So the problem is that I had created my symmetric multi-region KMS key in the same region in which I was creating the RDS database.

The KMS key needs to be created in the region where the backups will be replicated to. After I created a symmetric single-region KMS key in that region, I was able to modify the RDS instance to enable backup replication, and it also allowed me to select the new KMS key in the destination region. (Previously it only allowed me to enter an ARN because the destination region did not have any KMS keys defined.)
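As an added example (not part of the original question or answer), the same fix scripted with the AWS CLI: the key ARN is checked against the destination region before the replication call is made, because RDS resolves the target key in the destination region and a key whose ARN names the source region will not be found there. The account id, instance name and key ids below are placeholders, and the source/destination regions (us-west-2 to us-east-1) are assumed; the `aws` call is wrapped in a function and is not executed unless you call it with real credentials.

```shell
#!/bin/sh
# Added example, not code from the original post. Placeholder values:
# account 111122223333, instance rds-mysql-dev-1, source us-west-2,
# destination us-east-1. Needs the AWS CLI and credentials to actually run
# the replication call.

# Extract the region from a KMS key ARN of the form
# arn:aws:kms:REGION:ACCOUNT:key/KEY-ID (field 4, colon-separated).
kms_arn_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Succeed (status 0) only if the key ARN lives in the destination region.
# This is the precondition behind the "target KMS key ... does not exist"
# error: RDS looks the key up in the region the backups go to.
key_in_region() {
    arn="$1"
    dest="$2"
    [ "$(kms_arn_region "$arn")" = "$dest" ]
}

# Enable cross-region automated backup replication for one instance.
# A key in the destination region can be created beforehand with
#   aws kms create-key --region us-east-1
# and its ARN passed as the fifth argument.
enable_backup_replication() {
    src_region="$1"
    dest_region="$2"
    instance="$3"
    account="$4"
    key_arn="$5"

    if ! key_in_region "$key_arn" "$dest_region"; then
        echo "refusing: key $key_arn is not in destination region $dest_region" >&2
        return 1
    fi

    # The API is called in the destination region; --source-region lets
    # the CLI build the pre-signed URL for the source instance.
    aws rds start-db-instance-automated-backups-replication \
        --region "$dest_region" \
        --source-region "$src_region" \
        --source-db-instance-arn "arn:aws:rds:${src_region}:${account}:db:${instance}" \
        --kms-key-id "$key_arn" \
        --backup-retention-period 7
}

# Example invocation (uncomment with real values):
# enable_backup_replication us-west-2 us-east-1 rds-mysql-dev-1 111122223333 \
#     arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

The guard reproduces the condition the console error reports: a multi-region key created in us-west-2 has an ARN with region `us-west-2`, so `key_in_region` rejects it for a us-east-1 destination before any API call is made, while a key created in us-east-1 passes.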
