
AWS KMS Multi-Region Keys: non-supported resources list

0

Hello,

I’ve noticed that the resource AWS::ECS::Cluster ManagedStorageConfiguration does not support multi-Region keys, only single-Region keys. Is there a list available of resources that don’t support KMS multi-Region keys?

Thanks!

2 Answers
0

There isn't a comprehensive published list of all AWS resources that don't support KMS multi-Region keys. However, there are some notable limitations to be aware of:

  1. Custom key stores do not support multi-Region keys. You cannot create multi-Region keys in AWS CloudHSM key stores or external key stores.

  2. While multi-Region keys can be symmetric encryption KMS keys, asymmetric KMS keys, HMAC KMS keys, and keys with imported key material, not all AWS services support all these key types.

  3. AWS services that integrate with AWS KMS for encryption at rest or digital signatures generally treat multi-Region keys as single-Region keys. This means they may re-wrap or re-encrypt data moved between Regions rather than leveraging the multi-Region capability.

Regarding your specific observation about AWS::ECS::Cluster ManagedStorageConfiguration not supporting multi-Region keys, this aligns with how some AWS services implement their KMS integration. Multi-Region keys are primarily designed for specific use cases like global data management, disaster recovery, and distributed signing applications where you need to encrypt in one Region and decrypt in another without making cross-Region calls.

If you're planning to use multi-Region keys with specific AWS services, I would recommend testing the integration first or consulting the service-specific documentation to confirm compatibility.

Sources
Key stores - AWS Key Management Service
Multi-Region keys in AWS KMS - AWS Key Management Service
Key type reference - AWS Key Management Service
Security considerations for multi-Region keys - AWS Key Management Service

answered 3 months ago
0

Unfortunately, AWS doesn't currently maintain a comprehensive public list of all resources that don't support multi-Region keys. However, I can provide some guidance that should help you understand the current landscape.

Key Understanding:

Most AWS services that integrate with KMS for encryption at rest currently treat multi-Region keys as single-Region keys. This means they may re-wrap or re-encrypt data when moved between regions, even when using multi-Region keys.

Known Examples:

  • Amazon S3 cross-region replication decrypts and re-encrypts data under the destination region's KMS key, even with multi-Region keys
  • AWS ECS ManagedStorageConfiguration (as you mentioned)
  • Most AWS managed services with cross-region data movement functionality

Important Constraints:

  • AWS managed keys are always single-Region keys by design
  • Custom key stores cannot create multi-Region keys
  • Individual service configurations may have specific single-Region key requirements

Practical Recommendation:

Since AWS services generally treat multi-Region keys as single-Region keys for managed encryption, use single-Region keys for AWS service integrations unless you specifically need multi-Region capabilities for client-side encryption scenarios.

Multi-Region keys are most beneficial for:

  • Client-side encryption libraries (AWS Encryption SDK, S3 client-side encryption)
  • Cross-region application signing
  • Disaster recovery scenarios with client-side encryption

For definitive guidance on specific services beyond ECS, I recommend opening a support case where service teams can provide authoritative answers.

Let me know if you need any clarification on this information.

AWS EXPERT
answered 3 months ago
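Both answers come down to the same advice: confirm whether a key is single-Region before wiring it into a service integration such as ECS ManagedStorageConfiguration. The following pre-flight check is an added example, not code from either answer or from AWS; it assumes only the `KeyMetadata` shape returned by KMS `DescribeKey` (boto3 `kms.describe_key`), and the `StubKms` class with its hypothetical key IDs exists solely so the check runs offline.

```python
"""Pre-flight check for a KMS key before attaching it to a service that accepts only
single-Region keys (the ECS ManagedStorageConfiguration case above). Added example, not
from the re:Post answers; it assumes only the KeyMetadata shape of KMS DescribeKey."""
from typing import Any, Dict, List


def region_scope(meta: Dict[str, Any]) -> str:
    """Classify the key's Region scope from DescribeKey KeyMetadata."""
    # Multi-Region keys carry MultiRegion=True, and their key IDs start with "mrk-".
    if not (meta.get("MultiRegion") or str(meta.get("KeyId", "")).startswith("mrk-")):
        return "single-Region"
    cfg = meta.get("MultiRegionConfiguration", {})
    role = cfg.get("MultiRegionKeyType", "UNKNOWN")
    if role == "REPLICA":
        primary = cfg.get("PrimaryKey", {}).get("Arn", "<unknown>")
        return f"multi-Region REPLICA of {primary}"
    return f"multi-Region {role}"


def single_region_issues(meta: Dict[str, Any]) -> List[str]:
    """Reasons (empty = OK) the key cannot back a single-Region-only integration."""
    issues: List[str] = []
    scope = region_scope(meta)
    if scope != "single-Region":
        issues.append(f"{meta.get('KeyId')}: {scope}; service requires a single-Region key")
    if meta.get("KeyState") != "Enabled":
        issues.append(f"{meta.get('KeyId')}: KeyState is {meta.get('KeyState')}, not Enabled")
    return issues


def check_key(kms_client: Any, key_id: str) -> List[str]:
    """Look the key up through a boto3-style client (real or stubbed) and check it."""
    return single_region_issues(kms_client.describe_key(KeyId=key_id)["KeyMetadata"])


class StubKms:
    """Constructed DescribeKey responses (hypothetical keys) so the check runs offline."""
    KEYS = {
        "mrk-aaaa1111": {"KeyId": "mrk-aaaa1111", "MultiRegion": True, "KeyState": "Enabled",
                         "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}},
        "mrk-bbbb2222": {"KeyId": "mrk-bbbb2222", "MultiRegion": True, "KeyState": "Enabled",
                         "MultiRegionConfiguration": {"MultiRegionKeyType": "REPLICA",
                             "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-bbbb2222"}}},
        "cccc3333": {"KeyId": "cccc3333", "MultiRegion": False, "KeyState": "Enabled"},
        "dddd4444": {"KeyId": "dddd4444", "MultiRegion": False, "KeyState": "PendingDeletion"},
    }

    def describe_key(self, KeyId: str) -> Dict[str, Any]:
        return {"KeyMetadata": self.KEYS[KeyId]}
```

Against a real account, pass `boto3.client("kms")` instead of `StubKms()`; a non-empty list means the key should not be handed to a single-Region-only integration.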
