RDS encryption - Switch from KMS AWS Managed Key to Customer Managed Key
Hello, I'm working with a customer who has encrypted their RDS instances with KMS AWS Managed Key. Now, due to the need to use AWS Backup with cross-account backup they need to switch from AWS Managed key to Customer Managed key. What is the AWS recommended procedure to perform the switch also considering that the customer has a retention policy for production backup of 31 days and of course they don't want to loose existing backup ? Thanks in advance, Enrico
- 新しい順
- 投票が多い順
- コメントが多い順
As described in the following AWS blog, Customer Managed key is used to encrypt the backup vault.
Cross-accounting can be set up by sharing that Customer Managed key with the destination account.
https://aws.amazon.com/jp/blogs/storage/protecting-encrypted-amazon-rds-instances-with-cross-account-and-cross-region-backups/
関連するコンテンツ
AWS公式更新しました 1年前- AWS公式更新しました 1年前
The issue is that the customer has 31 days of RDS snapshots encrypted with AWS Managed Key and need to convert them to snapshots encrypted with Customer Managed Key before to copy them to the destination account in order to avoid losing any previous backup (retention policy for this customer is 31 days). The customer is asking for the recommended procedure to make conversion and copy to the destination account.
It would be a good idea to include a setting to copy from the existing backup vault to a backup vault encrypted with a customer-managed key, and from there to other accounts.