How do I resolve an Amazon RDS instance or Amazon Aurora cluster that’s in an inaccessible encryption state?


I want to resolve an Amazon Relational Database Service (Amazon RDS) instance or Amazon Aurora cluster that’s in an inaccessible encryption state.

Short description

An Amazon RDS instance or Amazon Aurora cluster enters an inaccessible-encryption-credentials-recoverable state when it can't access the AWS Key Management Service (AWS KMS) encryption key. This occurs when the AWS KMS key is no longer activated or the AWS account has been suspended and reactivated.

If the Amazon RDS instance or Amazon Aurora cluster isn't recovered in seven days, then the instance or cluster transitions to the terminal state inaccessible-encryption-credentials.

You can use one of two methods to recover a cluster in this terminal state: you can restore the cluster from a backup (snapshot), or you can perform a point-in-time recovery (PITR). Both methods require that the AWS KMS key is already activated. If the AWS KMS key is deleted or lost, then the data is unrecoverable.

Note: To safeguard against data loss, it's a best practice to turn on backups for encrypted Amazon RDS instances and Amazon Aurora clusters. For more information, see Determining whether encryption is turned on for a DB instance and Determining whether encryption is turned on for a DB cluster.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Inaccessible-encryption-credentials-recoverable state

To resolve the inaccessible-encryption-credentials-recoverable state, complete the following steps:

  1. Confirm that the AWS account that holds the AWS KMS key is active. If the account is suspended, then reactivate the suspended account.

  2. Confirm that the AWS KMS key is turned on. If the AWS KMS key is turned off, then turn on the key.

  3. Check if the AWS KMS key is scheduled for deletion. If the key is scheduled for deletion, then cancel the scheduled key deletion.

  4. Restart your Amazon RDS instance or Amazon Aurora cluster:

    To restart your Amazon RDS instance, run the following start-db-instance command:

    aws rds start-db-instance --db-instance-identifier example-instance

    Note: Replace example-instance with your Amazon RDS instance name.

    To restart your Amazon Aurora cluster, run the following start-db-cluster command:

    aws rds start-db-cluster --db-cluster-identifier example-cluster

    Note: Replace example-cluster with your Amazon Aurora cluster name.

  5. (Optional) To restart your Amazon RDS instance or Amazon Aurora cluster, use AWS CloudShell.
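The following POSIX shell script is an added example (not part of the original article or of any AWS tooling) that ties steps 2 to 4 together for an Amazon RDS instance: it reads the instance status and the KMS key it uses, maps the key's state to the fix the steps above describe, applies it, and then starts the instance. It assumes the AWS CLI is configured with permissions for rds:DescribeDBInstances, rds:StartDBInstance, kms:DescribeKey, kms:EnableKey and kms:CancelKeyDeletion; the function names and the "unsupported" and "not-an-encryption-issue" labels are this example's own. For an Aurora cluster, substitute describe-db-clusters / start-db-cluster with the cluster identifier and the DBClusters[0].[Status,KmsKeyId] query.

```shell
#!/bin/sh
# Added example: diagnose and remediate an RDS instance that is in the
# inaccessible-encryption-credentials-recoverable state.

# Map a KMS KeyState (from `aws kms describe-key`) to the action that makes
# the key usable again. Pure function, so it can be checked without AWS access.
remediation_for_key_state() {
  case "$1" in
    Enabled)         echo "none" ;;
    Disabled)        echo "enable-key" ;;
    PendingDeletion) echo "cancel-key-deletion" ;;
    *)               echo "unsupported" ;;   # e.g. Unavailable, PendingImport
  esac
}

# Map an RDS DBInstanceStatus to the recovery path the article describes.
recovery_path_for_status() {
  case "$1" in
    inaccessible-encryption-credentials-recoverable) echo "fix-key-and-start" ;;
    inaccessible-encryption-credentials)             echo "restore-from-snapshot-or-pitr" ;;
    *)                                               echo "not-an-encryption-issue" ;;
  esac
}

# Return "<status>\t<kms key arn>" for the instance.
describe_instance() {
  aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].[DBInstanceStatus,KmsKeyId]' \
    --output text
}

# Return the KeyState of the given KMS key id or ARN.
key_state() {
  aws kms describe-key --key-id "$1" \
    --query 'KeyMetadata.KeyState' --output text
}

main() {
  instance="$1"
  # Split the tab-separated describe output into status and key ARN.
  set -- $(describe_instance "$instance")
  status="$1"; key_arn="$2"
  case "$(recovery_path_for_status "$status")" in
    fix-key-and-start)
      state=$(key_state "$key_arn")
      case "$(remediation_for_key_state "$state")" in
        none) ;;
        enable-key)          aws kms enable-key --key-id "$key_arn" ;;
        cancel-key-deletion) aws kms cancel-key-deletion --key-id "$key_arn" ;;
        *) echo "key $key_arn is in state $state; fix it manually first" >&2; exit 1 ;;
      esac
      # Step 4: restart the instance once the key is usable again.
      aws rds start-db-instance --db-instance-identifier "$instance"
      ;;
    restore-from-snapshot-or-pitr)
      echo "$instance is in the terminal state; restore from a snapshot or use PITR" >&2
      exit 2 ;;
    *)
      echo "$instance status is '$status'; not an encryption-credentials problem" >&2 ;;
  esac
}

# Run the live flow only when an instance identifier is supplied:
#   sh fix-rds-key.sh example-instance
if [ $# -ge 1 ]; then
  main "$1"
fi
```

The script refuses to touch a key whose state is anything other than Disabled or PendingDeletion, because a key that is Unavailable or PendingImport (or one in another account that is still suspended) cannot be fixed from the RDS side; step 1 above has to be completed first.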

Inaccessible-encryption-credentials state

To resolve the inaccessible-encryption-credentials state, restore a snapshot as a new Amazon RDS instance or Amazon Aurora cluster. Or, perform a PITR to a specified point in time to create the new Amazon RDS instance or Amazon Aurora cluster.

Delete an Amazon RDS instance or Amazon Aurora cluster that's in the inaccessible-encryption-credentials state

To delete an Amazon RDS instance or Amazon Aurora cluster that's in the inaccessible-encryption-credentials state, run one of the following AWS CLI commands:

To delete an Amazon RDS instance, run the following delete-db-instance command:

aws rds delete-db-instance --db-instance-identifier example-instance --skip-final-snapshot

Note: Replace example-instance with your Amazon RDS instance name.

To delete an Amazon Aurora cluster, run the following delete-db-cluster command:

aws rds delete-db-cluster --db-cluster-identifier example-cluster --skip-final-snapshot

Note: Replace example-cluster with your Amazon Aurora cluster name.

If your Amazon RDS instance or Amazon Aurora cluster doesn't delete after you run the preceding commands, then contact AWS Support.

Related information

Encrypting Amazon RDS resources

Encrypting Amazon Aurora resources