I want to resolve an Amazon Relational Database Service (Amazon RDS) DB instance or Amazon Aurora DB cluster that’s in an inaccessible encryption state.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Important: It's best practice to turn on backups for encrypted Amazon RDS instances and Aurora clusters. For more information, see Determining whether encryption is turned on for a DB instance and Determining whether encryption is turned on for a DB cluster.
Inaccessible-encryption-credentials-recoverable state
Your Amazon RDS DB instance or Aurora DB cluster must be able to access the AWS Key Management Service (AWS KMS) encryption key. If the instance or cluster can't access the AWS KMS encryption key, then the cluster or instance enters an inaccessible-encryption-credentials-recoverable state.
To resolve the inaccessible-encryption-credentials-recoverable state, take the following actions:
- Confirm that the AWS account that owns the AWS KMS key is active.
  Note: If the account is suspended, then reactivate the suspended account.
- Confirm that the AWS KMS key is turned on (enabled).
- Check whether the AWS KMS key is scheduled for deletion. If it is, then cancel the scheduled key deletion.
- Use AWS CloudShell to restart your DB instance or cluster, or run one of the following AWS CLI commands to restart your Amazon RDS instance or Aurora cluster.
To restart your Amazon RDS DB instance, run the start-db-instance command:
aws rds start-db-instance --db-instance-identifier example-instance
Note: Replace example-instance with the name of your Amazon RDS instance.
To restart your Aurora DB cluster, run the start-db-cluster command:
aws rds start-db-cluster --db-cluster-identifier example-cluster
Note: Replace example-cluster with the name of your Aurora cluster.
Inaccessible-encryption-credentials state
If the Amazon RDS instance or Aurora cluster doesn't recover in 7 days, then the instance or cluster moves to the terminal inaccessible-encryption-credentials state.
DB instances that have read replicas (in-Region or cross-Region) can't be stopped, so they bypass the recoverable state: if such an instance can't access the AWS KMS key for 2 hours, it transitions directly to the terminal inaccessible-encryption-credentials state.
To resolve the inaccessible-encryption-credentials state, restore a snapshot as a new Amazon RDS instance or Aurora cluster. Or, perform a point-in-time recovery (PITR) to a specified point in time as a new Amazon RDS instance or Aurora cluster.
Note: You must have the AWS KMS key available to perform the snapshot restore or PITR. If you deleted or lost the AWS KMS key, then you can't recover the data.
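As an added example that is not part of the original article, the following POSIX shell script walks the checks above for a single Amazon RDS DB instance: it reads the instance status and KMS key ID, stops with guidance if the instance is already in the terminal state, otherwise enables the key or cancels its scheduled deletion as needed, and then starts the instance. The DB_INSTANCE_ID variable, the helper function names and the exit codes are assumptions; the AWS CLI must be configured with permissions in the account that owns the instance.

```shell
#!/bin/sh
# Added example (not from the original article): walk the recoverable-state
# checklist for one RDS DB instance. DB_INSTANCE_ID (assumed variable name)
# selects the instance; the aws CLI must already be configured.

# Map an RDS DBInstanceStatus to the branch of the procedure that applies.
action_for_db_status() {
  case "$1" in
    inaccessible-encryption-credentials-recoverable) echo "repair-key" ;;
    inaccessible-encryption-credentials) echo "restore" ;;  # terminal: snapshot restore or PITR
    *) echo "none" ;;
  esac
}

# Map the KeyState from `aws kms describe-key` to the fix the article lists.
remediation_for_key_state() {
  case "$1" in
    Enabled) echo "start" ;;                        # key usable: just start the instance
    Disabled) echo "enable-key" ;;                  # key was turned off
    PendingDeletion) echo "cancel-key-deletion" ;;  # deletion scheduled: cancel it
    *) echo "unsupported" ;;                        # e.g. PendingImport, Unavailable: review manually
  esac
}

main() {
  db="$1"
  # describe-db-instances returns "<status>\t<key ARN>"; a suspended key-owner
  # account or a revoked key policy shows up later as AccessDenied from KMS.
  set -- $(aws rds describe-db-instances --db-instance-identifier "$db" \
    --query 'DBInstances[0].[DBInstanceStatus,KmsKeyId]' --output text)
  status="$1"; key_id="$2"
  case "$(action_for_db_status "$status")" in
    none) echo "$db is '$status'; nothing to do"; return 0 ;;
    restore) echo "$db is terminal; restore from a snapshot or PITR using key $key_id"; return 1 ;;
  esac
  state=$(aws kms describe-key --key-id "$key_id" \
    --query 'KeyMetadata.KeyState' --output text)
  case "$(remediation_for_key_state "$state")" in
    enable-key) aws kms enable-key --key-id "$key_id" ;;
    cancel-key-deletion) aws kms cancel-key-deletion --key-id "$key_id"
      aws kms enable-key --key-id "$key_id" ;;  # cancelling leaves the key Disabled
    unsupported) echo "key $key_id is in state $state; review manually"; return 1 ;;
  esac
  aws rds start-db-instance --db-instance-identifier "$db"
}

if [ -n "${DB_INSTANCE_ID:-}" ]; then main "$DB_INSTANCE_ID"; fi
```

Cancelling a scheduled deletion leaves the key in the Disabled state, which is why the script enables it afterwards. The account check from the procedure surfaces here as an AccessDenied error from describe-key rather than as a distinct KeyState.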
If you can't delete the DB instance or cluster that's in the inaccessible-encryption-credentials state, then use the AWS CLI to turn off deletion protection first.
To delete an Amazon RDS DB instance or Aurora DB cluster that's in the inaccessible-encryption-credentials state, run the following AWS CLI commands.
If your Amazon RDS instance or Aurora cluster doesn't delete after you run the preceding commands, then contact AWS Support.
Related information
Encrypting Amazon RDS resources
Encrypting Aurora resources