Backing up KMS Keys
I am using a few custom KMS keys to encrypt data in S3 and RDS.
Assume that the account was compromised, and a bad actor deleted the KMS keys. I know the keys can be recovered during the scheduled deletion period for the moment let's assume that if I am unable to recover the account before the scheduled deletion period expired, I will completely lose the KMS key. Any data encrypted using this key would be unrecoverable.
I want to know if there is a way to backup KMS keys let's say to another AWS account. Or is there any other way to prevent this situation?
I know this is an edge case but any guidance in this matter is highly appreciated.
Thanks
- 최신
- 최다 투표
- 가장 많은 댓글
I don’t believe there is away to recover KMS keys. However if this is a concern, what you can do is some of the following:-
- create CW alerts when KMS keys are scheduled for deletion and review
- create SCP policies to prevent KMS key deletion
- Replicate S3 data to another bucket in another account
- Utilise aws backup and backup objects to a vault
Gary
Yes, SCPs will be a workable solution for this. Thanks
Hi I have a query regarding this In case of a whole aws region lost, what would happen our records in KMS, Certificate Manager and Route 53?
- Will we able to use them from another region even the regions we created them is lost? or they will be lost together with region?
- Since we can't backup KMS keys, what would be the action to mitigate the risk of loosing whole region?
Hello All,
Is there any new development to this question? We need to backup the kms keys that encrypt our backups, what are our options?
Abhineet
관련 콘텐츠
AWS 공식업데이트됨 일 년 전
Hi Bisina, I'm a PM at HYCU. We offer a script-free backup for KMS that allows you to restore keys, policies, aliases, tags, and even key rotations. You can customize policies, store them in S3, and restore them when needed. I'm happy to provide a trial for you to check this out.