S3bucket using old kms key

0

For the periodic backup plugin in Jenkins I have provided an S3 bucket as the backup bucket. Later I updated the bucket with a new KMS key, but the bucket is still using the old KMS key. It is not updated and is not getting backed up. How can I solve this issue?

1 Answer
0
Accepted Answer

If you have changed the "default" KMS key on the bucket then that's it. Can you explain how you think it's still using the OLD key and not getting backed up now?

The IAM user used to access the bucket will also need access to the KMS key. Ensure the policy and the IAM policy for the user match the settings for the new KMS key rather than the old one.

EXPERT
answered a year ago
  • On day 1 I can see the backup objects in my bucket. On the 2nd day the KMS key for the bucket was updated (changed to the new one) and then it doesn't put backup objects. In the system logs of the plugin I see an error saying the KMS key is pending deletion (the old key, as that key was destroyed via Terraform and the new key deployed).

    The policy and everything else is the same; I just destroyed the old key and deployed the new key.

  • It's likely that you have OLD data and even system backup state data in the S3 bucket encrypted with the OLD key. I would NOT delete the old key until you are 100% sure ALL data that was encrypted with the OLD key has gone or been re-encrypted.

    Unless the key has been compromised, I would not rush to delete key.

    I suspect if you restore the OLD key but leave the bucket on the NEW key it will all start working.

    Old objects will remain encrypted with the OLD key. They do not get re-encrypted!

  • Ya, thanks, that worked as I deleted all the old objects which were encrypted with the old key. Now it is getting backed up.

  • Glad to help
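The failure mode discussed in the answer and comments (objects written under the old KMS key stay encrypted with it, so scheduling that key for deletion breaks reads of the old backups and their state files) can be checked for before a key is retired. The script below is an added example, not code from the thread or from the Jenkins plugin. It groups objects by the KMS key recorded in their `HeadObject` metadata (`ServerSideEncryption`, `SSEKMSKeyId`) and flags any whose key is no longer `Enabled` in KMS (`KeyState` values such as `PendingDeletion` or `Disabled`). The bucket contents and key states below are constructed sample data with placeholder ARNs; the `collect_from_s3` and `collect_key_states` helpers are optional live collectors that use the standard boto3 calls and are assumed to run with credentials that can list the bucket and describe the keys.

```python
"""Inventory which KMS key encrypts each S3 object before retiring a key.

Added example for this thread (not the plugin's code). Object metadata is in
the shape S3 HeadObject returns; key states are in the shape KMS DescribeKey
returns under KeyMetadata.KeyState.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder ARNs; replace with the real key ARNs when run live.
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-PLACEHOLDER"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/NEW-KEY-PLACEHOLDER"

# Constructed sample: day-1 backups and the plugin's state file were written
# under the old key, the day-2 backup under the new bucket default key.
SAMPLE_OBJECTS: Dict[str, dict] = {
    "jenkins-backup/day1/FULL.zip": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": OLD_KEY},
    "jenkins-backup/day1/backup.state": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": OLD_KEY},
    "jenkins-backup/day2/FULL.zip": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": NEW_KEY},
    "README.txt": {"ServerSideEncryption": "AES256"},
}
SAMPLE_KEY_STATES: Dict[str, str] = {OLD_KEY: "PendingDeletion", NEW_KEY: "Enabled"}


@dataclass
class KeyAudit:
    objects_by_key: Dict[str, List[str]] = field(default_factory=dict)  # KMS ARN -> object keys
    sse_s3: List[str] = field(default_factory=list)        # SSE-S3 (AES256) objects
    unencrypted: List[str] = field(default_factory=list)   # no server-side encryption


def audit_object_keys(object_meta: Dict[str, dict]) -> KeyAudit:
    """Group object keys by the KMS key that encrypts them."""
    audit = KeyAudit()
    for obj_key, meta in object_meta.items():
        sse = meta.get("ServerSideEncryption")
        if sse == "aws:kms":
            audit.objects_by_key.setdefault(meta["SSEKMSKeyId"], []).append(obj_key)
        elif sse == "AES256":
            audit.sse_s3.append(obj_key)
        else:
            audit.unencrypted.append(obj_key)
    return audit


def objects_at_risk(audit: KeyAudit, key_states: Dict[str, str]) -> Dict[str, dict]:
    """Objects whose KMS key is not Enabled; these become unreadable once the
    key is gone, which is exactly what broke the backup job in the thread."""
    at_risk: Dict[str, dict] = {}
    for kms_arn, objs in audit.objects_by_key.items():
        state = key_states.get(kms_arn, "Unknown")
        if state != "Enabled":
            at_risk[kms_arn] = {"state": state, "objects": sorted(objs)}
    return at_risk


def safe_to_schedule_deletion(audit: KeyAudit, kms_arn: str) -> bool:
    """True only when no object in the inventory still depends on this key."""
    return not audit.objects_by_key.get(kms_arn)


def collect_from_s3(bucket: str, prefix: str = "") -> Dict[str, dict]:
    """Live collector (needs credentials); boto3 is imported lazily so the
    rest of the module runs offline without it."""
    import boto3
    s3 = boto3.client("s3")
    meta: Dict[str, dict] = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            meta[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return meta


def collect_key_states(kms_arns) -> Dict[str, str]:
    """Live collector: KeyState for each key referenced by the inventory."""
    import boto3
    kms = boto3.client("kms")
    return {arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyState"] for arn in kms_arns}


if __name__ == "__main__":
    audit = audit_object_keys(SAMPLE_OBJECTS)
    for arn, info in objects_at_risk(audit, SAMPLE_KEY_STATES).items():
        print(f"{arn}: {info['state']}, {len(info['objects'])} object(s) still depend on it")
    print("old key safe to schedule for deletion:", safe_to_schedule_deletion(audit, OLD_KEY))
```

Running this against the sample data reports the two day-1 objects under the old key, which is the situation the comments describe: either restore the old key (cancel the pending deletion) until those objects are gone or rewritten, or, as the asker did, delete them. For a live run, swap `SAMPLE_OBJECTS` for `collect_from_s3("your-backup-bucket")` and build the key states with `collect_key_states(audit.objects_by_key)`.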
