There seems to be some confusion here. Please note that when we create a DMS endpoint with a KMS key, that KMS key is used to encrypt the connection parameters for the endpoint and is not used to connect to the source or target. Connection-level encryption is provided with SSL or TLS and doesn't need KMS to decrypt the source or target storage.
I also understand that it works with provisioned DMS and fails with a custom KMS key (not using aws/dms) for serverless DMS. Let me know if it helps. You can always use aws/dms to encrypt the connection parameters for the endpoint.
You seem to be hitting the limitation mentioned at https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Serverless.Limitations.html
AWS DMS serverless doesn't support using AWS customer managed keys. AWS DMS serverless only supports using the default DMS key.
Thanks for responding. I had seen that limitation; I thought that's related to DMS Serverless Replication not being able to encrypt data being replicated in transit using a custom KMS key. I was hoping that since the custom KMS key is only being accessed to decrypt the data from the source RDS, it's still feasible using the serverless replication.
Is the above understanding correct, or is the limitation for any interaction with a custom KMS key, whether it's to decrypt from source RDS or to encrypt data in transit?
Thanks, there was a gap in my understanding. This is resolved now using just the default KMS key.