RDS encryption - Switch from KMS AWS Managed Key to Customer Managed Key


Hello, I'm working with a customer who has encrypted their RDS instances with KMS AWS Managed Key. Now, due to the need to use AWS Backup with cross-account backup they need to switch from AWS Managed key to Customer Managed key. What is the AWS recommended procedure to perform the switch also considering that the customer has a retention policy for production backup of 31 days and of course they don't want to loose existing backup ? Thanks in advance, Enrico

1 Answer

As described in the following AWS blog, Customer Managed key is used to encrypt the backup vault.
Cross-accounting can be set up by sharing that Customer Managed key with the destination account.

profile picture
answered 10 months ago
  • The issue is that the customer has 31 days of RDS snapshots encrypted with AWS Managed Key and need to convert them to snapshots encrypted with Customer Managed Key before to copy them to the destination account in order to avoid losing any previous backup (retention policy for this customer is 31 days). The customer is asking for the recommended procedure to make conversion and copy to the destination account.

  • It would be a good idea to include a setting to copy from the existing backup vault to a backup vault encrypted with a customer-managed key, and from there to other accounts.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions