1 Answer
1
As described in the following AWS blog, a Customer Managed key is used to encrypt the backup vault.
Cross-accounting can be set up by sharing that Customer Managed key with the destination account.
https://aws.amazon.com/jp/blogs/storage/protecting-encrypted-amazon-rds-instances-with-cross-account-and-cross-region-backups/
The issue is that the customer has 31 days of RDS snapshots encrypted with AWS Managed Key and needs to convert them to snapshots encrypted with Customer Managed Key before copying them to the destination account in order to avoid losing any previous backup (retention policy for this customer is 31 days). The customer is asking for the recommended procedure to make the conversion and copy to the destination account.
It would be a good idea to include a setting to copy from the existing backup vault to a backup vault encrypted with a customer-managed key, and from there to other accounts.
This does not answer the OP's question :(
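The conversion asked about in the thread can be planned per snapshot. The sketch below is an added example, not code from the answer or the linked blog, and it uses RDS snapshot copy rather than an AWS Backup vault copy: copying a snapshot with a customer managed key re-encrypts the copy, which can then be shared once the key policy admits the destination account. Account IDs, ARNs and snapshot names are constructed, and the set of AWS managed key ARNs is assumed to have been resolved beforehand (KMS `DescribeKey` reports `KeyManager` as `AWS` for them).

```python
# Added example; account IDs, ARNs and snapshot names below are constructed.
SRC, DEST = "111111111111", "222222222222"
AWS_MANAGED = f"arn:aws:kms:eu-west-1:{SRC}:key/aaaaaaaa-0000-0000-0000-000000000000"
CMK = f"arn:aws:kms:eu-west-1:{SRC}:key/bbbbbbbb-0000-0000-0000-000000000000"

def cross_account_key_statements(dest_account_id):
    """Statements to append to the CMK's key policy for the destination account."""
    principal = {"AWS": f"arn:aws:iam::{dest_account_id}:root"}
    return [
        {"Sid": "AllowUseOfKey", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        # Grants are limited to AWS services acting on the account's behalf.
        {"Sid": "AllowGrantsForAWSResources", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def plan_reencryption(snapshots, aws_managed_key_arns, cmk_arn, dest_account_id):
    """Build boto3 RDS call parameters for snapshots still on an AWS managed key."""
    plan = []
    for snap in snapshots:
        # Only snapshots on an AWS managed key need re-encrypting before sharing.
        if not snap.get("Encrypted") or snap.get("KmsKeyId") not in aws_managed_key_arns:
            continue
        # Automated snapshot IDs start with "rds:"; a manual copy's ID cannot contain ":".
        target = "cmk-" + snap["DBSnapshotIdentifier"].split(":")[-1]
        plan.append({
            # Copying with a different KmsKeyId re-encrypts the copy under that key.
            "copy_db_snapshot": {"SourceDBSnapshotIdentifier": snap["DBSnapshotIdentifier"],
                                 "TargetDBSnapshotIdentifier": target,
                                 "KmsKeyId": cmk_arn, "CopyTags": True},
            # Share the re-encrypted manual copy with the destination account only.
            "modify_db_snapshot_attribute": {"DBSnapshotIdentifier": target,
                                             "AttributeName": "restore",
                                             "ValuesToAdd": [dest_account_id]},
        })
    return plan

SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:appdb-2024-05-01-00-05", "Encrypted": True, "KmsKeyId": AWS_MANAGED},
    {"DBSnapshotIdentifier": "appdb-manual-cmk", "Encrypted": True, "KmsKeyId": CMK},
]

if __name__ == "__main__":
    for step in plan_reencryption(SAMPLE_SNAPSHOTS, {AWS_MANAGED}, CMK, DEST):
        print(step)
```

Each plan entry maps onto the boto3 RDS client calls of the same name; the copies are manual snapshots, so they are not removed by the automated-backup retention window.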