AWS Disaster Recovery Plan: Safeguarding KMS, Certificate Manager, and Route 53 Data in the Event of a Region Failure?

In case a whole AWS region is lost, what would happen to our records in KMS, Certificate Manager and Route 53?

  • Will we be able to use them from another region even if the region we created them in is lost? Or will they be lost together with the region?
  • Since we can't back up KMS keys, what would be the action to mitigate the risk of losing a whole region?
2 Answers
Hello.

Route 53 is a global resource, so it can probably be used even if there is a region-level failure.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/disaster-recovery-resiliency.html

KMS and ACM are region-level resources, so if a region failure occurs, they will no longer be available in the region where the failure occurs.
https://docs.aws.amazon.com/kms/latest/developerguide/disaster-recovery-resiliency.html
https://docs.aws.amazon.com/acm/latest/userguide/disaster-recovery-resiliency.html

In the case of KMS, I think multi-region keys are a good measure against region failures.
https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

EXPERT
answered 7 months ago
AWS
EXPERT
reviewed 7 months ago
Hi,

In addition to multi-region keys suggested by Riku, you can also create keys based on imported material under your control. See https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html

So, you can re-use the same material in a different region after a failure to recreate the KMS keys.

Best,

Didier

AWS
EXPERT
answered 7 months ago
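
An inventory check for the two mitigations suggested in the answers above, as an added example that is not part of the original thread and not AWS's own code: it classifies keys by the `KeyManager`, `MultiRegion`, `MultiRegionConfiguration` and `Origin` fields of `aws kms describe-key` output. The sample records, key IDs, regions and status labels are constructed for illustration.

```python
import json

# Constructed sample: KeyMetadata objects shaped like `aws kms describe-key` output.
SAMPLE_KEYS = json.loads("""[
 {"KeyId": "mrk-1111", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "MultiRegion": true,
  "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY",
    "PrimaryKey": {"Region": "eu-west-1"},
    "ReplicaKeys": [{"Region": "eu-central-1"}]}},
 {"KeyId": "mrk-2222", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "MultiRegion": true,
  "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY",
    "PrimaryKey": {"Region": "eu-west-1"}, "ReplicaKeys": []}},
 {"KeyId": "3333", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL", "MultiRegion": false},
 {"KeyId": "4444", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "MultiRegion": false},
 {"KeyId": "5555", "KeyManager": "AWS", "Origin": "AWS_KMS", "MultiRegion": false}
]""")


def dr_status(meta):
    """Classify one KeyMetadata dict by its exposure to the loss of its home region."""
    if meta.get("KeyManager") == "AWS":
        return "aws-managed"  # AWS managed keys cannot be replicated or imported
    if meta.get("MultiRegion"):
        cfg = meta.get("MultiRegionConfiguration") or {}
        regions = {(cfg.get("PrimaryKey") or {}).get("Region")}
        regions |= {r.get("Region") for r in cfg.get("ReplicaKeys") or []}
        regions.discard(None)
        # A multi-Region key with no replica still lives in one region only.
        return "multi-region" if len(regions) > 1 else "multi-region-no-replica"
    if meta.get("Origin") == "EXTERNAL":
        # Recreatable elsewhere only while the imported material is still held outside AWS.
        return "imported-material"
    return "single-region"


def audit(keys):
    """Group key IDs by status."""
    report = {}
    for meta in keys:
        report.setdefault(dr_status(meta), []).append(meta["KeyId"])
    return report


def at_risk(keys):
    """Customer managed keys that exist in exactly one region with KMS-generated material."""
    risky = {"single-region", "multi-region-no-replica"}
    return [m["KeyId"] for m in keys if dr_status(m) in risky]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_KEYS), indent=2))
    print("at risk:", at_risk(SAMPLE_KEYS))
```

To run it against a real account, replace `SAMPLE_KEYS` with the `KeyMetadata` objects collected from `describe-key` for each key in each region.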