
How do I recover a deleted RDS database when the KMS key is deleted

05 May,2023 by Rambler

Question: I'm trying to restore an RDS backup from AWS Backup but the original customer-managed KMS key is no longer available. When I attempt the Restore I get the following message:

An error occurred (KMSKeyNotAccessibleFault) when calling the RestoreDBInstanceFromDBSnapshot operation: The specified KMS key [arn:aws:kms:xxxxxxxxxxxxxxxxxxxxxxx] does not exist, is not enabled or you do not have permissions to access it.

Answer: The error message is accurate. An encrypted snapshot can only be restored with the KMS key it was encrypted under, so if that key is gone the restore cannot occur. Before giving up, check the key's actual state rather than taking "no longer available" at face value: KMS never deletes a key immediately. ScheduleKeyDeletion puts the key into a waiting period of 7 to 30 days (KeyState PendingDeletion) during which the key still exists and aws kms cancel-key-deletion brings it back (it comes back Disabled, so follow with aws kms enable-key). A key that was only disabled can simply be re-enabled. Only once the waiting period has expired and the key material has been destroyed is the snapshot genuinely unrecoverable. There is more information in this AWS article: AWS KMS key management

A customer-managed key gives you full control, but that control includes the ability to destroy the only copy of the key material. KMS does not let you export or back up key material it generated (only imported, bring-your-own-key material can be retained outside AWS), so "backing up the key" in practice means three things: protect the key from deletion and disabling through its key policy, IAM and, in an organization, an SCP that denies kms:ScheduleKeyDeletion and kms:DisableKey; alert on those API calls in CloudTrail; and, before retiring a key, copy every snapshot that depends on it with aws rds copy-db-snapshot --kms-key-id and the replacement key, so the backups are re-encrypted under a key that will still exist. The keys need the same lifecycle management as the backups themselves, because a restore is only possible for as long as the key is.

A quote from the article linked above:

"If you turn off or revoke permissions to a KMS key used by an RDS database, RDS puts your database into a terminal state when access to the KMS key is required. This change could be immediate, or deferred, depending on the use case that required access to the KMS key. In this state, the DB instance is no longer available, and the current state of the database can't be recovered. To restore the DB instance, you must re-enable access to the KMS key for RDS, and then restore the DB instance from the latest available backup."

Beyond the restore failure you have hit, disabling or deleting the key that encrypts an RDS instance breaks other operations as well. For example, disabling the key and then trying to start a stopped instance:

    aws kms disable-key --key-id arn:aws:kms:us-west-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    aws rds start-db-instance --db-instance-identifier MyRDSInstance

    An error occurred (KMSKeyNotAccessibleFault) when calling the StartDBInstance operation: AWS KMS key 'arn:aws:kms:us-west-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is disabled
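As an added example (not code from the original post), the following POSIX shell script turns the checks above into something you can run before retrying a restore: it reads which key a snapshot was encrypted with (aws rds describe-db-snapshots), reads that key's KeyState (aws kms describe-key) and prints the remediation for each state, treating a key that no longer exists as the one unrecoverable case. It also wraps the copy-db-snapshot call that re-encrypts a snapshot under a replacement key before the old one is retired. The function names, the key ARN and the snapshot identifiers are my own placeholders; the KeyState values and the kms/rds subcommands are the real AWS CLI ones. The state-to-action mapping is a pure function so the decision logic can be exercised without AWS credentials.

```sh
#!/bin/sh
# Added example, not from the original post: decide what (if anything) makes
# an RDS snapshot restorable again, based on the state of the KMS key it was
# encrypted with. KeyState values and subcommands are real AWS CLI ones; every
# ARN and identifier below is a placeholder to replace.
set -eu

# Map a KMS KeyState to the command that restores access. Pure function
# (no AWS calls) so the decision logic can be checked offline.
#   $1 = KeyState as returned by `aws kms describe-key`
#   $2 = key id or ARN to substitute into the command
kms_restore_action() {
    case "$1" in
        Enabled)
            # Key is usable: the RDS error then points at the key policy,
            # the caller's IAM permissions or the grants RDS needs, not the key.
            echo "none: key is enabled; check the key policy, IAM permissions and grants for RDS" ;;
        Disabled)
            echo "aws kms enable-key --key-id $2" ;;
        PendingDeletion)
            # Cancelling deletion leaves the key Disabled, so re-enable it too.
            echo "aws kms cancel-key-deletion --key-id $2 && aws kms enable-key --key-id $2" ;;
        PendingImport)
            # Bring-your-own-key material is absent: recoverable only if you kept a copy.
            echo "re-import: aws kms import-key-material (needs the retained key material for $2)" ;;
        *)
            echo "manual: unexpected key state '$1' for $2" ;;
    esac
}

# Find the key a snapshot was encrypted with (prints None for an unencrypted one).
snapshot_kms_key() {
    aws rds describe-db-snapshots --db-snapshot-identifier "$1" \
        --query 'DBSnapshots[0].KmsKeyId' --output text
}

# Look up the real key state and print the remediation. Needs credentials
# with kms:DescribeKey. Once the deletion waiting period has expired the key
# no longer exists, describe-key fails, and nothing can decrypt the snapshot.
kms_restore_advice() {
    key="$1"
    if ! state=$(aws kms describe-key --key-id "$key" \
                   --query 'KeyMetadata.KeyState' --output text 2>/dev/null); then
        echo "deleted: $key no longer exists; snapshots encrypted with it cannot be restored"
        return 1
    fi
    kms_restore_action "$state" "$key"
}

# Prevention: before retiring a key, re-encrypt each snapshot that depends on
# it under the replacement key, so the backup survives the old key's deletion.
#   $1 = source snapshot id, $2 = target snapshot id, $3 = replacement key ARN
reencrypt_snapshot() {
    aws rds copy-db-snapshot \
        --source-db-snapshot-identifier "$1" \
        --target-db-snapshot-identifier "$2" \
        --kms-key-id "$3"
}

# Usage (placeholder): ./kms-restore-check.sh rds:mydb-2023-05-05-01-00
# Prints the key the snapshot depends on and what, if anything, restores access to it.
if [ $# -gt 0 ]; then
    key_arn=$(snapshot_kms_key "$1")
    echo "snapshot $1 is encrypted with: $key_arn"
    kms_restore_advice "$key_arn"
fi
```

Run it against the snapshot you are trying to restore, with credentials that can describe both the snapshot and the key. The advice for a key in PendingDeletion is the one worth acting on quickly: the waiting period is the only window in which the restore can still be made possible.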

 

Management of the keys is critical for resiliency: a backup encrypted under a key you can no longer use is not a backup.

 

Useful links to AWS articles

Logging KMS API Calls with AWS CloudTrail.

Securing data in Amazon RDS using AWS KMS encryption

Author: Rambler (http://www.dba-ninja.com)

