05 May,2023 by Rambler
Question: I'm trying to restore an RDS backup from AWS Backup but the original customer managed KMS key is no longer available. When I attempt the Restore I get the following message:
An error occurred (KMSKeyNotAccessibleFault) when calling the RestoreDBInstanceFromDBSnapshot operation: The specified KMS key [arn:aws:kms:xxxxxxxxxxxxxxxxxxxxxxx] does not exist, is not enabled or you do not have permissions to access it.
Answer: That error message makes sense, as the KMS key is no longer available; therefore the Restore cannot occur. There is more information in this AWS article: AWS KMS key management
When using a customer managed key there is the benefit of full control, but part of the process must include a backup or copy of the KMS keys. These keys require management to support Restores.
A quote from the article linked above
In addition to the error message you've supplied above, there are also other scenarios and consequences of disabling/deleting the original key used to encrypt the RDS.
For example:
aws kms disable-key --key-id arn:aws:kms:us-west-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws rds start-db-instance --db-instance-identifier MyRDSInstance
An error occurred (KMSKeyNotAccessibleFault) when calling the StartDBInstance operation: AWS KMS key 'arn:aws:kms:us-west-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is disabled
Management of the keys is critical for resiliency.
Useful links to AWS articles
Logging KMS API Calls with AWS CloudTrail.
Securing data in Amazon RDS using AWS KMS encryption
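The two failure modes above (a key that was deleted, and a key that was merely disabled) can be checked for before a restore is attempted, and the key-disabling API calls can be spotted in the CloudTrail records the first link covers. The script below is an added example, not code from the original post or from AWS; it works on constructed dicts shaped like the relevant fields of rds.describe_db_snapshots() and kms.describe_key() and on constructed CloudTrail-style records with placeholder ARNs, so it runs offline.

```python
"""Offline pre-restore check for the failure described above: an encrypted RDS
snapshot whose customer managed KMS key is missing, disabled or pending deletion.
Inputs are constructed dicts shaped like fields of rds.describe_db_snapshots() and
kms.describe_key(); no AWS calls are made."""
RISKY_KMS_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}
KEY_A = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-A"  # placeholder ARNs
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-B"
KEY_C = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-C"
# Constructed sample snapshots; key C no longer exists, as in the question.
SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-nightly", "Encrypted": True, "KmsKeyId": KEY_A},
    {"DBSnapshotIdentifier": "prod-weekly", "Encrypted": True, "KmsKeyId": KEY_B},
    {"DBSnapshotIdentifier": "prod-old", "Encrypted": True, "KmsKeyId": KEY_C},
    {"DBSnapshotIdentifier": "dev-adhoc", "Encrypted": False},
]
KEYS = {KEY_A: {"KeyState": "Enabled"}, KEY_B: {"KeyState": "PendingDeletion"}}
# Constructed CloudTrail-style records like those the linked KMS logging article covers.
EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "requestParameters": {"keyId": KEY_A}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"keyId": KEY_B}},
]

def restore_readiness(snapshot, keys):
    """Return 'ok' or why RestoreDBInstanceFromDBSnapshot would fail for this snapshot."""
    if not snapshot.get("Encrypted"):
        return "ok"                       # unencrypted: no KMS dependency
    meta = keys.get(snapshot["KmsKeyId"])
    if meta is None:
        return "key-missing"              # deleted key: the case in the question
    if meta["KeyState"] == "Enabled":
        return "ok"
    return "key-" + meta["KeyState"].lower()   # key-disabled, key-pendingdeletion, ...

def snapshots_hit_by(events, snapshots):
    """Map each DisableKey/ScheduleKeyDeletion record to the snapshots depending on that
    key. Matching is by full ARN; aliases or bare key IDs in keyId are not resolved."""
    hits = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev["eventName"] not in RISKY_KMS_EVENTS:
            continue
        key = ev["requestParameters"]["keyId"]
        dependents = [s["DBSnapshotIdentifier"] for s in snapshots if s.get("KmsKeyId") == key]
        if dependents:
            hits[(ev["eventName"], key)] = dependents
    return hits
```

Running restore_readiness over every snapshot in a backup vault before a key is disabled or scheduled for deletion gives the list of restores that would start failing with KMSKeyNotAccessibleFault.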