Resolving KMS Key Error in Backup Replication for Encrypted RDS Volumes Across Regions
Let’s assume you want to enable backup replication in another region for your encrypted RDS instance. You’ve created the correct key in KMS with the appropriate regional settings, set up the correct permissions, and confirmed that the key is enabled.
After double-checking everything, all seems fine. You then navigate to the Maintenance & Backups section, click Modify, scroll down to Backup replication, and check the box to enable it. When prompted to provide an AWS KMS key, you open the dropdown but don’t see your newly created key. This seems odd, so you decide to copy the key’s ARN from the General configuration section above and paste it in.
Even though the pasted ARN is correct, you’re surprised by an unexpected error message when attempting to modify the DB instance:
We’re sorry, your request to modify DB instance has failed. The target KMS key does not exist, is not enabled or you do not have permissions to access it.
You know that the key exists, is enabled, and you have the necessary permissions. So, what’s the problem? The biggest issue here is the misleading error message 🙃. When I first saw it, I started searching for possible missing policy configurations, but nothing seemed to work.
Feeling hopeless, I turned to ChatGPT, which highlighted a non-obvious step I had missed.
It even generated an example policy to help me double-check for any mistakes. Amazon Q, which is supposed to assist with AWS products, didn’t provide any help.
So, what’s the solution? Create a replica of the key in the region where the backups will be stored, i.e. the destination region of the replication.
Once this is done, you should be able to modify the DB instance. You’ll also start seeing the ARN of the key in the dropdown mentioned above — a good sign that the operation was successful — and once you’ve modified the instance, you’ll see the chosen region in the Backup section.
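The underlying rule is that the key you hand to backup replication must live in the destination region, so a perfectly valid key in the source region looks like it "does not exist" from there. As an added example (not from the original post), here is a small shell preflight that catches that mismatch before you click Modify, plus the AWS CLI calls that perform the fix; the region names, account id and key ids are constructed placeholders, and the `aws` calls are kept in a function that is not invoked by default.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Account id, key ids and regions
# below are constructed placeholders.
set -u

# Region field of a KMS key ARN: arn:aws:kms:<region>:<account>:key/<id>
kms_key_region() {
  printf '%s' "$1" | cut -d: -f4
}

# Key id part of the ARN; multi-region keys and their replicas carry the mrk- prefix.
kms_key_id() {
  printf '%s' "$1" | sed 's#.*:key/##'
}

# Returns 0 only when the key lives in the destination region. On a mismatch it
# tells you whether replicate-key will help (multi-region key) or whether a key
# must be created in the destination region outright (single-region key).
check_replication_key() {
  dest_region="$1"; key_arn="$2"
  region=$(kms_key_region "$key_arn")
  key_id=$(kms_key_id "$key_arn")
  if [ "$region" = "$dest_region" ]; then
    return 0
  fi
  case "$key_id" in
    mrk-*) echo "key is in $region, backups go to $dest_region: replicate it there first" >&2 ;;
    *)     echo "single-region key in $region: create a key in $dest_region instead" >&2 ;;
  esac
  return 1
}

# The fix from the post as CLI calls (define only; run deliberately with real ARNs).
# replicate-key is issued in the primary key's region; the RDS call in the destination.
replicate_and_enable() {
  src_region="$1"; dest_region="$2"; primary_key_arn="$3"; db_instance_arn="$4"
  replica_arn=$(aws kms replicate-key --region "$src_region" \
    --key-id "$primary_key_arn" --replica-region "$dest_region" \
    --query 'ReplicaKeyMetadata.Arn' --output text) || return 1
  check_replication_key "$dest_region" "$replica_arn" || return 1
  # Point backup replication at the replica's ARN, never the primary's.
  aws rds start-db-instance-automated-backups-replication --region "$dest_region" \
    --source-db-instance-arn "$db_instance_arn" --kms-key-id "$replica_arn"
}
```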
Unfortunately, the UX of AWS occasionally leaves a lot to be desired (race conditions, incorrect error messages, etc.), and the robust documentation often provides a lot of information, except what you currently need. Therefore, sharing such knowledge feels like a duty, as these seemingly minor bugs can lead to a lot of frustration. Let me know if this helped!