Configure AWS custom encryption keys

Cloud Snapshot Manager supports copying snapshots to another region (cross-region copy) and to another account (the DR account). Both unencrypted and encrypted snapshots can be copied to a remote account. Whether a copied snapshot is unencrypted or encrypted depends on the encryption state of the original snapshot and on the encryption key configured for the target region in the DR account.

About this task

By default, if the original snapshot is encrypted, its cross-region copy is encrypted with the AWS default (AWS-managed) encryption key of the target region.

Cloud Snapshot Manager provides the option to encrypt cross-region snapshot copies with a custom encryption key instead. For information about AWS custom encryption keys, see AWS Key Management Service and AWS Key Overview. You configure the customer-defined key (an AWS Customer Master Key, CMK, now called a customer managed KMS key) per region in Cloud Snapshot Manager.

When a snapshot is copied from the source region to the target region, AWS decrypts the source snapshot data with the source region key and re-encrypts it with the key configured for the target region; the source key must therefore still be usable at copy time. The re-encrypted snapshot data is stored in Amazon S3 in the target region. Because the copy is encrypted with the target region key, only that key is needed to create a volume or launch an instance from the copy in the target region.

The list of region-specific encryption key aliases is shown in the Cloud Snapshot Manager portal only if kms:ListAliases is included in the IAM policy attached to the IAM role or user that Cloud Snapshot Manager uses. For the JSON format of the permission, see AWS minimum permission policy.

You can also encrypt snapshots that are copied to the DR account. Snapshots encrypted with the default AWS-managed key (aws/ebs) cannot be shared with another account and therefore cannot be copied to the DR account. You can only copy snapshots that are either unencrypted or encrypted with a customer-managed key. To copy encrypted snapshots to the DR account successfully, the customer-managed key that encrypts them must also be shared with the DR account through its key policy. For the encryption scenarios that are possible during cross-account copying of snapshots, see Encryption status of cross-account snapshot copies.

Currently, custom encryption key support applies only to AWS snapshot copies. Also ensure that the configured keys are enabled in AWS and that their key policies grant access to the configured cloud account.

For cross-account restore operations, whether in the same region or cross-region, to succeed, the key used to encrypt the snapshot must be shared with the cloud account in which the restore takes place.

NOTE: If an encryption key that Cloud Snapshot Manager has used for a snapshot copy or volume restore is deleted from the AWS account (KMS keys are first scheduled for deletion and become unusable immediately; a disabled key is unusable in the same way), subsequent copy and restore operations that depend on that key fail because the key is no longer available.
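As an added example (not Cloud Snapshot Manager code and not taken from this documentation), the following Python turns the preconditions stated above into preflight checks: the key must be customer-managed and enabled, its key policy must grant the DR account the actions needed to copy and later use the snapshot, and the IAM policy of the Cloud Snapshot Manager role must include kms:ListAliases for the alias drop-down to populate. The checks run over the JSON returned by aws kms describe-key, aws kms get-key-policy --policy-name default and aws iam get-policy-version. The account IDs, key ID, ARNs, the sample responses and the function names (copy_blockers, missing_key_policy_actions, iam_grants_list_aliases) are constructed placeholders and assumptions for this example.

```python
"""Preflight checks for Cloud Snapshot Manager encrypted snapshot copies.

Added example, not Cloud Snapshot Manager code. All account IDs, key IDs and
ARNs are constructed placeholders; the sample documents mimic the shape of
`aws kms describe-key`, `aws kms get-key-policy` and IAM policy output.
"""
import fnmatch

SOURCE_ACCOUNT = "111111111111"  # constructed: account that owns the key
DR_ACCOUNT = "222222222222"      # constructed: DR account receiving copies
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed key ID

# Constructed sample of `aws kms describe-key --key-id <KEY_ID>` output.
DESCRIBE_KEY = {
    "KeyMetadata": {
        "AWSAccountId": SOURCE_ACCOUNT,
        "KeyId": KEY_ID,
        "Arn": f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/{KEY_ID}",
        "Enabled": True,
        "KeyState": "Enabled",     # "Disabled" / "PendingDeletion" also occur
        "KeyManager": "CUSTOMER",  # "AWS" for the default aws/ebs key
    }
}

# Constructed key policy in the shape the KMS console generates when a key is
# shared with another account: the DR account root gets use of the key plus
# the grant operations EBS needs to attach volumes encrypted with it.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{DR_ACCOUNT}:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{DR_ACCOUNT}:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*"},
    ],
}

# Constructed IAM policy document for the Cloud Snapshot Manager role. The EC2
# statement stands in for the rest of the product's minimum permission policy.
CSM_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CopySnapshot", "ec2:DescribeSnapshots"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kms:ListAliases", "kms:DescribeKey"]},
    ],
}

# Actions the DR account needs on the source key to copy an encrypted
# snapshot and later create volumes from the copy.
REQUIRED_CROSS_ACCOUNT_ACTIONS = ("kms:DescribeKey", "kms:Decrypt",
                                  "kms:ReEncryptFrom", "kms:CreateGrant")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(statement, action):
    """True if an Allow statement's Action patterns cover `action`.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _principals(statement):
    """Flatten a key policy Principal into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def missing_key_policy_actions(key_policy, account_id,
                               actions=REQUIRED_CROSS_ACCOUNT_ACTIONS):
    """Return the required actions that the key policy does not grant."""
    # An account may be named by its root ARN or by the bare account ID.
    names = {f"arn:aws:iam::{account_id}:root", account_id, "*"}
    return [action for action in actions
            if not any(_allows(st, action) and names & set(_principals(st))
                       for st in key_policy["Statement"])]


def copy_blockers(describe_key, key_policy, dr_account):
    """Reasons a copy to dr_account would fail; [] means preflight passed."""
    meta = describe_key["KeyMetadata"]
    reasons = []
    if meta.get("KeyManager") != "CUSTOMER":
        reasons.append("AWS-managed key: cannot be shared with another account")
    if meta.get("KeyState") != "Enabled":
        reasons.append(f"key state is {meta.get('KeyState')}, not Enabled")
    missing = missing_key_policy_actions(key_policy, dr_account)
    if missing:
        reasons.append(f"key policy does not grant {dr_account}: "
                       + ", ".join(missing))
    return reasons


def iam_grants_list_aliases(policy_document):
    """True if the role policy lets the portal list KMS key aliases."""
    return any(_allows(st, "kms:ListAliases")
               for st in policy_document["Statement"])


if __name__ == "__main__":
    print("blockers:", copy_blockers(DESCRIBE_KEY, KEY_POLICY, DR_ACCOUNT))
    # The failure mode from the NOTE: key scheduled for deletion.
    pending = {"KeyMetadata": dict(DESCRIBE_KEY["KeyMetadata"],
                                   KeyState="PendingDeletion")}
    print("after scheduling deletion:",
          copy_blockers(pending, KEY_POLICY, DR_ACCOUNT))
    print("alias drop-down available:", iam_grants_list_aliases(CSM_IAM_POLICY))
```

Feed the script real output from aws kms describe-key and aws kms get-key-policy --policy-name default --output text for each source-region key before configuring it in the portal. The checks cover the key policy only: for a cross-account copy or restore to work, an IAM policy in the DR account must also allow its principal the same KMS actions on that key, since KMS requires both the key policy and the caller's IAM policy to permit the call.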

Steps

  1. In the Cloud Accounts page, click Encryption Keys next to the AWS cloud account for which you want to use a custom encryption key for cross-region snapshot copies.
  2. In the Configure Encryption Keys page, select a region, and then select a key from the drop-down list provided. You can select multiple regions and select a key for each region.
  3. Click Save.

Results

Encryption keys are configured for the specified regions. You can later update or remove the encryption key configuration for any region; to remove the setting for a region, clear the corresponding region check box.