AWS KMS Key Mapping

AWS KMS key mapping allows users to map the respective encryption and decryption keys for protected EBS volumes. Cloud Rewind utilizes this mapped key to encrypt and decrypt EBS volume snapshots during replication from one region to another.

Cloud Rewind provides two options for KMS key mapping in your AWS account:

Automap by Key Name

When using this option for encryption key mapping, Cloud Rewind checks for the encryption KMS key in the recovery region with the same name as the source encryption key used for encrypting the EBS volumes in the primary region. If a key with the same name is found in the recovery region, that key is mapped for the recovery region encryption and decryption. If not found, Cloud Rewind automatically maps the default key for encryption and decryption in the recovery region.

To configure Automap by Key Name for your AWS Cloud Connection, follow the steps below,

  • Click on the primary AWS Cloud Connection.
  • Choose "ACTIONS" and select "Map KMS Keys."
  • Choose "Automap by Key Name" and save the configuration.

Custom Mapping

With the custom mapping option, users have the flexibility to manually specify the encryption and decryption keys for EBS volumes in the recovery region.

To configure custom mapping for your AWS Cloud Connection, follow the steps below,

  • Click on the primary AWS Cloud Connection.
  • Choose "ACTIONS" and select "Map KMS Keys."
  • Choose "Custom mapping".
  • In the encryption key mapping tab choose each key and map the equivalent other region key.
  • Save the configuration.

Note

  • For cross-account replication, it is mandatory to share the Encryption KMS key from the primary AWS account to the Recovery AWS account. To share the KMS key, 1. Login to your primary AWS account. 2. Open the KMS dashboard and select the KMS key which is used for encrypting the EBS volume. 3. Share it by entering the recovery AWS account ID

  • Cross region replication can't be done if the EBS volume is encrypted using the default AWS encryption key.

Loading...