Scenario
When an EBS snapshot encrypted with KMS is copied from one AWS Region to another, the copy must be re-encrypted under a KMS key in the destination Region, because KMS keys are region-specific.
Example Workflow
Source Region (eu-west-2)
- EBS volume is encrypted with KMS Key A.
- Snapshot is also encrypted with KMS Key A.
Destination Region (ap-southeast-2)
- Snapshot is copied using KMS ReEncrypt.
- Data is encrypted with a new KMS Key B in the destination region.
- Copied snapshot and any volumes created from it are encrypted with KMS Key B.
Key Points
- KMS keys are bound to their region; they cannot be used directly across regions.
- Cross-region copies require re-encryption with a destination-region KMS key.
- You must specify or create the target KMS key in the destination region before copying.
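A pre-flight check for the copy described above, as an added example that is not part of the original page: it confirms that the target key's ARN belongs to the destination Region before building the boto3 copy_snapshot request. The function names are hypothetical, and the account ID, key IDs and snapshot ID are constructed placeholders.

```python
import re

# KMS key or alias ARN: arn:<partition>:kms:<region>:<account>:key/<id> or :alias/<name>
KMS_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z0-9-]+):\d{12}:(key|alias)/.+$"
)


def kms_arn_region(key_arn):
    """Return the Region embedded in a KMS key/alias ARN, or raise ValueError."""
    m = KMS_ARN.match(key_arn)
    if not m:
        # Bare key IDs and alias names carry no Region, so they cannot be checked.
        raise ValueError(f"not a full KMS ARN: {key_arn!r}")
    return m.group("region")


def build_copy_request(source_region, snapshot_id, dest_region, dest_key_arn):
    """Validate inputs and return keyword arguments for EC2 CopySnapshot."""
    if not re.fullmatch(r"snap-[0-9a-f]{8,17}", snapshot_id):
        raise ValueError(f"unexpected snapshot id: {snapshot_id!r}")
    key_region = kms_arn_region(dest_key_arn)
    if key_region != dest_region:
        raise ValueError(
            f"KMS key is in {key_region}, but the copy targets {dest_region}"
        )
    return {
        "SourceRegion": source_region,
        "SourceSnapshotId": snapshot_id,
        "Encrypted": True,
        "KmsKeyId": dest_key_arn,  # Key B: must live in the destination Region
        "Description": f"Copy of {snapshot_id} from {source_region}",
    }


def copy_snapshot(source_region, snapshot_id, dest_region, dest_key_arn):
    """Run the copy. CopySnapshot is called on the destination Region's endpoint."""
    import boto3  # imported here so the checks above work without AWS access
    ec2 = boto3.client("ec2", region_name=dest_region)
    req = build_copy_request(source_region, snapshot_id, dest_region, dest_key_arn)
    return ec2.copy_snapshot(**req)["SnapshotId"]


# Constructed sample values (account ID, key IDs and snapshot ID are placeholders).
KEY_A = "arn:aws:kms:eu-west-2:111122223333:key/11111111-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
KEY_B = "arn:aws:kms:ap-southeast-2:111122223333:key/22222222-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
SNAPSHOT = "snap-0123456789abcdef0"
```

Passing Key A as the target for ap-southeast-2 raises ValueError before any API call is made; only copy_snapshot needs boto3 and AWS credentials.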