Tuesday, October 14, 2025

Copying KMS Snapshots (Across Multiple Regions) | Overview.

Copying KMS Snapshots (Across Multiple Regions) - Overview.

Scope:

  • Overview,
  • Detailed Flow,
  • Source Region Snapshot Encryption,
  • Snapshot Copying (CLI),
  • Cross-Region Re-Encryption Process (Behind the scenes),
  • Destination Region New Encrypted Snapshot,
  • CloudTrail Integration,
  • Architecture,
  • Key Considerations & Description,
  • Final thoughts.

 Overview

    • When twtech copies an encrypted Amazon EBS (Elastic Block Store) snapshot or RDS snapshot to another AWS Region, AWS uses KMS to manage encryption keys in both the source and destination Regions.
    • This copying process involves two key elements:
      • Source Region CMK (Customer Managed Key)
      • Destination Region CMK (Customer Managed Key in target Region)

 Detailed Flow

1. Source Region Snapshot Encryption

    • An EBS snapshot is encrypted using a CMK in the source Region (e.g., arn:aws:kms:us-east-2:accountID:key/twtechsource-key-id).
    • The encrypted snapshot is stored in Amazon S3 (internal to EBS), but inaccessible directly by users.

2. Snapshot Copying (CLI):

# bash
aws ec2 copy-snapshot \
  --source-region us-east-2 \
  --source-snapshot-id snap-1234567890abcdef0 \
  --destination-region us-west-1 \
  --kms-key-id arn:aws:kms:us-west-1:accountID:key/twtechdestination-key-id

twtech tell AWS to:

    • Copy the snapshot data across multiple Regions.
    • Re-encrypt the snapshot with a different KMS key in the destination Region.

3. Cross-Region Re-Encryption Process (Behind the scenes):

    1. EBS requests the plaintext snapshot data (temporarily decrypted using the source CMK).
2. The data is then re-encrypted using the destination Region’s CMK.
3. The re-encrypted snapshot is stored in the destination Region’s S3 storage.

NB:

  • AWS never exposes plaintext data to the user.
  • All encryption/decryption occurs within the AWS-controlled environment using KMS APIs.

4. Destination Region New Encrypted Snapshot

    • The resulting snapshot in the destination Region is now encrypted under a new KMS key.
    • This new key can be a Customer Managed Key (CMK) or an AWS Managed Key.

5. CloudTrail Integration

    •  Every KMS operation — including Decrypt, ReEncrypt, and GenerateDataKey — is logged in AWS CloudTrail.
    •  twtech can trace cross-region snapshot operations for compliance or auditing / Security Ferinsics.
Architecture

 Key Considerations & Description

Aspect

Description

Permissions

IAM role/user must have access to both CMKs (source and destination).

Multi-Region Keys

Optionally, twtech can use multi-Region KMS keys for simplified replication.

Compliance

Cross-region copies help meet data residency and DR requirements.

Performance

Copy operations can take time depending on snapshot size and network transfer.

Final thoughts:

    • When copying a KMS-encrypted snapshot across Regions, AWS decrypts data using the source CMK, then AWS re-encrypts with the destination CMK, and stores it in the target Region 
    • All these processes are done within AWS’s secure boundaries.



at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, What EventBridge  Really  Is (Deep...