KMS now supports Multi-Region Keys. But the "Using KMS With EBS" session's exam tips say we can’t copy KMS keys to another region. Could you please check and clarify? Thank you
You can only create a multi-Region primary key as a customer managed key. After creation, a multi-Region customer managed key can be replicated to selected regions. But AWS managed keys cannot be copied or replicated to other regions yet.
Note – customer managed keys created with the multi-Region regionality option cannot be used to encrypt EBS volumes!
I wonder if that has to do with some ARN binding at the EBS level. Although the Key ID remains unchanged across multiple regions, replica keys do have different ARNs, which may be temporarily impeding the interoperability in EBS. If it is so, it should not take long for the EBS team to introduce an auxiliary binding relying on the Key ID and metadata of the multi-Region keys.