If an Irish EBS volume is snapshotted, an AMI is created and encrypted with MyIrishEBSCMK, and the AMI is then copied to Virginia and encrypted with MyVirginiaEBSCMK, who encrypts the data in transit, and with what key?
I believe this is the process to do that:
Andy, thanks for the pointer to this very informative blog. Perhaps I'm still missing something, as it still seems like the copy has to be "in the clear, or at least with a key that is not a customer CMK". Under the section Deploying the Solution, Step 3 (Share your encrypted snapshots with target account) and Step 4 (Copy snapshots to target region and re-encrypt... using target region CMK), the "re-encrypt" implies that the copy has to be done in the clear, or that there is no end-to-end custom CMK encryption in a cross-region copy, since keys can't leave the region.
You are correct. The cross-region copy has to be done with an unencrypted image file. However, it's not done in the clear: it's copied via SSH or HTTPS (depending on how you do it), so it's still encrypted. This is also how cross-region replication of S3 buckets with SSE-KMS is done; the files are decrypted, copied to another region, and then re-encrypted at the destination.
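For anyone wanting to reproduce the Step 4 copy from the command line, here is an added example (my own script, not from the thread or the blog post it refers to) that copies an encrypted snapshot from eu-west-1 to us-east-1 and asks EC2 to encrypt the copy under a CMK in us-east-1, then reads back which key the copy ended up with. Region names, the account ID, the snapshot ID and the key IDs are placeholders. The script insists on a full KMS key ARN for the destination key (the CLI would also accept an alias such as MyVirginiaEBSCMK) so it can check, before calling AWS, that the key really lives in the destination region; a CMK can only be used by KMS in its own region, which is why the source key cannot simply follow the data to Virginia. By default the script only prints the aws commands; set AWS_RUN=1 to execute them.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. All identifiers below are
# placeholders; set AWS_RUN=1 to execute the aws CLI calls instead of printing.
set -eu

# Print the command in dry mode, run it when AWS_RUN=1.
run() {
    if [ "${AWS_RUN:-0}" = 1 ]; then
        "$@"
    else
        printf '(dry-run) %s\n' "$*"
    fi
}

# Region field of a KMS key ARN: arn:aws:kms:<region>:<account>:key/<id>
kms_arn_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# The key used for the destination copy must be a CMK in the destination
# region. Returns 0 when it is, 1 otherwise (and says why on stderr).
check_dest_key() {
    dest_region=$1
    key_arn=$2
    case "$key_arn" in
        arn:aws:kms:*:*:key/*) ;;
        *) echo "expected a KMS key ARN, got: $key_arn" >&2; return 1 ;;
    esac
    if [ "$(kms_arn_region "$key_arn")" != "$dest_region" ]; then
        echo "CMK $key_arn is not in destination region $dest_region" >&2
        return 1
    fi
    return 0
}

# Copy a snapshot across regions. --encrypted together with --kms-key-id makes
# EC2 encrypt the copy with the given destination-region CMK; the source
# snapshot keeps its own key in the source region. Prints the new snapshot ID
# when executed for real.
copy_snapshot_reencrypt() {
    src_region=$1; src_snapshot=$2; dest_region=$3; dest_key_arn=$4
    check_dest_key "$dest_region" "$dest_key_arn" || return 1
    run aws ec2 copy-snapshot \
        --region "$dest_region" \
        --source-region "$src_region" \
        --source-snapshot-id "$src_snapshot" \
        --encrypted \
        --kms-key-id "$dest_key_arn" \
        --description "copy of $src_snapshot re-encrypted in $dest_region" \
        --query SnapshotId --output text
}

# Check which key a snapshot is actually encrypted with: prints
# "True <KmsKeyId ARN>" for an encrypted snapshot.
verify_snapshot_key() {
    region=$1; snapshot=$2
    run aws ec2 describe-snapshots \
        --region "$region" \
        --snapshot-ids "$snapshot" \
        --query 'Snapshots[0].[Encrypted,KmsKeyId]' --output text
}

# Placeholder values (constructed for this example).
SRC_REGION=eu-west-1
SRC_SNAPSHOT=snap-0123456789abcdef0
DEST_REGION=us-east-1
DEST_KEY_ARN=arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111

NEW_SNAPSHOT=$(copy_snapshot_reencrypt "$SRC_REGION" "$SRC_SNAPSHOT" "$DEST_REGION" "$DEST_KEY_ARN")
echo "copy result: $NEW_SNAPSHOT"
# In a real run NEW_SNAPSHOT holds the new snap-... ID; in dry mode it holds
# the printed command, so only verify when the call was actually made.
if [ "${AWS_RUN:-0}" = 1 ]; then
    verify_snapshot_key "$DEST_REGION" "$NEW_SNAPSHOT"
fi
```

If `check_dest_key` is skipped and an Irish key ARN is passed as `--kms-key-id` for a copy into us-east-1, the copy request is rejected by the service; doing the region check locally gives a clearer error and catches the mistake when the script is reviewed rather than when it runs.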