Certified Security - Specialty


Since CMK keys are scoped to region, how does a cross region encrypted AMI copy work?

If Irish EBS volume is snapped, AMI created and encrypted w/ MyIrishEBSCMK, then copied to Virginia and encrypted w/ MyVirginiaEBSCMK, who encrypts the data in transit and with what key?

1 Answer

Maureen Chew

Andy, thanks for the pointer to this very informative blog. Perhaps I’m still missing something, as it still seems like the copy has to be "in the clear or at least with a key that is not a customer CMK". Under the section Deploying the Solution, Step 3 (Share your encrypted snapshots w/ target acct) and Step 4 (Copy snapshots to target region and reencrypt… using target region CMK), the "reencrypt" implies that the copy has to be done in the clear, or that there is no end-to-end custom CMK encryption in a cross-region copy, since keys can’t leave the region.

CJ Thrasher

You are correct. The cross-region copy has to be with an unencrypted image file. However, it’s not done in the clear; it’s copied via SSH or HTTPS (depending on how you do it), so it’s still encrypted. This is also how cross-region replication of S3 buckets with SSE-KMS is done: the files are unencrypted, copied to another region, and then re-encrypted at the destination.
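The copy-and-re-encrypt step the thread refers to (Step 4: copy the snapshot to the target region and re-encrypt it with the target region's CMK), written out as an added example that is not from the thread or the blog it cites. It assumes Ireland (eu-west-1) as the source and N. Virginia (us-east-1) as the destination; the snapshot ID, account ID and key ARN are placeholders. The destination region is selected with `--region`, and the key passed to `--kms-key-id` must live in that region, so the script checks the key's region before issuing the copy and then confirms that the resulting snapshot is encrypted under the expected key.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Copies an EBS snapshot from
# eu-west-1 to us-east-1, re-encrypting it with a KMS key that lives in
# us-east-1, then verifies the result. IDs and ARNs below are placeholders.
set -eu

SOURCE_REGION="eu-west-1"                    # Ireland
DEST_REGION="us-east-1"                      # N. Virginia
SOURCE_SNAPSHOT="snap-0123456789abcdef0"     # placeholder snapshot ID
DEST_KEY_ARN="arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # placeholder key in the destination region

# Build the copy command. --region picks the destination; --encrypted plus
# --kms-key-id makes the copy re-encrypt under the destination-region key.
build_copy_cmd() {
  src_region="$1"; src_snap="$2"; dest_region="$3"; dest_key="$4"
  printf 'aws ec2 copy-snapshot --region %s --source-region %s --source-snapshot-id %s --encrypted --kms-key-id %s --description %s' \
    "$dest_region" "$src_region" "$src_snap" "$dest_key" \
    "'copied from $src_region, re-encrypted in $dest_region'"
}

# KMS keys are region-scoped: refuse a key ARN whose region field (4th
# colon-separated field) is not the destination region.
key_region_matches() {
  key_arn="$1"; region="$2"
  [ "$(printf '%s' "$key_arn" | cut -d: -f4)" = "$region" ]
}

# Check describe-snapshots JSON (passed in as a string) for Encrypted=true
# and the expected KmsKeyId. Simple grep on the CLI's default JSON layout.
verify_copy() {
  describe_json="$1"; expected_key="$2"
  printf '%s' "$describe_json" | grep -q '"Encrypted": true' || return 1
  printf '%s' "$describe_json" | grep -q "\"KmsKeyId\": \"$expected_key\"" || return 1
}

main() {
  key_region_matches "$DEST_KEY_ARN" "$DEST_REGION" \
    || { echo "refusing: key is not in $DEST_REGION" >&2; exit 1; }
  cmd=$(build_copy_cmd "$SOURCE_REGION" "$SOURCE_SNAPSHOT" "$DEST_REGION" "$DEST_KEY_ARN")
  echo "Running: $cmd"
  new_snap=$(eval "$cmd" --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$DEST_REGION" --snapshot-ids "$new_snap"
  verify_copy "$(aws ec2 describe-snapshots --region "$DEST_REGION" --snapshot-ids "$new_snap" --output json)" "$DEST_KEY_ARN" \
    && echo "OK: $new_snap is encrypted with $DEST_KEY_ARN"
}

# Only talk to AWS when invoked as: ./copy-reencrypt.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The same pattern applies to an AMI with `aws ec2 copy-image --source-region ... --source-image-id ... --encrypted --kms-key-id ...`, again run with `--region` set to the destination. The `verify_copy` check uses `grep` on the CLI's default JSON output; with `jq` available, `.Snapshots[0].KmsKeyId` is the more robust way to read the key.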
