KMS Resources
Arpio replicates the following KMS resource types: KMS Keys and KMS Aliases.
KMS Key
Arpio replicates customer-managed KMS Keys and their associated aliases to the recovery environment, so that policies and resources that reference the key continue to operate in the recovery environment with the same trust relationships they had in the primary environment.
Note: the key material itself is not replicated. The replica in the recovery environment is a distinct key with its own key material, so data encrypted with the key in the primary environment cannot be decrypted with the replica key. For resources that Arpio manages and that are encrypted with customer-managed keys (such as Secrets Manager Secrets), Arpio recreates them in the recovery environment using the replica key, which re-encrypts their contents under the new key material. Data that Arpio does not itself recreate stays bound to the primary key and cannot be read with the replica.
Selection
The following resources are automatically selected into recovery points when a KMS Key is selected:
- Resources and IAM roles that are referenced in the key's policy
- KMS Aliases that point to the key
Translation
The following attributes are translated during replication:
Attribute | Translation
--- | ---
Resource Policy | Arpio replicates the policy from the primary key to the recovery key. During a test or a failover, the statements from the primary key's policy are included and their principals and resource references are translated according to the policy document translation process.
KMS Alias
Arpio replicates AWS-managed and customer-managed KMS Aliases and their associated keys to the recovery environment.
Selection
The following resources are automatically selected into recovery points when a KMS Alias is selected:
- The KMS Key that the alias points to
Translation
The following attributes are translated during replication:
Attribute | Translation
--- | ---
KMS Key | Aliases in the recovery environment are updated to point to the mirror of the corresponding key in the recovery environment.
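As an added example (not Arpio's own code, and not a description of its internal implementation), the following Python shows the steps the KMS Key and KMS Alias sections describe: discovering the IAM roles and resources a key policy references so they can be selected into the recovery point, translating the policy's ARNs and regional service endpoints for the recovery account and region, and repointing an alias at the mirror key. The account IDs, regions, key IDs, the sample policy and the KEY_ID_MAP lookup are all constructed assumptions, and the ARN rewrite is a simplification of the policy document translation process the page refers to.

```python
# Added example, not Arpio's code: select the resources a KMS key policy
# references and translate the policy and an alias for the recovery
# environment. Account IDs, regions and key IDs are invented, and the ARN
# rewrite is a simplification of Arpio's policy document translation process.
import re

PRIMARY = {"account": "111111111111", "region": "us-east-1"}   # constructed
RECOVERY = {"account": "222222222222", "region": "us-west-2"}  # constructed

# Replica keys carry new key material and a new key ID, so translation needs
# a lookup from each primary key ID to its mirror (constructed values).
KEY_ID_MAP = {"1234abcd-12ab-34cd-56ef-1234567890ab": "ffffffff-0000-1111-2222-333333333333"}

SAMPLE_KEY_POLICY = {  # constructed primary-environment key policy
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAppRoleViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app-role"]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
    ],
}

# arn:aws:<service>:<region>:<account>:<resource>; region and account may be empty.
ARN_RE = re.compile(r"arn:aws:([a-z0-9-]+):([a-z0-9-]*):(\d{12})?:(.+)")

def _strings(node):
    """Yield every string value in a nested policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)

def select_referenced_resources(policy):
    """ARNs named in Principal/Resource fields: the IAM roles and resources
    that must travel with the key into the recovery point. The account root
    principal is the account itself, not a replicable resource, so skip it."""
    found = set()
    for stmt in policy["Statement"]:
        for field in ("Principal", "NotPrincipal", "Resource", "NotResource"):
            for s in _strings(stmt.get(field, [])):
                if s.startswith("arn:") and not s.endswith(":root"):
                    found.add(s)
    return found

def translate_arn(arn, primary=PRIMARY, recovery=RECOVERY, key_id_map=KEY_ID_MAP):
    """Rewrite one primary-environment ARN; unrecognised shapes pass through unchanged."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        return arn
    service, region, account, resource = m.groups()
    if region == primary["region"]:
        region = recovery["region"]
    if account == primary["account"]:
        account = recovery["account"]
    if service == "kms" and resource.startswith("key/"):
        key_id = resource[len("key/"):]
        if key_id not in key_id_map:  # a primary key ID would never resolve
            raise LookupError(f"no replica key for {key_id}")
        resource = "key/" + key_id_map[key_id]
    return f"arn:aws:{service}:{region}:{account or ''}:{resource}"

def translate_policy(policy, primary=PRIMARY, recovery=RECOVERY, key_id_map=KEY_ID_MAP):
    """Return a new policy rewritten for the recovery environment: ARNs are
    translated and regional endpoints in conditions such as kms:ViaService
    move to the recovery region. The input document is left untouched."""
    old_ep = f".{primary['region']}.amazonaws.com"
    new_ep = f".{recovery['region']}.amazonaws.com"
    def rewrite(node):
        if isinstance(node, str):
            if node.startswith("arn:"):
                return translate_arn(node, primary, recovery, key_id_map)
            return node.replace(old_ep, new_ep)
        if isinstance(node, list):
            return [rewrite(n) for n in node]
        if isinstance(node, dict):
            return {k: rewrite(v) for k, v in node.items()}
        return node
    return rewrite(policy)

def translate_alias(alias, key_id_map=KEY_ID_MAP):
    """Repoint an alias at the mirror of its key; an alias whose key has no
    replica cannot exist in the recovery environment, so fail loudly."""
    target = alias["TargetKeyId"]
    if target not in key_id_map:
        raise LookupError(f"{alias['AliasName']} targets unreplicated key {target}")
    return {"AliasName": alias["AliasName"], "TargetKeyId": key_id_map[target]}

if __name__ == "__main__":
    print(sorted(select_referenced_resources(SAMPLE_KEY_POLICY)))
    print(translate_policy(SAMPLE_KEY_POLICY))
    print(translate_alias({"AliasName": "alias/app-secrets",
                           "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}))
```

Two checks are deliberate: the account root principal is not treated as a selectable resource, and a key ARN or alias whose key has no replica raises instead of silently carrying a primary-environment key ID into the recovery policy, where it could never resolve.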