Support for AWS KMS CMK per cluster (instead of on a project level)
Hi Team,
Currently, we have KMS CMK configuration available on the project level.
We are hoping to see if that can be changed on cluster level.
Reason: Once we update the key, all the clusters will get re-encrypted with new key, but snapshots will not be re-encrypted with the new key.
For any reason, if we need to restore snapshot of one particular cluster, we will need to update KMS key with the old one, which impacts all clusters to get re-encrypted and then only can restore.
Hence we believe cluster level KMS setting would be beneficial in such a scenario where we wouldn't be impacting all clusters in a project.
Please feel free to reach out if you have any additional questions.
Thank you.
--Regards,
Srikanth Paruchuri.

-
Guido commented
This would still be extremely helpful; managing one project per encryption key makes us need to duplicate all user access permissions across all projects just because we need different keys for different clusters but all around the same business use-case.
It really makes no sense at all to have this limitation. A project should be able to hold multiple encryption at rest configurations and a cluster should be able to be configured to use one of them, and that's it.
-
During the restore process, we have the metadata of which CMK was used during the time the backup was taken. So even if the CMK used is not the active one, as long as the IAM User you have provided still has access to the key, i.e. you haven't deleted the key from KMS, we will be able to restore the snapshot.