Home › Forums › AWS › AWS Certified Security – Specialty › Data Protection KMS Clarification › Reply To: Data Protection KMS Clarification
-
Hi Jar-B,
Thanks for posting your question.
If the CMK cannot be restored or you don’t have access to restore it, you can create a new CMK. Take note that the new CMK will have a different key ID and won’t be able to directly decrypt the data encrypted with the previous CMK.
In this case, you will need to create a new unencrypted EBS volume and attach it to an EC2 instance. Then copy the data from the encrypted volume to the new unencrypted volume.
- Use tools like “dd” or file-level copying utilities (e.g., rsync) to copy the data from the encrypted volume to the unencrypted volume.
- Once the data transfer is complete, you can detach and delete the encrypted EBS volume.
According to AWS docs, “When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.”
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Gerome @ Tutorials Dojo