Hello.
Have you disabled the KMS key used for RDS Aurora encryption?
As stated in the documentation below, if the status is "inaccessible-encryption-credentials" you will need to restore from a backup.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html#Overview.Encryption.Enabling
Amazon Aurora can lose access to the KMS key for a DB cluster when you disable the KMS key. In these cases, the encrypted DB cluster shortly goes into inaccessible-encryption-credentials-recoverable state. The DB cluster remains in this state for seven days, during which the instance is stopped. API calls made to the DB cluster during this time might not succeed. To recover the DB cluster, enable the KMS key and restart this DB cluster. Enable the KMS key from the AWS Management Console. Restart the DB cluster using the AWS CLI command start-db-cluster or AWS Management Console.
If the DB cluster isn't recovered within seven days, it goes into the terminal inaccessible-encryption-credentials state. In this state, the DB cluster is not usable anymore and you can only restore the DB cluster from a backup. We strongly recommend that you always turn on backups for encrypted DB clusters to guard against the loss of encrypted data in your databases.
During the creation of a DB cluster, Aurora checks if the calling principal has access to the KMS key and generates a grant from the KMS key that it uses for the entire lifetime of the DB cluster. Revoking the calling principal's access to the KMS key does not affect a running database. When using KMS keys in cross-account scenarios, such as copying a snapshot to another account, the KMS key needs to be shared with the other account. If you create a DB cluster from the snapshot without specifying a different KMS key, the new cluster uses the KMS key from the source account. Revoking access to the key after you create the DB cluster does not affect the cluster. However, disabling the key impacts all DB clusters encrypted with that key. To prevent this, specify a different key during the snapshot copy operation.
Thank you again for your quick response.
I’ve confirmed that the KMS key used for RDS Aurora encryption is still enabled, so I don’t believe that is the issue. However, when I attempted to modify the DB instance, I received the following error:
We're sorry, your request to modify DB instance arn:aws:rds:eu-west-2:612898656523:db has failed. The specified database instance is currently in inaccessible-encryption-credentials state, which is a terminal state.
Given this error, do you think an expired certificate might be the cause of the "Inaccessible-encryption-credentials" status? If so, would updating the certificate resolve the issue, and could you provide guidance on how to proceed with that?
Additionally, I’d like to ensure that restoring from the backup I found under the Backup Service tab is a safe and reliable option, with no risk of data loss. I would greatly appreciate a step-by-step guide if possible.
Thank you once again for your assistance, and I look forward to your advice.
Best regards,
Thank you for your help, I really appreciate it.
I'll go ahead and try restoring from the backup. I understand it will create a new instance, and I'll need to update my application accordingly. If I run into any issues, I'll let you know.
I attempted to restore the backup following your guidance and using the same configuration as the original instance. However, I observed that there is a writer instance but no reader instance. Is this expected behavior?
Additionally, I have a question regarding the multi-zone setup. It currently indicates "none," while the previous configuration was set to "2 zones." Could you please clarify this discrepancy?
Thank you for your assistance.
I don't think the expired certificate is relevant. The expired certificate you are talking about is for connecting to Aurora using SSL encryption, so it should not be related to this problem.
Restoring from a backup can only restore data up to the time the backup was taken. In other words, data updated after the backup was taken will not be restored, so some data may be lost. Also, restoring from a backup will not affect the currently running RDS Aurora, but will create a new instance. Therefore, you need to point the database that your application accesses to the new restored database.
Try restoring Aurora from a snapshot using the steps described in the document below.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-restore-snapshot.html#aurora-restore-snapshot.Restoring
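The check and the two remediation paths covered in this thread (the first answer: enable the key and start the cluster while the state is still inaccessible-encryption-credentials-recoverable, restore from a backup once it is terminal; the last answer: restore from a snapshot into a new cluster), as an added example runbook that is not part of the thread or of AWS's own tooling. The cluster, snapshot and key identifiers, the region, instance class, availability zones, subnet group and security group below are placeholder assumptions. Two facts it relies on: cancelling a KMS key's scheduled deletion leaves the key in the Disabled state, so it still has to be enabled afterwards; and `restore-db-cluster-from-snapshot` creates only the cluster, so the writer and reader instances are added with `create-db-instance`, and placing the reader in a second AZ is what makes the restored cluster Multi-AZ.

```shell
#!/bin/sh
# Added example, not from the thread or from AWS: runbook for an Aurora cluster whose
# Status is inaccessible-encryption-credentials or ...-recoverable.
# Placeholder assumptions: cluster/snapshot/key ids, region, instance class, AZs,
# subnet group and security group. Replace them with your own values.
set -eu

# Pure decision function (no AWS calls) so the logic can be checked offline.
# Inputs: DBClusters[0].Status from describe-db-clusters and KeyMetadata.KeyState
# from kms describe-key. Output: the action the AWS documentation prescribes.
remediation_for() {
    status="$1"
    key_state="$2"
    case "$status" in
        inaccessible-encryption-credentials-recoverable)
            # Seven-day window: make the key usable again, then start the cluster.
            case "$key_state" in
                Enabled)         echo "start-cluster" ;;
                Disabled)        echo "enable-key-then-start" ;;
                PendingDeletion) echo "cancel-key-deletion-then-enable-then-start" ;;
                *)               echo "investigate-key" ;;
            esac ;;
        inaccessible-encryption-credentials)
            # Terminal: modify/start are refused; only a restore is possible.
            echo "restore-from-snapshot" ;;
        available)
            echo "none" ;;
        *)
            echo "unknown" ;;
    esac
}

# Live helpers: these call the AWS CLI and are not exercised offline.
cluster_status() { aws rds describe-db-clusters --db-cluster-identifier "$1" --query 'DBClusters[0].Status' --output text; }
cluster_key_id() { aws rds describe-db-clusters --db-cluster-identifier "$1" --query 'DBClusters[0].KmsKeyId' --output text; }
key_state()      { aws kms describe-key --key-id "$1" --query 'KeyMetadata.KeyState' --output text; }

# Recoverable state: make the cluster's own key usable again, then start the
# stopped cluster. cancel-key-deletion leaves the key Disabled, hence enable-key after it.
recover_cluster() {
    cluster="$1"
    key="$(cluster_key_id "$cluster")"
    case "$(key_state "$key")" in
        PendingDeletion) aws kms cancel-key-deletion --key-id "$key"
                         aws kms enable-key --key-id "$key" ;;
        Disabled)        aws kms enable-key --key-id "$key" ;;
    esac
    aws rds start-db-cluster --db-cluster-identifier "$cluster"
    aws rds wait db-cluster-available --db-cluster-identifier "$cluster"
}

# Terminal state: restore the snapshot into a NEW cluster (the old one is left untouched).
# The restore creates only the cluster; instances are created separately. The first
# instance becomes the writer, the second (in another AZ) the reader, which is what
# makes the cluster Multi-AZ. Data is as of the snapshot time; anything written after
# that is not in the restored cluster. Add --kms-key-id to the restore call to encrypt
# the new cluster under a different key than the one that caused the outage.
restore_from_snapshot() {
    snapshot="$1"
    new_cluster="$2"
    aws rds restore-db-cluster-from-snapshot \
        --db-cluster-identifier "$new_cluster" \
        --snapshot-identifier "$snapshot" \
        --engine aurora-mysql \
        --db-subnet-group-name my-subnet-group \
        --vpc-security-group-ids sg-0123456789abcdef0
    aws rds wait db-cluster-available --db-cluster-identifier "$new_cluster"
    for az in eu-west-2a eu-west-2b; do
        aws rds create-db-instance \
            --db-instance-identifier "$new_cluster-$az" \
            --db-cluster-identifier "$new_cluster" \
            --db-instance-class db.r6g.large \
            --engine aurora-mysql \
            --availability-zone "$az"
        aws rds wait db-instance-available --db-instance-identifier "$new_cluster-$az"
    done
    # Point the application at the new cluster's writer/reader endpoints afterwards.
    aws rds describe-db-clusters --db-cluster-identifier "$new_cluster" \
        --query 'DBClusters[0].[Endpoint,ReaderEndpoint,MultiAZ]' --output text
}

# Usage: ./runbook.sh <cluster-id> [<snapshot-id> <new-cluster-id>]
main() {
    cluster="$1"
    status="$(cluster_status "$cluster")"
    action="$(remediation_for "$status" "$(key_state "$(cluster_key_id "$cluster")")")"
    echo "cluster $cluster is $status; action: $action"
    case "$action" in
        *start*)               recover_cluster "$cluster" ;;
        restore-from-snapshot) restore_from_snapshot "${2:?snapshot id required}" "${3:?new cluster id required}" ;;
    esac
}

# Only touch AWS when run with arguments; sourcing the file for the decision logic stays offline.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Before switching the application over, compare the restored data against the last known write (the snapshot time is shown by `describe-db-cluster-snapshots`), and keep automated backups enabled on the new cluster so the terminal state cannot recur without a recovery point.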