Posted On: Nov 3, 2021

Amazon Relational Database Service (Amazon RDS) now offers the ability to specify an AWS Key Management Service (KMS) customer managed key (CMK) from a different account when exporting an Amazon RDS Snapshot to Amazon S3. This option helps customers organize and consolidate their KMS keys by eliminating the need to create keys in each account that has snapshots.

Snapshot export extracts data from snapshots and stores it in an Amazon S3 bucket in Apache Parquet format. Exported data can be analyzed using tools such as Amazon Athena. RDS secures the exported data by encrypting it with a KMS key while exporting to S3. Now, when you set up the task for exporting the snapshot data, you can specify a KMS key that is shared with the account where the snapshot currently resides. This can help you organize KMS keys in a centralized account. For more details, refer to the documentation.

Cross-account KMS keys for snapshot exports are available in all AWS Regions where snapshot export is generally available. To learn more about these keys and how to configure them, see the Allowing users in other accounts to use a CMK topic in the AWS Key Management Service Developer Guide.