How can I share an encrypted Amazon RDS snapshot that uses the default AWS KMS key with another account?

Last updated: 2019-05-16

I have an encrypted snapshot of an Amazon Relational Database Service (Amazon RDS) instance that uses the default AWS Key Management Service (AWS KMS) key. How can I share an encrypted snapshot of an RDS DB instance with another AWS account?

Short Description

You can't share a snapshot that's encrypted with the default AWS KMS key (the AWS managed key aws/rds), because the policy of an AWS managed key can't be changed to grant another account access to it. For more information about the limitations of sharing DB snapshots, see Sharing an Encrypted Snapshot.

To share an encrypted Amazon RDS DB snapshot:

  1. Add the target account to a custom (non-default) KMS key.
  2. Copy the snapshot using the custom KMS key, and then share the snapshot with the target account.
  3. Copy the shared DB snapshot from the target account.

Resolution

Add the target account to a custom KMS key

  1. Log in to the source account, and then open the AWS KMS console in the same AWS Region as the DB snapshot.
  2. Choose Customer managed keys from the navigation pane.
  3. Choose the name of your custom key, or choose Create key, if you don't yet have one. For more information, see Creating Keys.
  4. From the Key administrators section, Add the AWS Identity and Access Management (IAM) users and roles who can administer the AWS KMS key.
  5. From the Key users section, Add the IAM users and roles who can use the customer master key (CMK) to encrypt and decrypt data.
  6. In the Other AWS accounts section, choose Add another AWS account, and then enter the AWS account number of the target account. For more information, see Allowing External AWS Accounts to Access a CMK.

Copy and share the snapshot

  1. Open the Amazon RDS console, and then choose Snapshots from the navigation pane.
  2. Select the snapshot you created, choose Actions, and then choose Copy Snapshot.
  3. Choose the same AWS Region that your KMS key is in, and then enter a New DB Snapshot Identifier.
  4. In the Encryption section, choose the KMS key that you created.
  5. Choose Copy Snapshot.
  6. Share the copied snapshot with the target account.

Copy the shared DB snapshot

  1. Log in to the target account, and then open the Amazon RDS console.
  2. Choose Snapshots from the navigation pane.
  3. From the Snapshots pane, choose Shared with Me from the drop-down menu.
  4. Select the DB snapshot that was shared.
  5. Choose Actions, and then choose Copy Snapshot to copy the snapshot into the same AWS Region and with a KMS key from the target account.

After the DB snapshot is copied, you can use the copy to restore a DB instance in the target account.
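The three sections above describe the whole procedure through the console. The following is an added example, not code from this article or from AWS: it builds the key policy that the KMS console writes for a customer managed key when you add an external account under Other AWS accounts, and it runs a preflight check that reproduces the conditions the procedure depends on (the snapshot must not use the AWS managed key, the key and the snapshot must be in the same Region, and the target account must be allowed to decrypt and create grants). The account IDs, key IDs, snapshot names and the API-shaped records are constructed placeholders; the record shapes follow the describe-db-snapshots, kms describe-key (KeyMetadata) and kms get-key-policy responses, but the code runs offline and makes no AWS calls.

```python
import fnmatch
import json

# Placeholder account IDs (constructed for this example, not real accounts)
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"


def build_key_policy(source_account: str, target_account: str) -> dict:
    """Key policy for the customer managed key used to re-encrypt the snapshot copy.

    Mirrors the statements the KMS console generates: the source account keeps
    full control, the target account may use the key, and the target account
    may create grants only on behalf of AWS services (RDS needs this to restore).
    """
    target_root = f"arn:aws:iam::{target_account}:root"
    return {
        "Version": "2012-10-17",
        "Id": "rds-snapshot-sharing",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": target_root},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {"AWS": target_root},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                # Grants may only be created for an AWS service acting for the principal
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _statement_allows(stmt: dict, principal_arn: str, action: str) -> bool:
    """True if an Allow statement names the principal and an action pattern matching `action`."""
    if stmt.get("Effect") != "Allow":
        return False
    principals = stmt.get("Principal", {}).get("AWS", [])
    if isinstance(principals, str):
        principals = [principals]
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return principal_arn in principals and any(fnmatch.fnmatchcase(action, p) for p in actions)


def account_can_use_key(policy: dict, account_id: str) -> bool:
    """True if the account root is allowed every action a cross-account restore needs."""
    root = f"arn:aws:iam::{account_id}:root"
    required = ["kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"]
    return all(any(_statement_allows(s, root, a) for s in policy["Statement"]) for a in required)


def arn_region(arn: str) -> str:
    # ARN layout: arn:partition:service:region:account:resource
    return arn.split(":")[3]


def sharing_blocker(snapshot: dict, key_metadata: dict, key_policy: dict, target_account: str):
    """Preflight check; returns None when nothing blocks sharing, else a short reason."""
    if not snapshot.get("Encrypted"):
        return None  # unencrypted snapshots can be shared directly
    if key_metadata.get("KeyManager") == "AWS":
        return "snapshot uses the AWS managed key (aws/rds); copy it with a customer managed key first"
    if arn_region(snapshot["DBSnapshotArn"]) != arn_region(snapshot["KmsKeyId"]):
        return "KMS key and snapshot are in different Regions; copy the snapshot into the key's Region"
    if not account_can_use_key(key_policy, target_account):
        return f"key policy does not allow account {target_account} to decrypt and create grants"
    return None


# Constructed API-shaped samples with placeholder identifiers
DEFAULT_KEY_SNAPSHOT = {
    "DBSnapshotIdentifier": "prod-db-20190516",
    "DBSnapshotArn": f"arn:aws:rds:us-east-1:{SOURCE_ACCOUNT}:snapshot:prod-db-20190516",
    "Encrypted": True,
    "KmsKeyId": f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/PLACEHOLDER-default-key",
}
DEFAULT_KEY_METADATA = {"KeyId": "PLACEHOLDER-default-key", "KeyManager": "AWS"}
CUSTOM_KEY_SNAPSHOT = {
    "DBSnapshotIdentifier": "prod-db-20190516-shareable",
    "DBSnapshotArn": f"arn:aws:rds:us-east-1:{SOURCE_ACCOUNT}:snapshot:prod-db-20190516-shareable",
    "Encrypted": True,
    "KmsKeyId": f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/PLACEHOLDER-custom-key",
}
CUSTOM_KEY_METADATA = {"KeyId": "PLACEHOLDER-custom-key", "KeyManager": "CUSTOMER"}

if __name__ == "__main__":
    policy = build_key_policy(SOURCE_ACCOUNT, TARGET_ACCOUNT)
    print(json.dumps(policy, indent=2))
    for snap, meta in ((DEFAULT_KEY_SNAPSHOT, DEFAULT_KEY_METADATA),
                       (CUSTOM_KEY_SNAPSHOT, CUSTOM_KEY_METADATA)):
        verdict = sharing_blocker(snap, meta, policy, TARGET_ACCOUNT) or "ok to share"
        print(f"{snap['DBSnapshotIdentifier']}: {verdict}")
```

The policy document produced by build_key_policy is what you would pass to the AWS CLI with aws kms put-key-policy --policy-name default on the custom key; the copy and share steps correspond to aws rds copy-db-snapshot --kms-key-id and aws rds modify-db-snapshot-attribute --attribute-name restore --values-to-add with the target account ID, and the target account then runs copy-db-snapshot again against the shared snapshot ARN with a key of its own. The kms:GrantIsForAWSResource condition is the part worth keeping when you trim the policy: it lets RDS in the target account create the grant it needs to restore while preventing the target principals from creating arbitrary grants on your key.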
