How can I share an encrypted Amazon RDS DB snapshot with another account?
Last updated: 2020-09-20
I have an encrypted snapshot of an Amazon Relational Database Service (Amazon RDS) DB instance. It uses the default AWS Key Management Service (AWS KMS) key. How can I share an encrypted snapshot of a DB instance with another AWS account?
You can't share a snapshot that's encrypted using the default AWS KMS encryption key. For more information about the limitations of sharing DB snapshots, see Sharing an encrypted snapshot.
To share an encrypted Amazon RDS DB snapshot:
- Grant the target account access to a customer managed (non-default) KMS key.
- Copy the snapshot using the customer managed key, and then share the snapshot with the target account.
- Copy the shared DB snapshot from the target account.
Note: You can also follow the steps in the AWSSupport-ShareRDSSnapshot AWS Systems Manager Automation document to share your snapshot. You can provide a snapshot to be copied and shared with the target account, or provide the DB instance or DB cluster ID whose latest snapshot will be shared. You can provide an existing KMS key, or leave it blank to create a new key. For more information, see Add a key policy statement in the local account and Running a simple automation.
Allow the target account to use the source account's AWS KMS key
- Log in to the source account, and then open the AWS KMS console in the same AWS Region as the DB snapshot.
- Choose Customer managed keys from the navigation pane.
- Choose the name of your customer managed key, or choose Create key if you don't have one yet. For more information, see Creating keys.
- In the Key administrators section, add the AWS Identity and Access Management (IAM) users and roles that can administer the AWS KMS key.
- In the Key users section, add the IAM users and roles that can use the AWS KMS key (KMS key) to encrypt and decrypt data.
- In the Other AWS accounts section, choose Add another AWS account, and then enter the AWS account number of the target account. For more information, see Allowing users in other accounts to use a KMS key.
Copy and share the snapshot
- Open the Amazon RDS console, and then choose Snapshots from the navigation pane.
- Choose the name of the snapshot that you created, choose Actions, and then choose Copy Snapshot.
- Choose the same AWS Region that your KMS key is in, and then enter a New DB Snapshot Identifier.
- In the Encryption section, choose the KMS key that you created.
- Choose Copy Snapshot.
- Share the copied snapshot with the target account.
Copy the shared DB snapshot
- Log in to the target account, and then open the Amazon RDS console.
- Choose Snapshots from the navigation pane.
- From the Snapshots pane, choose the Shared with Me tab.
- Select the DB snapshot that was shared.
- Choose Actions, and then choose Copy Snapshot to copy the snapshot into the same AWS Region and with a KMS key from the target account.
After the DB snapshot is copied, you can use the copy to launch the instance.
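As an added example (not part of the original article), the following Python pre-flight check captures the two conditions the steps above depend on: the snapshot must be encrypted with a customer managed key rather than the AWS managed aws/rds key, and the source key's policy must grant the target account's root principal the KMS actions it needs to copy the snapshot. The set of required actions, the statement shape and the account IDs are assumptions; the inputs mirror the shapes returned by describe-db-snapshots, describe-key and get-key-policy.

```python
# Actions the target account needs on the source account's customer managed key to copy a
# snapshot encrypted under it (assumed set, modelled on the console's "Add another AWS account").
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant",
                    "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext")

def cross_account_statement(target_account_id: str) -> dict:
    """Key policy statement granting the target account's root principal use of the key."""
    return {"Sid": "AllowTargetAccountToCopySnapshots", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{target_account_id}:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
            "Resource": "*"}

def _matches(allowed: str, needed: str) -> bool:
    """IAM-style trailing-wildcard match: 'kms:ReEncrypt*' covers 'kms:ReEncryptTo'."""
    return needed.startswith(allowed[:-1]) if allowed.endswith("*") else allowed == needed

def actions_granted_to_account(policy: dict, account_id: str) -> set:
    """Collect the Allow actions a key policy grants the account (root ARN, bare ID or '*')."""
    wanted = {"*", account_id, f"arn:aws:iam::{account_id}:root"}
    granted = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") != "Allow" or not wanted.intersection(aws):
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def share_preflight(snapshot: dict, key_metadata: dict, key_policy: dict,
                    target_account_id: str) -> list:
    """Return the reasons sharing would fail (an empty list means the snapshot is shareable)."""
    if not snapshot.get("Encrypted"):
        return []  # unencrypted snapshots can be shared without any key policy work
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return ["snapshot is encrypted with the AWS managed aws/rds key; copy it with a "
                "customer managed key before sharing"]
    granted = actions_granted_to_account(key_policy, target_account_id)
    return [f"key policy does not grant {a} to account {target_account_id}"
            for a in REQUIRED_ACTIONS if not any(_matches(g, a) for g in granted)]

if __name__ == "__main__":  # constructed sample input; the account ID is a placeholder
    policy = {"Version": "2012-10-17", "Statement": [cross_account_statement("222222222222")]}
    print(share_preflight({"Encrypted": True}, {"KeyManager": "CUSTOMER"}, policy, "222222222222"))
```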