IaC solution for Aurora RDS instances for cross-account clones with AWS managed KMS keys


Customer is using Aurora RDS instances. In order to facilitate testing, customer would like to get access to current replicas of clusters from the production account for our new staging/test environment. Although cross-account clones are possible, customer did not initially consider this when creating them. Consequently, the clones currently use the AWS managed KMS keys for RDS instead of a customer managed key.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Do you have any recommendations?

1 Answer

Hello.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Snapshot sharing cannot be handled by IaC, so I think a mechanism to automate it in another way is necessary.

How about creating a Lambda function that creates a copy using the customer KMS key when a snapshot is created?
If you can create this Lambda, you can use RDS event notifications and EventBridge to execute Lambda via SNS, so you can automate the creation of snapshots.
Once the snapshot copy is complete, I think it would be a good idea to share only the necessary snapshots to another AWS account.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.overview.html

EXPERT, answered a month ago
EXPERT, reviewed a month ago
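The Lambda sketched in the answer, as an added example (not code from the answer or from the linked knowledge-center article): it parses the SNS-wrapped RDS event notification, copies the new cluster snapshot under a customer managed key with copy_db_cluster_snapshot, waits for the copy to become available, and only then shares it with the staging account via modify_db_cluster_snapshot_attribute. The key ARN, the account id, the SAMPLE_EVENT payload and the "-cmk" naming are assumptions/constructed placeholders.

```python
import json

# Assumptions (placeholders, not values from the post): customer managed CMK and staging account.
KMS_KEY_ARN = "arn:aws:kms:REGION:111111111111:key/PLACEHOLDER"
TARGET_ACCOUNT_ID = "222222222222"

# Constructed sample: one "snapshot created" event (automated ids carry "rds:") plus one unrelated event.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(
    {"Event Source": "db-cluster-snapshot", "Source ID": "rds:prod-aurora-2024-01-01-03-00",
     "Event Message": "Automated cluster snapshot created"})}}, {"Sns": {"Message": json.dumps(
    {"Event Source": "db-cluster-snapshot", "Source ID": "old-manual",
     "Event Message": "Cluster snapshot deleted"})}}]}

def snapshot_id_from_event(sns_message: str):
    """Return the cluster snapshot id for a 'snapshot created' event, else None."""
    body = json.loads(sns_message)
    if body.get("Event Source") != "db-cluster-snapshot":
        return None
    if "snapshot created" not in body.get("Event Message", "").lower():
        return None  # ignore delete/copy/restore notifications
    return body.get("Source ID")

def target_snapshot_id(source_id: str) -> str:
    return source_id.split(":", 1)[-1] + "-cmk"  # target ids may not contain ':' (drop "rds:")

def copy_with_cmk(rds, source_id: str) -> str:
    """Copy the snapshot under the customer managed key and return the copy's id."""
    target = target_snapshot_id(source_id)
    rds.copy_db_cluster_snapshot(SourceDBClusterSnapshotIdentifier=source_id,
        TargetDBClusterSnapshotIdentifier=target, KmsKeyId=KMS_KEY_ARN, CopyTags=True)
    return target

def share_with_account(rds, snapshot_id: str, account_id: str) -> None:
    """Grant the staging account restore access to the copy (only the CMK copy is shareable)."""
    rds.modify_db_cluster_snapshot_attribute(DBClusterSnapshotIdentifier=snapshot_id,
        AttributeName="restore", ValuesToAdd=[account_id])

def handler(event, context=None, rds=None):
    """Lambda entry point: parse -> copy -> wait until available -> share."""
    if rds is None:
        import boto3  # lazy import so the helpers run without AWS credentials
        rds = boto3.client("rds")
    shared = []
    for record in event.get("Records", []):
        source_id = snapshot_id_from_event(record["Sns"]["Message"])
        if source_id:
            copy_id = copy_with_cmk(rds, source_id)
            rds.get_waiter("db_cluster_snapshot_available").wait(DBClusterSnapshotIdentifier=copy_id)
            share_with_account(rds, copy_id, TARGET_ACCOUNT_ID)
            shared.append(copy_id)
    return shared
```

The waiter can exceed a Lambda timeout for large clusters; in that case split the share step into a second function triggered by the snapshot-copy-complete event, and make sure the CMK's key policy grants the staging account kms:DescribeKey, kms:CreateGrant and kms:Decrypt.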
