IaC solution for Aurora RDS instances for cross-account clones with AWS managed KMS keys


Customer is using Aurora RDS instances. In order to facilitate testing, customer would like to get access to current replicas of clusters from the production account for our new staging/test environment. Although cross-account clones are possible, customer did not initially consider this when creating them. Consequently, the clones currently use the AWS managed KMS keys for RDS instead of a client managed key.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Do you have any recommendations?

1 Answer

Hello.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Snapshot sharing cannot be handled by IaC, so I think a mechanism to automate it in another way is necessary.

How about creating a Lambda function that creates a copy using the customer KMS key when a snapshot is created?
If you can create this Lambda, you can use RDS event notifications and EventBridge to execute Lambda via SNS, so you can automate the creation of snapshots.
Once the snapshot copy is complete, I think it would be a good idea to share only the necessary snapshots to another AWS account.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.overview.html

EXPERT
answered a month ago
EXPERT
reviewed a month ago
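One way to build the Lambda this answer describes, as an added example that is not part of the original answer and not an AWS-provided sample. It assumes EventBridge delivers RDS cluster-snapshot events in the `detail` shape shown in the constructed sample, that the finished copy raises its own creation-category event (so sharing runs in a second invocation, after the asynchronous copy completes), that `CMK_KEY_ARN` and `STAGING_ACCOUNT_ID` are environment variables you set on the function, and that the `cmk-copy-` prefix is a naming convention of your choosing.

```python
"""Added example: re-encrypt each new Aurora cluster snapshot with a customer-managed KMS
key, then share the copy (a manual snapshot, which automated ones cannot be) with staging."""
import os
import re

COPY_PREFIX = "cmk-copy-"  # assumed naming convention for our copies; also the loop guard
# Constructed sample EventBridge payload (not a captured real event).
SAMPLE_CREATED_EVENT = {
    "detail-type": "RDS DB Cluster Snapshot Event",
    "detail": {
        "SourceType": "CLUSTER_SNAPSHOT",
        "SourceIdentifier": "rds:prod-aurora-2024-05-01-03-00",
        "EventCategories": ["creation"],
    },
}

def target_identifier(source_identifier):
    """'rds:<cluster>-<timestamp>' -> identifier with only letters, digits, hyphens (<=63)."""
    name = source_identifier.split(":", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9-]", "-", name).strip("-")
    return (COPY_PREFIX + name)[:63]

def plan_action(detail):
    """Return the action for one event payload, or None for events we ignore."""
    if detail.get("SourceType") != "CLUSTER_SNAPSHOT" or "creation" not in detail.get("EventCategories", []):
        return None
    ident = detail["SourceIdentifier"]
    if ident.startswith(COPY_PREFIX):  # one of our copies finished: share it, never copy it again
        return {"action": "share", "snapshot": ident}
    return {"action": "copy", "source": ident, "target": target_identifier(ident)}

def handle_event(event, rds, kms_key_id, staging_account):
    """Run the plan with the given RDS client (injected so it can be faked offline)."""
    plan = plan_action(event.get("detail", {}))
    if plan is None:
        return None
    if plan["action"] == "copy":  # KmsKeyId makes RDS re-encrypt the copy with the CMK
        rds.copy_db_cluster_snapshot(
            SourceDBClusterSnapshotIdentifier=plan["source"],
            TargetDBClusterSnapshotIdentifier=plan["target"],
            KmsKeyId=kms_key_id, CopyTags=True)
    else:  # 'restore' attribute lists the accounts allowed to restore/copy this snapshot
        rds.modify_db_cluster_snapshot_attribute(
            DBClusterSnapshotIdentifier=plan["snapshot"],
            AttributeName="restore", ValuesToAdd=[staging_account])
    return plan

def lambda_handler(event, context):
    import boto3  # lazy import keeps the module importable without boto3 installed
    return handle_event(event, boto3.client("rds"), os.environ["CMK_KEY_ARN"], os.environ["STAGING_ACCOUNT_ID"])
```

The staging account still needs permission to use the CMK (a key policy grant) before it can restore the shared copy, exactly as in the linked knowledge-center article.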
