IaC solution for Aurora RDS instances for cross-account clones with AWS managed KMS keys


Customer is using Aurora RDS instances. In order to facilitate testing, customer would like to get access to current replicas of clusters from the production account for our new staging/test environment. Although cross-account clones are possible, customer did not initially consider this when creating them. Consequently, the clones currently use the AWS managed KMS keys for RDS instead of a client managed key.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Do you have any recommendations?

1 Answer

Hello.

The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that can be deployed as IaC with Terraform or CloudFormation.

Snapshot sharing cannot be handled by IaC, so I think a mechanism to automate it in another way is necessary.

How about creating a Lambda function that creates a copy using the customer KMS key when a snapshot is created?
If you can create this Lambda, you can use RDS event notifications and EventBridge to execute the Lambda via SNS, so you can automate the creation of snapshots.
Once the snapshot copy is complete, I think it would be a good idea to share only the necessary snapshots with another AWS account.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.overview.html

EXPERT
answered a month ago
EXPERT
verified a month ago
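As an added example, not code from the question or the answer above, here is the copy-then-share automation the answer sketches, written as a Python Lambda handler driven by EventBridge RDS snapshot events. Everything below that is not on the page is an assumption: the EventBridge event shape ("RDS DB Cluster Snapshot Event" with detail.EventCategories, SourceIdentifier and Message), the COPY_SUFFIX used to mark the function's own copies, the CMK_KEY_ID and TARGET_ACCOUNT_ID environment variables, and that a finished copy raises its own snapshot creation event, which you should confirm against the RDS events page linked in the answer. The sample event is constructed, not captured from a real account.

```python
# Added example: two-stage copy-then-share Lambda for Aurora cluster snapshots.
# Stage 1: a snapshot we did not create completes -> copy it under the customer managed key.
# Stage 2: our copy completes and raises its own creation event -> share it with the target account.
import re

COPY_SUFFIX = "-cmk"   # assumption: suffix that marks copies made by this function
MAX_ID_LEN = 63        # RDS snapshot identifier length limit


def parse_snapshot_event(event):
    """Return (snapshot_id, message) for a completed cluster snapshot, else None.

    Event shape is the assumed EventBridge delivery of an RDS event. Start events
    ("Creating ...") and anything that is not a cluster snapshot event are ignored.
    """
    if event.get("detail-type") != "RDS DB Cluster Snapshot Event":
        return None
    detail = event.get("detail", {})
    if "creation" not in detail.get("EventCategories", []):
        return None
    message = detail.get("Message", "")
    if not message.lower().endswith(("snapshot created", "snapshot copied")):
        return None
    return detail["SourceIdentifier"], message


def copy_identifier(source_id):
    """Derive a valid manual snapshot identifier for the re-encrypted copy.

    Automated snapshots are named like 'rds:cluster-2024-05-01-03-00'; a manual
    identifier may contain only letters, digits and single hyphens, max 63 chars.
    """
    base = re.sub(r"[^a-z0-9-]+", "-", source_id.lower())
    base = re.sub(r"-{2,}", "-", base).strip("-")
    base = base[: MAX_ID_LEN - len(COPY_SUFFIX)].rstrip("-")
    return base + COPY_SUFFIX


def plan_actions(snapshot_id, kms_key_id, target_account):
    """Return the RDS API call to make for one completed snapshot.

    Recognising our own copies by suffix is what stops the function from copying
    its own copies forever: each copy completion fires a new creation event.
    """
    if snapshot_id.endswith(COPY_SUFFIX):
        return [{"api": "modify_db_cluster_snapshot_attribute",
                 "kwargs": {"DBClusterSnapshotIdentifier": snapshot_id,
                            "AttributeName": "restore",
                            "ValuesToAdd": [target_account]}}]
    return [{"api": "copy_db_cluster_snapshot",
             "kwargs": {"SourceDBClusterSnapshotIdentifier": snapshot_id,
                        "TargetDBClusterSnapshotIdentifier": copy_identifier(snapshot_id),
                        "KmsKeyId": kms_key_id,
                        "CopyTags": True}}]


def run_plan(plan, rds):
    """Execute the planned calls against an RDS client (boto3 or a test double)."""
    return [getattr(rds, step["api"])(**step["kwargs"]) for step in plan]


def lambda_handler(event, context=None, rds=None, kms_key_id=None, target_account=None):
    """Lambda entry point; config comes from the assumed env vars unless passed in."""
    import os
    parsed = parse_snapshot_event(event)
    if parsed is None:
        return {"handled": False}
    snapshot_id, _ = parsed
    plan = plan_actions(snapshot_id,
                        kms_key_id or os.environ["CMK_KEY_ID"],
                        target_account or os.environ["TARGET_ACCOUNT_ID"])
    if rds is None:
        import boto3  # imported lazily so the planning logic runs without the SDK
        rds = boto3.client("rds")
    run_plan(plan, rds)
    return {"handled": True, "plan": plan}


class FakeRds:
    """Offline stand-in for boto3's RDS client; records the calls it receives."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"ResponseMetadata": {"HTTPStatusCode": 200}}
        return call


# Constructed sample event for an automated Aurora cluster snapshot.
SAMPLE_EVENT = {
    "detail-type": "RDS DB Cluster Snapshot Event",
    "source": "aws.rds",
    "detail": {"EventCategories": ["creation"],
               "SourceType": "CLUSTER_SNAPSHOT",
               "SourceIdentifier": "rds:prod-aurora-2024-05-01-03-05",
               "Message": "Automated cluster snapshot created"},
}

if __name__ == "__main__":
    fake = FakeRds()
    print(lambda_handler(SAMPLE_EVENT, rds=fake, kms_key_id="alias/aurora-share",
                         target_account="123456789012"))
    print(fake.calls)
```

The Lambda role needs rds:CopyDBClusterSnapshot and rds:ModifyDBClusterSnapshotAttribute plus kms:Encrypt, kms:Decrypt, kms:GenerateDataKey and kms:CreateGrant on the customer managed key, and, as in the knowledge-center article the question links, the key policy must grant the staging account use of that key, or the shared snapshot cannot be restored there. The copy step exists because automated snapshots cannot be shared directly and because a snapshot under the AWS managed RDS key can never be shared; the suffix check is the guard against an infinite copy loop once EventBridge starts delivering creation events for your own copies.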
