How can I share an encrypted Amazon Aurora snapshot with another account?

Short description

You can't share a snapshot that's encrypted with the default AWS KMS key. You must create a custom AWS KMS key instead. To share an encrypted Aurora DB cluster snapshot:

1. Create a custom AWS KMS key.
2. Add the target account to the custom AWS KMS key.
3. Create a copy of the DB cluster snapshot using the custom AWS KMS key. Then, share the newly copied snapshot with the target account.
4. Copy the shared DB cluster snapshot from the target account.

Resolution

Create a custom AWS KMS key

1. Log in to the source account, and then go to the AWS KMS console in the same region as the DB cluster snapshot.
2. Select Customer-managed keys from the navigation pane on the side.
3. Choose Create key.
4. Create a symmetric encryption AWS KMS key.
5. In Key usage, select Encrypt and decrypt. For information about creating AWS KMS keys that generate and then verify MAC codes, see Creating HMAC AWS KMS keys.
6. In Advanced options, select AWS KMS as the key material origin.
7. Select Single-region key, and then select Next.
8. Give your key an alias. It is a best practice also to give your key a description and a tag. Then, select Next.
9. Choose the IAM users and roles that will be allowed to administer the AWS KMS key, and then select Next.
   Note: To prevent the IAM users and roles from deleting the AWS KMS key, in the Key deletion section, uncheck the Allow key administrators to delete this key check box.
10. Select the IAM users and role that can use the AWS KMS key in cryptographic operations, and select Next.
    Note: You also can allow other AWS accounts to use the key for cryptographic operations. For more information, see Cryptographic operations.
11. Select Finish to create the AWS KMS key.

Give target account access to the custom AWS KMS key within the source account

1. Log in to the source account, and go to the AWS KMS console in the same Region as the DB cluster snapshot.
2. Select Customer-managed keys from the navigation pane.
3. Select your custom AWS KMS key.
4. From the Other AWS accounts section, select Add another AWS account, and then enter the AWS account number of your target account. For more information see, Allowing users in other accounts to use an AWS KMS key.

Copy and share the DB cluster snapshot

1. Open the Amazon RDS console in the source account, and then select Snapshots from the navigation pane.
2. Select the DB cluster snapshot you want to share. Select Actions, and then select Copy snapshot.
3. Select the same AWS Region that your custom AWS KMS key is in, and then enter a name for the New DB Snapshot Identifier.
4. In the Encryption section, select the custom AWS KMS key that you created.
5. Select Copy Snapshot.
6. Select the newly copied DB cluster snapshot, select Actions, and then select Share snapshot.
7. In AWS account ID, enter the AWS account number of your target account, and then select Add.
8. Select Save.

Copy the shared DB cluster snapshot

1. Log in to the target account, and then open the Amazon RDS console.
2. Choose Snapshots from the navigation pane.
3. From the Snapshots pane, select the Shared with Me tab.
4. Select the DB cluster snapshot that was shared.
5. Select Actions. Then, select Copy Snapshot to copy the DB cluster snapshot into the same AWS Region.

The DB snapshot now has an AWS KMS key from the target account and can be used to launch the instance.

Related information

Sharing a DB cluster snapshot

Creating asymmetric AWS KMS keys

Multi-Region keys in AWS KMS

Copying a DB cluster snapshot

Sharing a snapshot