Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I share an encrypted Amazon Aurora snapshot with another account?

2 minute read

I have an Amazon Aurora DB cluster-encrypted snapshot that uses the default AWS Key Management Service (AWS KMS) key. I want to share the encrypted snapshot with another AWS account.

Short description

You can't share a snapshot that's encrypted with the default AWS KMS key. Instead, you must create a custom AWS KMS key. To share an encrypted Aurora DB cluster snapshot, complete the following steps:

Create a custom AWS KMS key, and then add the target account.
Use the AWS KMS key to create a copy of the DB cluster snapshot, and then share the new snapshot copy with the target account.
Copy the shared DB cluster snapshot from the target account.

Resolution

Create a custom AWS KMS key

Log in to the source account. Then, create a symmetric encryption key and select Add another AWS account for Other AWS accounts. Enter the target account number. For more information about cross-account permissions, see Allowing users in other accounts to use an AWS KMS key.

Copy and share the DB cluster snapshot

Copy the DB cluster snapshot and configure the following settings:

For Destination Region, select the AWS Region that your custom AWS KMS key is in.
Under Encryption, for AWS KMS Key, select the custom AWS KMS key that you created.

Then, share the snapshot with the other account.

Copy the shared DB cluster snapshot

Complete the following steps:

Log in to the target account.
Open the Amazon Relational Database Service (Amazon RDS) console.
In the navigation pane, choose Snapshots.
Under Snapshots, choose the Shared with me tab.
Select the DB cluster snapshot that you shared.
Choose Actions, and then choose Copy snapshot to copy the DB cluster snapshot into the same Region.

The AWS KMS key can be the default key or a customer-managed key. You can use the snapshot to launch the instance.

Related information

Sharing a DB cluster snapshot

Create an asymmetric KMS key

Multi-Region keys in AWS KMS

DB cluster snapshot copying

Topics

Database

Relevant content

Encrypted Amazon RDS DB snapshots shared with another account can't be restored without first copying it locally in the shared account.
Accepted Answer
Larry
asked 2 years ago
How do i migrate RDS encrypted cluster to another aws account
rePost-User-9145123
asked 2 years ago
Copying RDS Snapshot to another account
Accepted Answer
AWS-User-2071380
asked 5 years ago
Restore encrypted Snapshot
Jess
asked 3 years ago
Snapshot volume encrypted with shared cmk from lost account
acdci
asked 8 months ago
How do I share manual Amazon RDS DB snapshots or Aurora DB cluster snapshots with another AWS account?
AWS OFFICIALUpdated a year ago
How can I share an encrypted Amazon RDS DB snapshot with another account?
AWS OFFICIALUpdated 2 years ago
How can I share an encrypted EBS snapshot or volume with another AWS account?
AWS OFFICIALUpdated 2 years ago
How can I use the AWSSupport-ModifyEBSSnapshotPermission runbook to modify the permissions of snapshots?
AWS OFFICIALUpdated 2 years ago
Why do I get an error "The snapshot is currently in use by AMI" when I try to delete an EBS snapshot, even though there is no AMI on the account?
EXPERT
Dnyaneshwar Bhosale DB
published a year ago