How do I share manual Amazon RDS DB snapshots or Aurora DB cluster snapshots with another AWS account?


I want to share manual Amazon Relational Database Service (Amazon RDS) DB snapshots or Amazon Aurora DB cluster snapshots with another account.

Resolution

Note: Any unencrypted snapshot that is shared can be restored without having to make a copy. For more information, see Sharing a DB snapshot.

You can share manual DB snapshots with up to 20 AWS accounts. To share manual snapshots, use the Amazon RDS console.

Note: You can't share manual snapshots of DB instances that use custom option groups with persistent or permanent options. This limit also includes Transparent Data Encryption (TDE) and time zone. The only exception to the limit is for Oracle DB instances that have the Timezone or OLS option.

Automated Amazon RDS snapshots

To share an automated Amazon RDS snapshot with other AWS accounts, copy the snapshot. Then, complete the steps under Share a snapshot.

Note: If the snapshot is encrypted, then you must take additional steps. Based on your use case, complete the steps under Manual encrypted snapshots that use a default AWS KMS key. Or, complete the steps under Manual encrypted snapshots that use a non-default AWS KMS key.

Manual encrypted snapshots that use a default AWS KMS key

You can share encrypted snapshots that use a default AWS Key Management Service (AWS KMS) key. To share these snapshots, copy the snapshot with a customer managed key to re-encrypt the snapshot. Then, complete the steps under Manual encrypted snapshots that use a non-default AWS KMS key.

Manual encrypted snapshots that use a non-default AWS KMS key

To share encrypted manual snapshots that use a non-default AWS KMS key, share the AWS KMS key with the target account that you want to share the snapshot with.

To share the manual snapshot that uses a non-default AWS KMS key, complete the following steps:

  1. Add the target account to the AWS KMS key policy. For more information, see Add IAM policies in the external account.
  2. Share the new snapshot that's encrypted with the customer managed key with the target account.
  3. When you copy the snapshot to the destination account, use an AWS KMS key in the destination account.
    Note: For Aurora cluster snapshots, you can directly restore shared snapshots from the destination account.
  4. Restore the copied snapshot.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Share a snapshot

To share a snapshot, complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Snapshots.
  3. Choose the DB snapshot that you want to share.
  4. Choose Actions, and then choose Share Snapshot.
  5. Based on your use case, select your DB snapshot visibility:
    Public allows all AWS accounts to restore a DB instance from your manual DB snapshot.
    Private allows only AWS accounts that you specify to restore a DB instance from your manual DB snapshot.
  6. In the AWS Account ID field, enter the ID of the AWS account that you want to permit to restore a DB instance from your manual DB snapshot. Then, choose Add.
    Note: You can repeat this step to share snapshots with up to 20 AWS accounts.
  7. Choose Save.
  8. To stop sharing a snapshot with an AWS account, select the Delete check box next to the account ID from the Snapshot permissions pane.
  9. Choose Save.
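
To review the Public and Private visibility settings from step 5 after sharing, the following added example (not part of the original article) checks the restore attribute of a snapshot for public sharing and for account IDs outside an allow-list. It assumes the JSON shape returned by the AWS CLI commands describe-db-snapshot-attributes and describe-db-cluster-snapshot-attributes; the snapshot names, account IDs, and the allow-list are constructed placeholders.

```python
import json

# Constructed samples in the shape returned by
# `aws rds describe-db-snapshot-attributes` and
# `aws rds describe-db-cluster-snapshot-attributes`.
# Snapshot names and account IDs are made up.
SAMPLE_DB = json.loads("""{"DBSnapshotAttributesResult": {
  "DBSnapshotIdentifier": "orders-manual-example",
  "DBSnapshotAttributes": [{"AttributeName": "restore",
    "AttributeValues": ["111122223333", "444455556666"]}]}}""")
SAMPLE_CLUSTER = json.loads("""{"DBClusterSnapshotAttributesResult": {
  "DBClusterSnapshotIdentifier": "aurora-manual-example",
  "DBClusterSnapshotAttributes": [{"AttributeName": "restore",
    "AttributeValues": ["all"]}]}}""")

# Response wrapper -> (identifier key, attribute-list key)
SHAPES = {
    "DBSnapshotAttributesResult":
        ("DBSnapshotIdentifier", "DBSnapshotAttributes"),
    "DBClusterSnapshotAttributesResult":
        ("DBClusterSnapshotIdentifier", "DBClusterSnapshotAttributes"),
}

def audit_snapshot_sharing(response, approved_accounts):
    """Return (snapshot_id, findings) for one attributes response."""
    for wrapper, (id_key, attrs_key) in SHAPES.items():
        if wrapper in response:
            result = response[wrapper]
            break
    else:
        raise ValueError("not a snapshot-attributes response")
    # The "restore" attribute lists who may restore the snapshot.
    shared = [value
              for attr in result.get(attrs_key, [])
              if attr.get("AttributeName") == "restore"
              for value in attr.get("AttributeValues", [])]
    findings = []
    if "all" in shared:  # "all" is the Public visibility setting
        findings.append("PUBLIC: any AWS account can restore")
    for account in sorted(set(shared) - {"all"} - set(approved_accounts)):
        findings.append(f"UNAPPROVED: shared with {account}")
    return result[id_key], findings

if __name__ == "__main__":
    approved = {"111122223333"}  # hypothetical allow-list
    for sample in (SAMPLE_DB, SAMPLE_CLUSTER):
        print(audit_snapshot_sharing(sample, approved))
```

Run the check against the saved output of either describe command for each manual snapshot. An empty findings list means the snapshot is shared only with approved accounts.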

You can use the AWS CLI or Amazon RDS API to restore a DB instance or DB cluster from a shared snapshot. To use these methods to restore an instance, you must specify the full ARN of the shared snapshot as the snapshot identifier.

Related information

Creating a DB snapshot for a Single-AZ DB instance

Restoring from a DB snapshot

How can I share an encrypted Amazon RDS DB snapshot with another account?