I have an encrypted snapshot of an Amazon Relational Database Service (Amazon RDS) DB instance. It uses the default AWS Key Management Service (AWS KMS) key. I want to share an encrypted snapshot of a DB instance with another AWS account.
You can't use the default AWS KMS encryption key to share a snapshot that's encrypted. For more information about the limitations of sharing DB snapshots, see Sharing encrypted snapshots.
To share an encrypted Amazon RDS DB snapshot, complete the following steps:
- Add the target account to a custom (non-default) KMS key.
- Use the customer managed key to copy the snapshot, and then share the snapshot with the target account.
- Copy the shared DB snapshot from the target account.
Note: You can also follow the steps in the AWSSupport-ShareRDSSnapshot AWS Systems Manager Automation document to share your snapshot. Provide a snapshot to copy and share with the target account. You can also provide the DB instance or DB cluster ID to share with snapshots. Provide an existing KMS Key, or keep it blank to create a new key. For more information, see Add a key policy statement in the local account and Run an automation.
Allow access to the target account on the AWS KMS key of the source account
- Log in to the source account, and then open the AWS KMS console in the same AWS Region as the DB snapshot.
- Choose Customer managed keys from the navigation pane.
- Choose the name of your customer managed key. If you don't have a key, then choose Create key. For more information, see Creating keys.
- From the Key administrators section, Add the AWS Identity and Access Management (IAM) users and roles who can administer the AWS KMS key.
- From the Key users section, Add the IAM users and roles who can use the AWS KMS key (KMS key) to encrypt and decrypt data.
- In the Other AWS accounts section, choose Add another AWS account, and then enter the AWS account number of the target account. For more information, see Allowing users in other accounts to use a KMS key.
Copy and share the snapshot
- Open the Amazon RDS console, and then choose Snapshots from the navigation pane.
- Choose the name of the snapshot that you created, choose Actions, and then choose Copy Snapshot.
- Choose the same AWS Region that your KMS key is in, and then enter a New DB Snapshot Identifier.
- In the Encryption section, choose the KMS key that you created.
- Choose Copy Snapshot.
- Share the copied snapshot with the target account.
Copy the shared DB snapshot
- Log in to the target account, and then open the Amazon RDS console.
- Choose Snapshots from the navigation pane.
- From the Snapshots pane, choose the Shared with Me tab.
- Select the DB snapshot that you shared.
- Choose Actions. Then, choose Copy Snapshot to copy the snapshot into the same AWS Region and with a KMS key from the target account.
After you copy the DB snapshot, you can use the copy to launch the instance.
How can I change the encryption key used by my Amazon RDS DB instances and DB snapshots?
Encrypting Amazon RDS resources
Copying a DB snapshot