Minimal KMS permissions to copy a database snapshot

Question

I am trying to setup minimal permissions for doing `aws rds copy-db-snapshot` with a KMS encryption key:

```
aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share-mysql --target-db-snapshot-identifier rds-backup-share-mysql-reencrypted --kms-key-id 
```

(Everything within <> is stripped out by me and contains valid values.)  
  
Unfortunately I get this error:

```
An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [] does not exist, is not enabled or you do not have permissions to access it.
```

Currently I allow these actions:

```
      "Action": [
        "kms:ReEncrypt*",
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
```

It works if I replace it with "kms:*{code}", so it must be a permission issue.  
  
I tried to figure out the correct permissions with CloudTrail, but it just contains the same unhelpful error message.  
  
So my actual questions:  
  
 - What are the minimal KMS permissions for CopyDBSnapshot?  
 - Is there a generic way to figure out the required permissions? It is always a pain to waste my time by googling the required permissions.

Answer

I figured it out by myself: https://stackoverflow.com/a/45881950/393157  
  
I want to repeat, that this kind of problem is very annoying, time wasting and feels exceedingly unnecessary.

Answer

I found another root cause for this, and another solution:  
  
Just create, then delete, a RDS in the target region!  
  
AWS RDS simply refused to copy a snapshot, no matter what I did to key policies, UNTIL I created a small, automatic RDS. Now any key works "out-of-box", even new ones without any policy change!

Minimal KMS permissions to copy a database snapshot

Relevant content