By using AWS re:Post, you agree to the Terms of Use

Minimal KMS permissions to copy a database snapshot


I am trying to setup minimal permissions for doing aws rds copy-db-snapshot with a KMS encryption key:

aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share-mysql --target-db-snapshot-identifier rds-backup-share-mysql-reencrypted --kms-key-id <kms-arn>

(Everything within <> is stripped out by me and contains valid values.)

Unfortunately I get this error:

An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it.

Currently I allow these actions:

      "Action": [

It works if I replace it with "kms:*{code}", so it must be a permission issue.

I tried to figure out the correct permissions with CloudTrail, but it just contains the same unhelpful error message.

So my actual questions:

  • What are the minimal KMS permissions for CopyDBSnapshot?
  • Is there a generic way to figure out the required permissions? It is always a pain to waste my time by googling the required permissions.
2 Answers

I figured it out by myself:

I want to repeat, that this kind of problem is very annoying, time wasting and feels exceedingly unnecessary.

answered 5 years ago

I found another root cause for this, and another solution:

Just create, then delete, a RDS in the target region!

AWS RDS simply refused to copy a snapshot, no matter what I did to key policies, UNTIL I created a small, automatic RDS. Now any key works "out-of-box", even new ones without any policy change!

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions