Iaac solution for Aurora RDS instances for cross-account clones with AWS managed KMS keys
Customer is usingAurora RDS instances. In order to facilitate testing, customer would like to get access to current replicas of clusters from the production account for our new staging/test environment. Although cross-account clones are possible, customer did not initially consider this when creating them. Consequently, the clones are currently use the AWS managed KMS keys for RDS instead of a client managed key.
The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that be deployed as IasC with Terraform or cloud formation.
Do you have any recommendations?
- Language
- English
asked 2 years ago495 views
- Newest
- Most votes
- Most comments
Hello.
The customer is using this solution https://repost.aws/knowledge-center/aurora-share-encrypted-snapshot but wants a solution that be deployed as IasC with Terraform or cloud formation.
Snapshot sharing cannot be handled by IaC, so I think a mechanism to automate it in another way is necessary.
How about creating a Lambda function that creates a copy using the customer KMS key when a snapshot is created?
If you can create this Lambda, you can use RDS event notifications and EventBridge to execute Lambda via SNS, so you can automate the creation of snapshots.
Once the snapshot copy is complete, I think it would be a good idea to share only the necessary snapshots to another AWS account.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.overview.html
Relevant content
asked 3 years ago
- AWS OFFICIALUpdated 10 months ago
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html#Aurora.Managing.Clone.Cross-Account - can this approach be deployed as Iaac>