Encrypted Amazon RDS DB snapshots shared with another account can't be restored without first copying it locally in the shared account.

2

Hey there, I'm looking for a way to share an encrypted RDS snapshot and restore it from the shared tab in the shared account. More information: today we have encrypted snapshots in our main account, and we created a shared KMS key to share the snapshots between accounts. The process is working, and we can see the shared snapshot in the shared account, but the restore option is disabled. The snapshot is a big one, over 3TB. Copying it locally is not an option. Could someone please help me and tell me why AWS is not letting us restore the encrypted shared snapshot directly without copying it?

asked 2 years ago · 2.7K views
3 Answers
2

Just a heads up for anyone who is battling this issue. AWS seems to be inconsistent on this.

It used to work for me, then it stopped.

I have been restoring shared snapshots directly to an RDS instance for weeks, without having to create an intermediary snapshot copy within the destination account. However, yesterday this behavior changed suddenly. Now I get the error message "Restoring db instance from cross account storage encrypted snapshot is not supported". CloudTrail logs show nothing has changed in my environment or the API call being invoked.

This error seems to be very rare; there are literally 2 results on Google with this error message. This makes me think that AWS often supports this behavior, but not always. Perhaps restoring directly from cross-account shared snapshots was not purposefully designed, so they say it isn't supported even though it sometimes works.

Two log entries that prove the inconsistent behavior of this functionality:

Here is a snippet of a CloudTrail log entry showing a snapshot ARN from <SourceAccountNumber> being restored to <DestinationAccountNumber>, working on 2024-06-26:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "<redacted>",
        "arn": "arn:aws:iam::<DestinationAccountNumber>:user/RedactedUserAccount",
        "accountId": "<DestinationAccountNumber>",
        "accessKeyId": "<redacted>",
        "userName": "RedactedUserAccount"
    },
    "eventTime": "2024-06-26T00:33:03Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<redacted>",
    "userAgent": "<redacted>",
    "requestParameters": {
        "dBSnapshotIdentifier": "arn:aws:rds:us-east-1:<SourceAccountNumber>:snapshot:<SharedSnapshotName>",
        "engine": "mysql",
        "dBSubnetGroupName": "<subnet_group_name>",
        "dBInstanceClass": "db.m6gd.xlarge",
        "dBInstanceIdentifier": "<DestinationInstanceName>",
        "vpcSecurityGroupIds": [
            "sg-<sg_id>"
        ],
        "multiAZ": true
    }
...

And here is that exact same process (performed by automation) attempted the next day, when it failed on 2024-06-27:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "<Redacted>",
        "arn": "arn:aws:iam::<DestinationAccountNumber>:user/RedactedUserAccount",
        "accountId": "<DestinationAccountNumber>",
        "accessKeyId": "<Redacted>",
        "userName": "RedactedUserAccount"
    },
    "eventTime": "2024-06-27T03:08:12Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<redacted>",
    "userAgent": "<redacted>",
    "errorCode": "InvalidParameterValueException",
    "errorMessage": "Restoring db instance from cross account storage encrypted snapshot is not supported.",
    "requestParameters": {
        "dBSnapshotIdentifier": "arn:aws:rds:us-east-1:<SourceAccountNumber>:snapshot:<SharedSnapshotName>",
        "engine": "mysql",
        "dBSubnetGroupName": "<subnet_group_name>",
        "dBInstanceClass": "db.m6gd.xlarge",
        "dBInstanceIdentifier": "<DestinationInstanceName>",
        "vpcSecurityGroupIds": [
            "sg-<sg_id>"
        ],
        "multiAZ": true
    },
    "responseElements": null,
    "requestID": "<redacted uuid>",
    "eventID": "<redacted uuid>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<DestinationAccountNumber>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "rds.us-east-1.amazonaws.com"
    }
}

Currently, it does work for AWS support.

As they work through my open case, an AWS support engineer reports that in his test environment he is able to restore RDS instances directly from cross-account shared snapshots, despite what this page says. They are still researching to see why this function stopped working on my account, or why it does work for theirs. Either way, it seems to be unreliable.

answered a year ago
  • I just got this error too. No idea yet if it's intermittent for me too as it's my first attempt to restore from a shared snapshot.

    But it seems to defeat the purpose of sharing snapshots if you can't restore from them.

    Makes no sense.
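To tell at a glance which restore attempts in a CloudTrail export hit the cross-account error quoted above, here is an added Python example (not from the answer or from AWS) that classifies RestoreDBInstanceFromDBSnapshot events by whether the snapshot ARN belongs to a different account than the caller and by outcome. The sample records are constructed to mirror the two entries above; the account IDs and snapshot names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# RDS DB instance snapshot ARN: arn:aws:rds:<region>:<account-id>:snapshot:<name>
SNAPSHOT_ARN = re.compile(r"^arn:aws:rds:([a-z0-9-]+):(\d{12}):snapshot:(.+)$")
# Error text from the failing CloudTrail entry above, matched case-insensitively.
CROSS_ACCOUNT_ERROR = "cross account storage encrypted snapshot is not supported"
@dataclass
class RestoreFinding:
    event_time: str
    caller_account: str
    snapshot_account: Optional[str]  # None when a bare (same-account) identifier was used
    cross_account: bool
    outcome: str  # "succeeded", "failed:cross_account_encrypted" or "failed:other"

def classify_restore_event(event: dict) -> Optional[RestoreFinding]:
    if (event.get("eventSource"), event.get("eventName")) != ("rds.amazonaws.com", "RestoreDBInstanceFromDBSnapshot"):
        return None
    caller = event["userIdentity"]["accountId"]
    match = SNAPSHOT_ARN.match(event.get("requestParameters", {}).get("dBSnapshotIdentifier", ""))
    snapshot_account = match.group(2) if match else None
    error = event.get("errorMessage", "").lower()
    outcome = ("succeeded" if "errorCode" not in event
               else "failed:cross_account_encrypted" if CROSS_ACCOUNT_ERROR in error else "failed:other")
    cross = snapshot_account is not None and snapshot_account != caller
    return RestoreFinding(event["eventTime"], caller, snapshot_account, cross, outcome)

def summarize(events: List[dict]) -> dict:
    # Count cross-account restore attempts by outcome, e.g. to show support how often the direct restore flips.
    counts: dict = {}
    for finding in filter(None, map(classify_restore_event, events)):
        if finding.cross_account:
            counts[finding.outcome] = counts.get(finding.outcome, 0) + 1
    return counts

# Constructed sample records modelled on the two entries quoted above; account IDs and names are placeholders.
def _restore_event(time: str, caller: str, snapshot: str, error: Optional[str] = None) -> dict:
    event = {"eventTime": time, "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromDBSnapshot",
             "userIdentity": {"type": "IAMUser", "accountId": caller},
             "requestParameters": {"dBSnapshotIdentifier": snapshot, "engine": "mysql"}}
    if error:
        event.update(errorCode="InvalidParameterValueException", errorMessage=error)
    return event
SHARED = "arn:aws:rds:us-east-1:111111111111:snapshot:shared-snapshot"
SAMPLE_EVENTS = [
    _restore_event("2024-06-26T00:33:03Z", "222222222222", SHARED),
    _restore_event("2024-06-27T03:08:12Z", "222222222222", SHARED,
                   "Restoring db instance from cross account storage encrypted snapshot is not supported."),
    _restore_event("2024-06-27T04:00:00Z", "222222222222", "local-copy-of-shared-snapshot"),  # after local copy
]
```

Running `summarize` over a real CloudTrail export (the `Records` list of each log file) gives the per-outcome counts for cross-account restores only; same-account restores from a local copy are ignored.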

0
Accepted Answer

You have to copy the snapshot to the new account before you can restore it.

But yeah, snapshots need to be encrypted with a KMS key. The KMS key needs to be accessible by the account where you are looking to restore the snapshot.

EXPERT
answered 2 years ago
EXPERT
reviewed 8 months ago
  • Why can't I restore the snapshot from the shared tab (in the account I want to restore to)? I don't want to copy it, because the snapshot is more than 3TB.

  • You can always delete the snapshot after you have restored it.

  • Afraid that's just the way the process works. You copy the snapshot into your own RDS snapshot area, then restore from there.

0

Tested on Feb-2025:

  • Encrypted Amazon RDS DB Cluster snapshots shared with another account can be restored without first copying them locally in the shared account.
  • Encrypted Amazon RDS DB Instance snapshots shared with another account can't be restored without first copying them locally in the shared account anymore; previously it worked fine.
EXPERT
answered 3 months ago
