Restore Redshift Snapshot to different account

0

We are trying to restore a snapshot of a redshift cluster from one account into a new account. Accounts are unlinked. Snapshot process and copy works fine. When we try to restore the snapshot on the new account it is requiring access to to the Redshift KMS key from the source account.

The source cluster for this snapshot is encrypted. When you restore, the target database will be encrypted as well. You can't unencrypt the data as part of the restore operation. After you restore, you can change encryption settings.

Here it is prompting for access to the source key. I am not sure how, or if it is possible to give the new/destination account or my user access to the key from the old source account. The source Redshift cluster uses a AWS managed aws/redshift key from the source account. We want to bring the whole snapshot, redshift users and all, not just the data.

3 Answers
0
Accepted Answer

You can't use built-on KMS key for Redshift on another account.

answered 9 months ago
0

Thank you Anusha. Since the source key is an AWS managed key, is it still possible to do what you described? I can edit the key policy for customer managed keys but don't appear to have the same option to edit key policy for AWS managed keys. It could be my access level but maybe the key policy can't be edited for AWS managed keys?

answered a year ago
  • Key policy on AWS managed keys cannot be updated. However, you can change they KMS key during restore process. Under Additional configurations, provide the key you want to use for Choose an AWS KMS key. This can be the AWS managed redshift key from the account.

    Please note that restore process takes longer when the key is changed during restore process.

0

In the source account, provide access on the KMS Key used for encryption to the target account. In order to do it, you can follow the steps below:

  1. In AWS Management console of the source account, navigate to KMS
  2. Click on the KMS key that was used to encrypt the cluster
  3. Click on the Edit button in the Key Policy tab
  4. Update the Key policy to add the principal for destination account as shown in the sample policy below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{SourceAccountID}:root",
                    "arn:aws:iam::{DestinationAccountID}:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Once you provide access on KMS key to destination account's principal, re-try snapshot restore.

If you are using an AWS managed, Key policy cannot be updated. In such case, you can change they KMS key during restore process. In the restore screen, under Additional configurations, provide the key you want to use for Choose an AWS KMS key. This can be the AWS managed redshift key from the target account.

Please note that restore process takes longer when the key is changed during restore process.

The restore process moves users, groups along with data.

AWS
answered a year ago
  • On more research we found that we can't share or edit the policy of an AWS managed key. We were able to unecrypt and re-encrypt a test cluster to a customer managed key but we do not want the state of the production cluster to ever be unencrypted - even during this process. We tried changing they aws key to our key directly in the console but got the error below. InvalidParameterValue You can't transform a cluster with KMS encryption type to KMS encryption type.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions