Restore Redshift Snapshot to different account

Question

We are trying to restore a snapshot of a redshift cluster from one account into a new account. Accounts are unlinked.  Snapshot process and copy works fine.  When we try to restore the snapshot on the new account it is requiring access to to the Redshift KMS key from the source account.

*The source cluster for this snapshot is encrypted. When you restore, the target database will be encrypted as well. You can't unencrypt the data as part of the restore operation. After you restore, you can change encryption settings.*

Here it is prompting for access to the source key.   I am not sure how, or if it is possible to  give the new/destination account or my user access to the key from the old source account.    The source Redshift cluster uses a AWS managed  aws/redshift key from the source account.   We want to bring the whole snapshot, redshift users and all, not just the data.

rePost-User-1579460 · Accepted Answer

You can't use built-on KMS key for Redshift on another account.

Anusha_C · Answer

In the source account, provide access on the KMS Key used for encryption to the target account.
In order to do it, you can follow the steps below:
1. In AWS Management console of the source account, navigate to [KMS](https://us-east-1.console.aws.amazon.com/kms)
2. Click on the KMS key that was used to encrypt the cluster
3. Click on the **Edit** button in the **Key Policy** tab
4. Update the Key policy to add the principal for destination account  as shown in the sample policy below

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{SourceAccountID}:root",
                    "arn:aws:iam::{DestinationAccountID}:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
```
Once you provide access on KMS key to destination account's principal, re-try snapshot restore.

If you are using an AWS managed, Key policy cannot be updated. In such case, you can change they KMS key during restore process. In the restore screen, under **Additional configurations**, provide the key you want to use for **Choose an AWS KMS key**. This can be the AWS managed redshift key from the target account.

Please note that restore process takes longer when the key is changed during restore process.

The restore process moves users, groups along with data.

rePost-User-1579460 · Answer

Thank you Anusha.  Since the source key is an AWS managed key, is it still possible to do what you described?  I can edit the key policy for customer managed keys but don't appear to have the same option to edit key policy for AWS managed keys.   It could be my access level but maybe the key policy can't be edited for AWS managed keys?

Restore Redshift Snapshot to different account

Relevant content