

# Copying an encrypted DB cluster snapshot by using the Amazon CLI or Amazon RDS API
<a name="USER_CopyDBClusterSnapshot.Encrypted.CrossRegion"></a>

Use the procedures in the following sections to copy an encrypted DB cluster snapshot by using the Amazon Web Services Management Console, Amazon CLI, or Amazon RDS API.

To cancel a copy operation once it is in progress, delete the target DB cluster snapshot identified by `--target-db-cluster-snapshot-identifier` or `TargetDBClusterSnapshotIdentifier` while that DB cluster snapshot is in **copying** status.

## Console
<a name="USER_CopyDBClusterSnapshot.Encrypted.CrossRegion.Console"></a>

To copy a DB cluster snapshot using the Amazon Web Services Management Console, see [Copying a DB cluster snapshot with the Amazon Web Services Management Console](USER_CopyDBClusterSnapshot.CrossRegion.md).

## Amazon CLI
<a name="USER_CopyDBClusterSnapshot.Encrypted.CrossRegion.CLI"></a>

To copy a DB cluster snapshot, use the Amazon CLI [copy-db-cluster-snapshot](https://docs.amazonaws.cn/cli/latest/reference/rds/copy-db-cluster-snapshot.html) command. If you are copying the snapshot to another Amazon Web Services Region, run the command in the Amazon Web Services Region to which the snapshot will be copied. 

The following options are used to copy an encrypted DB cluster snapshot:
+ `--source-db-cluster-snapshot-identifier` – The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another Amazon Web Services Region, this identifier must be in the ARN format for the source Amazon Web Services Region.
+ `--target-db-cluster-snapshot-identifier` – The identifier for the new copy of the encrypted DB cluster snapshot.
+ `--kms-key-id` – The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.

  This option is optional when you copy an encrypted DB cluster snapshot within the same Amazon Web Services Region. Specify it only if you want to encrypt the copy with a new KMS key. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.

  You must use this option if the DB cluster snapshot is encrypted and you are copying the snapshot to another Amazon Web Services Region. In that case, you must specify a KMS key for the destination Amazon Web Services Region.

The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The command is called in the US East (N. Virginia) Region.

**Example**  
For Linux, macOS, or Unix:  

```
aws rds copy-db-cluster-snapshot \
  --source-db-cluster-snapshot-identifier arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115 \
  --target-db-cluster-snapshot-identifier myclustersnapshotcopy \
  --kms-key-id my-us-east-1-key
```
For Windows:  

```
aws rds copy-db-cluster-snapshot ^
  --source-db-cluster-snapshot-identifier arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115 ^
  --target-db-cluster-snapshot-identifier myclustersnapshotcopy ^
  --kms-key-id my-us-east-1-key
```

## RDS API
<a name="USER_CopyDBClusterSnapshot.Encrypted.CrossRegion.API"></a>

To copy a DB cluster snapshot, use the Amazon RDS API [CopyDBClusterSnapshot](https://docs.amazonaws.cn/AmazonRDS/latest/APIReference/API_CopyDBClusterSnapshot.html) operation. If you are copying the snapshot to another Amazon Web Services Region, perform the action in the Amazon Web Services Region to which the snapshot will be copied.

The following parameters are used to copy an encrypted DB cluster snapshot:
+ `SourceDBClusterSnapshotIdentifier` – The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another Amazon Web Services Region, this identifier must be in the ARN format for the source Amazon Web Services Region. 
+ `TargetDBClusterSnapshotIdentifier` – The identifier for the new copy of the encrypted DB cluster snapshot.
+ `KmsKeyId` – The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.

  This parameter is optional when you copy an encrypted DB cluster snapshot within the same Amazon Web Services Region. Specify it only if you want to encrypt the copy with a new KMS key. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.

  You must use this parameter if the DB cluster snapshot is encrypted and you are copying the snapshot to another Amazon Web Services Region. In that case, you must specify a KMS key for the destination Amazon Web Services Region.
+ `PreSignedUrl` – If you are copying the snapshot to another Amazon Web Services Region, you must specify the `PreSignedUrl` parameter. The `PreSignedUrl` value must be a URL that contains a Signature Version 4 signed request for the `CopyDBClusterSnapshot` action to be called in the source Amazon Web Services Region where the DB cluster snapshot is copied from. To learn more about using a presigned URL, see [CopyDBClusterSnapshot](https://docs.amazonaws.cn/AmazonRDS/latest/APIReference/API_CopyDBClusterSnapshot.html). 

The following code example copies the encrypted DB cluster snapshot from the US West (Oregon) Region to the US East (N. Virginia) Region. The action is called in the US East (N. Virginia) Region.

**Example**  

```
https://rds.us-east-1.amazonaws.com/
    ?Action=CopyDBClusterSnapshot
    &KmsKeyId=my-us-east-1-key
    &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F
         %253FAction%253DCopyDBClusterSnapshot
         %2526DestinationRegion%253Dus-east-1
         %2526KmsKeyId%253Dmy-us-east-1-key
         %2526SourceDBClusterSnapshotIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Acluster-snapshot%25253Aaurora-cluster1-snapshot-20161115
         %2526SignatureMethod%253DHmacSHA256
         %2526SignatureVersion%253D4
         %2526Version%253D2014-10-31
         %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256
         %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request
         %2526X-Amz-Date%253D20161117T215409Z
         %2526X-Amz-Expires%253D3600
         %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date
         %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613
    &SignatureMethod=HmacSHA256
    &SignatureVersion=4
    &SourceDBClusterSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-west-2%3A123456789012%3Acluster-snapshot%3Aaurora-cluster1-snapshot-20161115
    &TargetDBClusterSnapshotIdentifier=myclustersnapshotcopy
    &Version=2014-10-31
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=AKIADQKE4SARGYLE/20161117/us-east-1/rds/aws4_request
    &X-Amz-Date=20161117T221704Z
    &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
    &X-Amz-Signature=da4f2da66739d2e722c85fcfd225dc27bba7e2b8dbea8d8612434378e52adccf
```
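
The `PreSignedUrl` value described above is a Signature Version 4 query-signed request whose endpoint and credential scope both name the source Region, while `DestinationRegion` and `KmsKeyId` name the destination. The following Python is an added example, not code from the Amazon documentation; the function name `presign_copy_snapshot`, the placeholder credentials, and the choice to sign only the `host` header are assumptions.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_copy_snapshot(access_key, secret_key, source_region, dest_region,
                          source_arn, kms_key_id, now, expires=3600):
    """Build a PreSignedUrl value: a SigV4 query-signed CopyDBClusterSnapshot
    request addressed to the RDS endpoint of the SOURCE Region."""
    host = f"rds.{source_region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    # The credential scope names the source Region, not the destination.
    scope = f"{amz_date[:8]}/{source_region}/rds/aws4_request"
    params = {
        "Action": "CopyDBClusterSnapshot",
        "Version": "2014-10-31",
        "DestinationRegion": dest_region,
        "KmsKeyId": kms_key_id,  # KMS key in the destination Region
        "SourceDBClusterSnapshotIdentifier": source_arn,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # validity window in seconds
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, RFC 3986 percent-encoding.
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    # Canonical request for GET / with only the host header signed (assumption).
    canonical = "\n".join(["GET", "/", query, f"host:{host}\n", "host",
                           hashlib.sha256(b"").hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], source_region, "rds", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/?{query}&X-Amz-Signature={signature}"


# Constructed inputs: placeholder credentials; identifiers as used on this page.
EXAMPLE_ARGS = ("AKIDEXAMPLE", "EXAMPLE-SECRET-NOT-REAL", "us-west-2", "us-east-1",
                "arn:aws:rds:us-west-2:123456789012:cluster-snapshot:"
                "aurora-cluster1-snapshot-20161115", "my-us-east-1-key")
```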