Sharing a DB cluster snapshot
Using Amazon RDS, you can share a manual DB cluster snapshot in the following ways:
- Sharing a manual DB cluster snapshot, whether encrypted or unencrypted, enables authorized Amazon accounts to copy the snapshot.
- Sharing a manual DB cluster snapshot, whether encrypted or unencrypted, enables authorized Amazon accounts to directly restore a DB cluster from the snapshot instead of taking a copy of it and restoring from that.
To share an automated DB cluster snapshot, create a manual DB cluster snapshot by copying the automated snapshot, and then share that copy. This process also applies to Amazon Backup–generated resources.
For more information on copying a snapshot, see Copying a DB cluster snapshot. For more information on restoring a DB instance from a DB cluster snapshot, see Restoring from a DB cluster snapshot.
For more information on restoring a DB cluster from a DB cluster snapshot, see Overview of backing up and restoring an Aurora DB cluster.
You can share a manual snapshot with up to 20 other Amazon accounts.
The following limitation applies when sharing manual snapshots with other Amazon accounts:
- When you restore a DB cluster from a shared snapshot using the Amazon Command Line Interface (Amazon CLI) or Amazon RDS API, you must specify the Amazon Resource Name (ARN) of the shared snapshot as the snapshot identifier.
Sharing public snapshots
You can also share an unencrypted manual snapshot as public, which makes the snapshot available to all Amazon accounts. Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot.
When a snapshot is shared publicly, it gives all Amazon accounts permission both to copy the snapshot and to create DB clusters from it.
You aren't billed for the backup storage of public snapshots owned by other accounts. You're billed only for snapshots that you own.
If you copy a public snapshot, you own the copy. You're billed for the backup storage of your snapshot copy. If you create a DB cluster from a public snapshot, you're billed for that DB cluster. For Amazon Aurora pricing information, see the Aurora pricing page.
You can delete only the public snapshots that you own. To delete a shared or public snapshot, make sure to log into the Amazon account that owns the snapshot.
Viewing public snapshots owned by other Amazon accounts
You can view public snapshots owned by other accounts in a particular Amazon Region on the Public tab of the Snapshots page in the Amazon RDS console. Your snapshots (those owned by your account) don't appear on this tab.
To view public snapshots
1. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.
2. In the navigation pane, choose Snapshots.
3. Choose the Public tab.
   The public snapshots appear. You can see which account owns a public snapshot in the Owner column.
   Note: You might have to modify the page preferences, by selecting the gear icon at the upper right of the Public snapshots list, to see this column.
Viewing your own public snapshots
You can use the following Amazon CLI command (Unix only) to view the public snapshots owned by your Amazon account in a particular Amazon Region. Replace account_number with your 12-digit Amazon account ID.
aws rds describe-db-cluster-snapshots --snapshot-type public --include-public | grep account_number
The output returned is similar to the following example if you have public snapshots.
"DBClusterSnapshotArn": "arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:myclustersnapshot1",
"DBClusterSnapshotArn": "arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:myclustersnapshot2",
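The grep above only tells you that a public snapshot carries your account ID. The following added example (not part of the documentation) goes one step further and audits the restore attribute of every snapshot you own, flagging those that are public or shared with accounts outside an approved list. The sample data is constructed; its shape follows the JSON returned by describe-db-cluster-snapshots and the restore attribute of describe-db-cluster-snapshot-attributes.

```python
# Constructed sample: shape follows `describe-db-cluster-snapshots` output.
SNAPSHOTS = {"DBClusterSnapshots": [
    {"DBClusterSnapshotIdentifier": "myclustersnapshot1",
     "DBClusterSnapshotArn": "arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:myclustersnapshot1",
     "SnapshotType": "manual", "StorageEncrypted": False},
    {"DBClusterSnapshotIdentifier": "payroll-2024",
     "DBClusterSnapshotArn": "arn:aws-cn:rds:us-west-2:123456789012:cluster-snapshot:payroll-2024",
     "SnapshotType": "manual", "StorageEncrypted": True},
    {"DBClusterSnapshotIdentifier": "vendor-demo",
     "DBClusterSnapshotArn": "arn:aws-cn:rds:us-west-2:999999999999:cluster-snapshot:vendor-demo",
     "SnapshotType": "manual", "StorageEncrypted": False},
]}
# Constructed AttributeValues of the "restore" attribute, keyed by snapshot identifier
# (what `describe-db-cluster-snapshot-attributes` reports per snapshot).
RESTORE_ATTRS = {
    "myclustersnapshot1": ["all"],                      # public
    "payroll-2024": ["111122223333", "444455556666"],   # shared privately
    "vendor-demo": ["all"],                             # public, but owned by someone else
}

def account_from_arn(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    return arn.split(":")[4]

def audit_snapshot_sharing(snapshots, restore_attrs, own_account, approved_accounts):
    """Return (snapshot_id, finding) pairs for snapshots owned by own_account that are
    public ("all" in the restore attribute) or shared with unapproved accounts."""
    findings = []
    for snap in snapshots["DBClusterSnapshots"]:
        if account_from_arn(snap["DBClusterSnapshotArn"]) != own_account:
            continue  # another account's snapshot: not billed to us and we can't delete it
        sid = snap["DBClusterSnapshotIdentifier"]
        values = set(restore_attrs.get(sid, []))
        if "all" in values:
            findings.append((sid, "PUBLIC"))
        for acct in sorted(values - {"all"} - set(approved_accounts)):
            findings.append((sid, f"SHARED_WITH_UNAPPROVED:{acct}"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_snapshot_sharing(SNAPSHOTS, RESTORE_ATTRS,
                                               "123456789012", {"111122223333"}):
        print(sid, finding)
```

Against live data, feed the function the parsed output of the two CLI commands (or the equivalent boto3 responses) instead of the constructed dictionaries.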
Sharing encrypted snapshots
You can share DB cluster snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in Encrypting Amazon Aurora resources. To do this, take the following steps:
1. Share the Amazon KMS key that was used to encrypt the snapshot with any accounts that you want to be able to access the snapshot.
   You can share KMS keys with another Amazon account by adding the other account to the KMS key policy. For details on updating a key policy, see Key policies in the Amazon KMS Developer Guide. For an example of creating a key policy, see Allowing access to an Amazon KMS key later in this topic.
2. Use the Amazon Web Services Management Console, Amazon CLI, or Amazon RDS API to share the encrypted snapshot with the other accounts.
These restrictions apply to sharing encrypted snapshots:
- You can't share encrypted snapshots as public.
- You can't share a snapshot that has been encrypted using the default KMS key of the Amazon account that shared the snapshot.
Allowing access to an Amazon KMS key
For another Amazon account to copy an encrypted DB cluster snapshot shared from your account, the account that you share your snapshot with must have access to the Amazon KMS key that encrypted the snapshot.
To allow another Amazon account access to a KMS key, update the key policy for the KMS key: add the Amazon Resource Name (ARN) of the Amazon account that you are sharing with as a Principal in the KMS key policy, and allow the kms:CreateGrant action.
After you have given an Amazon account access to your KMS key, that account must create an Amazon Identity and Access Management (IAM) role or user, if it doesn't already have one, in order to copy your encrypted snapshot. In addition, that account must attach an IAM policy to that role or user that allows it to copy an encrypted DB cluster snapshot using your KMS key. The principal that copies the snapshot must be an IAM user or role; it cannot be the root identity of the Amazon account, due to Amazon KMS security restrictions.
In the following key policy example, user 111122223333 is the owner of the KMS key, and user 444455556666 is the account that the key is being shared with. This updated key policy gives the Amazon account access to the KMS key by including the ARN for the root Amazon account identity for user 444455556666 as a Principal for the policy, and by allowing the kms:CreateGrant action.
{
  "Id": "key-policy-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws-cn:iam::111122223333:user/KeyUser",
          "arn:aws-cn:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws-cn:iam::111122223333:user/KeyUser",
          "arn:aws-cn:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
Creating an IAM policy to enable copying of the encrypted snapshot
Once the external Amazon account has access to your KMS key, the owner of that Amazon account can create a policy that allows a user created for that account to copy a snapshot encrypted with that KMS key.
The following example shows a policy that can be attached to a user for Amazon account 444455556666 that enables the user to copy a shared snapshot from Amazon account 111122223333 that has been encrypted with the KMS key c989c1dd-a3f2-4a5d-8d96-e793d082ab26 in the us-west-2 region.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:RetireGrant"
      ],
      "Resource": [
        "arn:aws-cn:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"
      ]
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws-cn:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
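Before sharing an encrypted snapshot it is worth verifying, rather than eyeballing, that the key policy actually names the receiving account's root principal with the actions it needs, and that nobody has widened the Principal to "*" along the way. The following added example (not part of the documentation) does that check; KEY_POLICY is constructed from the key policy shown earlier in this topic, and REQUIRED_ACTIONS is an assumption about the minimum the external account needs to copy the snapshot through its grant.

```python
from fnmatch import fnmatch

# Constructed from the key policy example above (the page's placeholder account IDs).
KEY_POLICY = {
    "Id": "key-policy-1", "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws-cn:iam::111122223333:user/KeyUser",
                              "arn:aws-cn:iam::444455556666:root"]},
        "Action": ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*"}],
}
# Assumed minimum for an external account to copy the encrypted snapshot via a grant.
REQUIRED_ACTIONS = ("kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Principals named by a statement: ["*"] for everyone, else the AWS ARNs."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def allowed_actions_for(policy, principal_arn):
    """Union of actions (wildcards kept) that Allow statements grant to principal_arn."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        names = _principals(stmt)
        if principal_arn in names or "*" in names:
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def check_key_sharing(policy, shared_account, partition="aws-cn"):
    """Report which required actions the shared account's root principal lacks and
    whether any Allow statement is open to every principal ("*")."""
    root_arn = f"arn:{partition}:iam::{shared_account}:root"
    granted = allowed_actions_for(policy, root_arn)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch(a, pattern) for pattern in granted)]
    open_to_all = any(stmt.get("Effect") == "Allow" and "*" in _principals(stmt)
                      for stmt in policy["Statement"])
    return {"missing": missing, "open_to_all_principals": open_to_all}
```

Run it against the output of aws kms get-key-policy (parsed with json.loads) before and after editing the policy; an empty missing list with open_to_all_principals false is the state you want.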
For details on updating a key policy, see Key policies in the Amazon KMS Developer Guide.
Sharing a snapshot
You can share a DB cluster snapshot using the Amazon Web Services Management Console, the Amazon CLI, or the RDS API.
Using the Amazon RDS console, you can share a manual DB cluster snapshot with up to 20 Amazon accounts. You can also use the console to stop sharing a manual snapshot with one or more accounts.
To share a manual DB cluster snapshot by using the Amazon RDS console
1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
2. In the navigation pane, choose Snapshots.
3. Select the manual snapshot that you want to share.
4. For Actions, choose Share snapshot.
5. Choose one of the following options for DB snapshot visibility.
   - If the source is unencrypted, choose Public to permit all Amazon accounts to restore a DB cluster from your manual DB cluster snapshot, or choose Private to permit only Amazon accounts that you specify to restore a DB cluster from your manual DB cluster snapshot.
     Warning: If you set DB snapshot visibility to Public, all Amazon accounts can restore a DB cluster from your manual DB cluster snapshot and have access to your data. Do not share any manual DB cluster snapshots that contain private information as Public.
   - If the source is encrypted, DB snapshot visibility is set as Private because encrypted snapshots can't be shared as public.
6. For Amazon Account ID, type the Amazon account identifier for an account that you want to permit to restore a DB cluster from your manual snapshot, and then choose Add. Repeat to include additional Amazon account identifiers, up to 20 Amazon accounts.
   If you make an error when adding an Amazon account identifier to the list of permitted accounts, you can delete it from the list by choosing Delete at the right of the incorrect Amazon account identifier.
7. After you have added identifiers for all of the Amazon accounts that you want to permit to restore the manual snapshot, choose Save to save your changes.
To stop sharing a manual DB cluster snapshot with an Amazon account
1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
2. In the navigation pane, choose Snapshots.
3. Select the manual snapshot that you want to stop sharing.
4. Choose Actions, and then choose Share snapshot.
5. To remove permission for an Amazon account, choose Delete for the Amazon account identifier for that account from the list of authorized accounts.
6. Choose Save to save your changes.
To share a DB cluster snapshot, use the aws rds modify-db-cluster-snapshot-attribute command. Use the --values-to-add parameter to add a list of the IDs for the Amazon accounts that are authorized to restore the manual snapshot.
Example of sharing a snapshot with a single account
The following example enables Amazon account identifier 123456789012 to restore the DB cluster snapshot named cluster-3-snapshot.
For Linux, macOS, or Unix:
aws rds modify-db-cluster-snapshot-attribute \
    --db-cluster-snapshot-identifier cluster-3-snapshot \
    --attribute-name restore \
    --values-to-add 123456789012
For Windows:
aws rds modify-db-cluster-snapshot-attribute ^
    --db-cluster-snapshot-identifier cluster-3-snapshot ^
    --attribute-name restore ^
    --values-to-add 123456789012
Example of sharing a snapshot with multiple accounts
The following example enables two Amazon account identifiers, 111122223333 and 444455556666, to restore the DB cluster snapshot named manual-cluster-snapshot1.
For Linux, macOS, or Unix:
aws rds modify-db-cluster-snapshot-attribute \
    --db-cluster-snapshot-identifier manual-cluster-snapshot1 \
    --attribute-name restore \
    --values-to-add '["111122223333","444455556666"]'
For Windows:
aws rds modify-db-cluster-snapshot-attribute ^
    --db-cluster-snapshot-identifier manual-cluster-snapshot1 ^
    --attribute-name restore ^
    --values-to-add "[\"111122223333\",\"444455556666\"]"
When using the Windows command prompt, you must escape double quotes (") in JSON code by prefixing them with a backslash (\).
To remove an Amazon account identifier from the list, use the --values-to-remove parameter.
Example of stopping snapshot sharing
The following example prevents Amazon account ID 444455556666 from restoring the snapshot.
For Linux, macOS, or Unix:
aws rds modify-db-cluster-snapshot-attribute \
    --db-cluster-snapshot-identifier manual-cluster-snapshot1 \
    --attribute-name restore \
    --values-to-remove 444455556666
For Windows:
aws rds modify-db-cluster-snapshot-attribute ^
    --db-cluster-snapshot-identifier manual-cluster-snapshot1 ^
    --attribute-name restore ^
    --values-to-remove 444455556666
To list the Amazon accounts enabled to restore a snapshot, use the describe-db-cluster-snapshot-attributes Amazon CLI command.
You can also share a manual DB cluster snapshot with other Amazon accounts by using the Amazon RDS API. To do so, call the ModifyDBClusterSnapshotAttribute operation. Specify restore for AttributeName, and use the ValuesToAdd parameter to add a list of the IDs for the Amazon accounts that are authorized to restore the manual snapshot.
To make a manual snapshot public and restorable by all Amazon accounts, use the value all. However, take care not to add the all value for any manual snapshots that contain private information that you don't want to be available to all Amazon accounts. Also, don't specify all for encrypted snapshots, because making such snapshots public isn't supported.
To remove sharing permission for an Amazon account, use the ModifyDBClusterSnapshotAttribute operation with AttributeName set to restore and the ValuesToRemove parameter. To mark a manual snapshot as private, remove the value all from the values list for the restore attribute.
To list all of the Amazon accounts permitted to restore a snapshot, use the DescribeDBClusterSnapshotAttributes API operation.
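The API accepts whatever you put in ValuesToAdd, so the constraints this topic describes (at most 20 accounts, no public sharing of encrypted snapshots, all only as a deliberate choice) are yours to enforce before the call. The following added example (not part of the documentation or any SDK) builds a validated parameter set for ModifyDBClusterSnapshotAttribute; the account IDs it uses are constructed, and the boto3 call it mentions is left as a comment.

```python
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")   # Amazon account IDs are 12 digits
MAX_SHARED_ACCOUNTS = 20               # limit stated in this topic

def build_share_request(snapshot_id, storage_encrypted, current_values, accounts,
                        make_public=False):
    """Return kwargs for modify_db_cluster_snapshot_attribute (restore attribute).
    current_values is the snapshot's existing AttributeValues list for 'restore'."""
    if make_public and storage_encrypted:
        raise ValueError("encrypted snapshots can't be shared as public")
    if "all" in accounts:
        raise ValueError("pass make_public=True instead of listing 'all' as an account")
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    already = {v for v in current_values if v != "all"}
    new = [a for a in accounts if a not in already]
    if len(already | set(new)) > MAX_SHARED_ACCOUNTS:
        raise ValueError(f"sharing would exceed {MAX_SHARED_ACCOUNTS} accounts")
    values = new + (["all"] if make_public else [])
    if not values:
        raise ValueError("nothing new to add")
    return {"DBClusterSnapshotIdentifier": snapshot_id,
            "AttributeName": "restore",
            "ValuesToAdd": values}

def build_unshare_request(snapshot_id, accounts, make_private=False):
    """Return kwargs that revoke restore permission from accounts and, if requested,
    remove the public 'all' value so the snapshot becomes private again."""
    return {"DBClusterSnapshotIdentifier": snapshot_id,
            "AttributeName": "restore",
            "ValuesToRemove": list(accounts) + (["all"] if make_private else [])}

if __name__ == "__main__":
    params = build_share_request("manual-cluster-snapshot1", False, [],
                                 ["111122223333", "444455556666"])
    print(params)
    # With boto3 installed: boto3.client("rds").modify_db_cluster_snapshot_attribute(**params)
```

Obtain storage_encrypted and current_values from DescribeDBClusterSnapshots and DescribeDBClusterSnapshotAttributes respectively, so the guard reasons about the snapshot's real state rather than a remembered one.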