Sharing a snapshot Sharing public snapshots Sharing encrypted snapshots Stopping snapshot sharing

Sharing a DB snapshot

Using Amazon RDS, you can share a manual DB snapshot in the following ways:

Sharing a manual DB snapshot, whether encrypted or unencrypted, enables authorized Amazon Web Services accounts to copy the snapshot.
Sharing an unencrypted manual DB snapshot enables authorized Amazon Web Services accounts to directly restore a DB instance from the snapshot instead of taking a copy of it and restoring from that. However, you can't restore a DB instance from a DB snapshot that is both shared and encrypted. Instead, you can make a copy of the DB snapshot and restore the DB instance from the copy.

Note

To share an automated DB snapshot, create a manual DB snapshot by copying the automated snapshot, and then share that copy. This process also applies to Amazon Backup–generated resources.

For more information on copying a snapshot, see Copying a DB snapshot. For more information on restoring a DB instance from a DB snapshot, see Restoring from a DB snapshot.

You can share a manual snapshot with up to 20 other Amazon Web Services accounts.

The following limitations apply when sharing manual snapshots with other Amazon Web Services accounts:

When you restore a DB instance from a shared snapshot using the Amazon Command Line Interface (Amazon CLI) or Amazon RDS API, you must specify the Amazon Resource Name (ARN) of the shared snapshot as the snapshot identifier.

You can't share a DB snapshot that uses an option group with permanent or persistent options, except for Oracle DB instances that have the Timezone or OLS option (or both).

A permanent option can't be removed from an option group. Option groups with persistent options can't be removed from a DB instance once the option group has been assigned to the DB instance.

The following table lists permanent and persistent options and their related DB engines.

Option name	Persistent	Permanent	DB engine
TDE	Yes	No	Microsoft SQL Server Enterprise Edition
TDE	Yes	Yes	Oracle Enterprise Edition
Timezone	Yes	Yes	Oracle Enterprise Edition Oracle Standard Edition Oracle Standard Edition One Oracle Standard Edition 2

Option name

Persistent

Permanent

DB engine

TDE

Yes

Microsoft SQL Server Enterprise Edition

TDE

Yes

Oracle Enterprise Edition

Timezone

Yes

Oracle Enterprise Edition

Oracle Standard Edition

Oracle Standard Edition One

Oracle Standard Edition 2

For Oracle DB instances, you can copy shared DB snapshots that have the Timezone or OLS option (or both). To do so, specify a target option group that includes these options when you copy the DB snapshot. The OLS option is permanent and persistent only for Oracle DB instances running Oracle version 12.2 or higher. For more information about these options, see Oracle time zone and Oracle Label Security.

You can't share a snapshot of a Multi-AZ DB cluster.

You can share a DB snapshot using the Amazon Web Services Management Console, the Amazon CLI, or the RDS API.

Using the Amazon RDS console, you can share a manual DB snapshot with up to 20 Amazon Web Services accounts. You can also use the console to stop sharing a manual snapshot with one or more accounts.

To share a manual DB snapshot by using the Amazon RDS console

Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
In the navigation pane, choose Snapshots.
Select the manual snapshot that you want to share.
For Actions, choose Share snapshot.
Choose one of the following options for DB snapshot visibility.
- If the source is unencrypted, choose Public to permit all Amazon accounts to restore a DB instance from your manual DB snapshot, or choose Private to permit only Amazon Web Services accounts that you specify to restore a DB instance from your manual DB snapshot.
  
  Warning
  If you set DB snapshot visibility to Public, all Amazon Web Services accounts can restore a DB instance from your manual DB snapshot and have access to your data. Do not share any manual DB snapshots that contain private information as Public.
  For more information, see Sharing public snapshots.
- If the source is encrypted, DB snapshot visibility is set as Private because encrypted snapshots can't be shared as public.
  
  Note
  Snapshots that have been encrypted with the default Amazon KMS key can't be shared. For information on how to work around this issue, see Sharing encrypted snapshots.
For Amazon Account ID, enter the Amazon Web Services account identifier for an account that you want to permit to restore a DB instance from your manual snapshot, and then choose Add. Repeat to include additional Amazon Web Services account identifiers, up to 20 Amazon Web Services accounts.

If you make an error when adding an Amazon Web Services account identifier to the list of permitted accounts, you can delete it from the list by choosing Delete at the right of the incorrect Amazon Web Services account identifier.
After you have added identifiers for all of the Amazon Web Services accounts that you want to permit to restore the manual snapshot, choose Save to save your changes.

To share a DB snapshot, use the aws rds modify-db-snapshot-attribute command. Use the --values-to-add parameter to add a list of the IDs for the Amazon Web Services accounts that are authorized to restore the manual snapshot.

Example of sharing a snapshot with a single account

The following example enables Amazon Web Services account identifier 123456789012 to restore the DB snapshot named db7-snapshot.

For Linux, macOS, or Unix:


aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier db7-snapshot \
--attribute-name restore \
--values-to-add 123456789012

For Windows:


aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier db7-snapshot ^
--attribute-name restore ^
--values-to-add 123456789012

Example of sharing a snapshot with multiple accounts

The following example enables two Amazon Web Services account identifiers, 111122223333 and 444455556666, to restore the DB snapshot named manual-snapshot1.

For Linux, macOS, or Unix:


aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-add {"111122223333","444455556666"}

For Windows:


aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-add "[\"111122223333\",\"444455556666\"]"

Note

When using the Windows command prompt, you must escape double quotes (") in JSON code by prefixing them with a backslash (\).

To list the Amazon Web Services accounts enabled to restore a snapshot, use the describe-db-snapshot-attributes Amazon CLI command.

You can also share a manual DB snapshot with other Amazon Web Services accounts by using the Amazon RDS API. To do so, call the ModifyDBSnapshotAttribute operation. Specify restore for AttributeName, and use the ValuesToAdd parameter to add a list of the IDs for the Amazon Web Services accounts that are authorized to restore the manual snapshot.

To make a manual snapshot public and restorable by all Amazon Web Services accounts, use the value all. However, take care not to add the all value for any manual snapshots that contain private information that you don't want to be available to all Amazon Web Services accounts. Also, don't specify all for encrypted snapshots, because making such snapshots public isn't supported.

To list all of the Amazon Web Services accounts permitted to restore a snapshot, use the DescribeDBSnapshotAttributes API operation.

Sharing public snapshots

You can also share an unencrypted manual snapshot as public, which makes the snapshot available to all Amazon Web Services accounts. Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot.

When a snapshot is shared publicly, it gives all Amazon Web Services accounts permission both to copy the snapshot and to create DB instances from it.

You aren't billed for the backup storage of public snapshots owned by other accounts. You're billed only for snapshots that you own.

If you copy a public snapshot, you own the copy. You're billed for the backup storage of your snapshot copy. If you create a DB instance from a public snapshot, you're billed for that DB instance. For Amazon RDS pricing information, see the Amazon RDS product page.

You can delete only the public snapshots that you own. To delete a shared or public snapshot, make sure to log into the Amazon Web Services account that owns the snapshot.

Viewing public snapshots owned by other Amazon Web Services accounts

You can view public snapshots owned by other accounts in a particular Amazon Region on the Public tab of the Snapshots page in the Amazon RDS console. Your snapshots (those owned by your account) don't appear on this tab.

To view public snapshots

Open the Amazon RDS console at https://console.amazonaws.cn/rds/.
In the navigation pane, choose Snapshots.
Choose the Public tab.

The public snapshots appear. You can see which account owns a public snapshot in the Owner column.

Note
You might have to modify the page preferences, by selecting the gear icon at the upper right of the Public snapshots list, to see this column.

Viewing your own public snapshots

You can use the following Amazon CLI command (Unix only) to view the public snapshots owned by your Amazon Web Services account in a particular Amazon Region.


aws rds describe-db-snapshots --snapshot-type public --include-public | grep account_number

The output returned is similar to the following example if you have public snapshots.


"DBSnapshotArn": "arn:aws-cn:rds:us-east-1:123456789012:snapshot:mysnapshot1",
"DBSnapshotArn": "arn:aws-cn:rds:us-east-1:123456789012:snapshot:mysnapshot2",

Note

You might see duplicate entries for DBSnapshotIdentifier or SourceDBSnapshotIdentifier.

Sharing public snapshots from deprecated DB engine versions

Restoring or copying public snapshots from deprecated DB engine versions isn't supported.

The RDS for Oracle and RDS for PostgreSQL DB engines support upgrading DB snapshot engine versions directly. You can upgrade your snapshots, then re-share them publicly. For more information, see the following:

For other DB engines, perform the following steps to make your existing unsupported public snapshot available to restore or copy:

Mark the snapshot as private.
Restore the snapshot.
Upgrade the restored DB instance to a supported engine version.
Create a new snapshot.
Re-share the snapshot publicly.

You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in Encrypting Amazon RDS resources.

The following restrictions apply to sharing encrypted snapshots:

You can't share encrypted snapshots as public.
You can't share Oracle or Microsoft SQL Server snapshots that are encrypted using Transparent Data Encryption (TDE).
You can't share a snapshot that has been encrypted using the default KMS key of the Amazon Web Services account that shared the snapshot.

To work around the default KMS key issue, perform the following tasks:

Create a customer managed key and give access to it.
Copy and share the snapshot from the source account.
Copy the shared snapshot in the target account.

First you create a custom KMS key in the same Amazon Web Services Region as the encrypted DB snapshot. While creating the customer managed key, you give access to it for another Amazon Web Services account.

To create a customer managed key and give access to it

Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.
Open the Amazon KMS console at https://console.amazonaws.cn/kms.
To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
In the navigation pane, choose Customer managed keys.
Choose Create key.
On the Configure key page:
1. For Key type, select Symmetric.
2. For Key usage, select Encrypt and decrypt.
3. Expand Advanced options.
4. For Key material origin, select KMS.
5. For Regionality, select Single-Region key.
6. Choose Next.
On the Add labels page:
1. For Alias. enter a display name for your KMS key, for example share-snapshot.
2. (Optional) Enter a description for your KMS key.
3. (Optional) Add tags to your KMS key.
4. Choose Next.
On the Define key administrative permissions page, choose Next.
On the Define key usage permissions page:
1. For Other Amazon Web Services accounts, choose Add another Amazon Web Services account.
2. Enter the ID of the Amazon Web Services account to which you want to give access.
  
  You can give access to multiple Amazon Web Services accounts.
3. Choose Next.
Review your KMS key, then choose Finish.

Next you copy the source DB snapshot to a new snapshot using the customer managed key. Then you share it with the target Amazon Web Services account.

To copy and share the snapshot

Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.
Open the Amazon RDS console at https://console.amazonaws.cn/rds/
In the navigation pane, choose Snapshots.
Select the DB snapshot you want to copy.
For Actions, choose Copy snapshot.
On the Copy snapshot page:
1. For Destination Region, choose the Amazon Web Services Region where you created the customer managed key in the previous procedure.
2. Enter the name of the DB snapshot copy in New DB Snapshot Identifier.
3. For Amazon KMS key, choose the customer managed key that you created.
4. Choose Copy snapshot.
When the snapshot copy is available, select it.
For Actions, choose Share snapshot.
On the Snapshot permissions page:
1. Enter the Amazon Web Services account ID with which you're sharing the snapshot copy, then choose Add.
2. Choose Save.
The snapshot is shared.

Now you can copy the shared snapshot in the target Amazon Web Services account.

To copy the shared snapshot

Sign in to the Amazon Web Services Management Console from the target Amazon Web Services account.
Open the Amazon RDS console at https://console.amazonaws.cn/rds/
In the navigation pane, choose Snapshots.
Choose the Shared with me tab.
Select the shared snapshot.
For Actions, choose Copy snapshot.
Choose your settings for copying the snapshot as in the previous procedure, but use an Amazon KMS key that belongs to the target account.

Choose Copy snapshot.

To stop sharing a DB snapshot, you remove permission from the target Amazon Web Services account.

To remove an Amazon Web Services account identifier from the list, use the --values-to-remove parameter.

Example of stopping snapshot sharing

The following example prevents Amazon Web Services account ID 444455556666 from restoring the snapshot.

For Linux, macOS, or Unix:


aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-remove 444455556666

For Windows:


aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-remove 444455556666

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Copying a DB snapshot

Exporting DB snapshot data to Amazon S3

Sharing a DB snapshot

Note

Contents

Sharing a snapshot

To share a manual DB snapshot by using the Amazon RDS console

Warning

Note

Example of sharing a snapshot with a single account

Example of sharing a snapshot with multiple accounts

Note

Sharing public snapshots

Viewing public snapshots owned by other Amazon Web Services accounts

To view public snapshots

Note

Viewing your own public snapshots

Note

Sharing public snapshots from deprecated DB engine versions

Sharing encrypted snapshots

Create a customer managed key and give access to it

To create a customer managed key and give access to it

Copy and share the snapshot from the source account

To copy and share the snapshot

Copy the shared snapshot in the target account

To copy the shared snapshot

Stopping snapshot sharing

To stop sharing a manual DB snapshot with an Amazon Web Services account

Example of stopping snapshot sharing