Sharing encrypted snapshots for Amazon RDS - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Sharing encrypted snapshots for Amazon RDS

You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in Encrypting Amazon RDS resources.

The following restrictions apply to sharing encrypted snapshots:

  • You can't share encrypted snapshots as public.

  • You can't share Oracle or Microsoft SQL Server snapshots that are encrypted using Transparent Data Encryption (TDE).

  • You can't share a snapshot that has been encrypted using the default KMS key of the Amazon Web Services account that shared the snapshot.

    For more information about Amazon KMS key management for Amazon RDS, see Amazon KMS key management.

To work around the default KMS key issue, perform the following tasks:

Create a customer managed key and give access to it

First you create a custom KMS key in the same Amazon Web Services Region as the encrypted DB snapshot. While creating the customer managed key, you give access to it for another Amazon Web Services account.

Note

You can also use a KMS key from another Amazon account when the key policy grants access to the source and target accounts.

To create a customer managed key and give access to it
  1. Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.

  2. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  3. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  4. In the navigation pane, choose Customer managed keys.

  5. Choose Create key.

  6. On the Configure key page:

    1. For Key type, select Symmetric.

    2. For Key usage, select Encrypt and decrypt.

    3. Expand Advanced options.

    4. For Key material origin, select KMS.

    5. For Regionality, select Single-Region key.

    6. Choose Next.

  7. On the Add labels page:

    1. For Alias, enter a display name for your KMS key, for example share-snapshot.

    2. (Optional) Enter a description for your KMS key.

    3. (Optional) Add tags to your KMS key.

    4. Choose Next.

  8. On the Define key administrative permissions page, choose Next.

  9. On the Define key usage permissions page:

    1. For Other Amazon Web Services accounts, choose Add another Amazon Web Services account.

    2. Enter the ID of the Amazon Web Services account to which you want to give access.

      You can give access to multiple Amazon Web Services accounts.

    3. Choose Next.

  10. Review your KMS key, then choose Finish.

Copy and share the snapshot from the source account

Next you copy the source DB snapshot to a new snapshot using the customer managed key. Then you share it with the target Amazon Web Services account.

To copy and share the snapshot
  1. Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.

  2. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  3. In the navigation pane, choose Snapshots.

  4. Select the DB snapshot you want to copy.

  5. For Actions, choose Copy snapshot.

  6. On the Copy snapshot page:

    1. For Destination Region, choose the Amazon Web Services Region where you created the customer managed key in the previous procedure.

    2. Enter the name of the DB snapshot copy in New DB Snapshot Identifier.

    3. For Amazon KMS key, choose the customer managed key that you created.

    4. Choose Copy snapshot.

  7. When the snapshot copy is available, select it.

  8. For Actions, choose Share snapshot.

  9. On the Snapshot permissions page:

    1. Enter the Amazon Web Services account ID with which you're sharing the snapshot copy, then choose Add.

    2. Choose Save.

    The snapshot is shared.

Copy the shared snapshot in the target account

Now you can copy the shared snapshot in the target Amazon Web Services account.

To copy the shared snapshot
  1. Sign in to the Amazon Web Services Management Console from the target Amazon Web Services account.

  2. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  3. In the navigation pane, choose Snapshots.

  4. Choose the Shared with me tab.

  5. Select the shared snapshot.

  6. For Actions, choose Copy snapshot.

  7. Choose your settings for copying the snapshot as in the previous procedure, but use an Amazon KMS key that belongs to the target account.

    Choose Copy snapshot.
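The three console procedures above form one workflow, shown here as an added example in Python with boto3 (this is not AWS's own code and not from this page). The key policy mirrors what the console generates in the Define key usage permissions step, the pre-flight checks encode the restrictions listed at the top of the page (no public sharing, no default KMS key), and the two orchestration functions cover the source-account and target-account sides. The account IDs, region, alias name and snapshot identifiers are constructed placeholders; the boto3 operations (create_key, create_alias, copy_db_snapshot, modify_db_snapshot_attribute) are real API calls that only run with boto3 installed and valid credentials, so the policy builder and checks are kept as pure functions that work offline.

```python
"""Cross-account sharing of an encrypted RDS snapshot as API calls (added example)."""
import json

# Constructed placeholder values, not from the page.
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
REGION = "cn-north-1"
PARTITION = "aws-cn"  # use "aws" outside the China Regions


def build_key_policy(source_account, target_accounts, partition=PARTITION):
    """Key policy equivalent to the console's "Define key usage permissions" step.

    Statement 1 keeps the key-owning account in control so its IAM policies can
    grant finer-grained access. Statements 2 and 3 give the target account(s) the
    usage and grant permissions RDS needs to read the shared snapshot and to copy it.
    """
    principals = [f"arn:{partition}:iam::{a}:root" for a in target_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMPoliciesInKeyOwningAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOfTheKeyByTargetAccounts",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "AllowGrantsForAWSResourcesOnly",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                # Limits grant creation to integrated services such as RDS, so the
                # target account cannot delegate the key to arbitrary principals.
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def check_share_targets(target_accounts):
    """Encrypted snapshots cannot be shared publicly: reject the 'all' value."""
    targets = list(target_accounts)
    if not targets or "all" in targets:
        raise ValueError("encrypted snapshots must be shared with explicit account IDs")
    return targets


def sharing_blockers(snapshot, default_key_ids):
    """Reasons a snapshot cannot be shared as-is.

    `snapshot` is shaped like one entry of describe_db_snapshots()["DBSnapshots"];
    `default_key_ids` holds the ID/ARN of the account's default aws/rds key.
    TDE status is not visible in the snapshot record (it lives in the option group),
    so that restriction is not checked here.
    """
    reasons = []
    if snapshot.get("Encrypted") and snapshot.get("KmsKeyId") in default_key_ids:
        reasons.append("encrypted with the default KMS key; copy it under a customer managed key first")
    return reasons


def share_encrypted_snapshot(source_snapshot_id, copy_id, target_accounts, region=REGION):
    """Source-account side: create the key, copy the snapshot under it, share the copy."""
    import boto3  # only the live calls need it
    targets = check_share_targets(target_accounts)
    kms = boto3.client("kms", region_name=region)
    rds = boto3.client("rds", region_name=region)
    key = kms.create_key(
        Policy=json.dumps(build_key_policy(SOURCE_ACCOUNT, targets)),
        KeyUsage="ENCRYPT_DECRYPT", KeySpec="SYMMETRIC_DEFAULT",
        Origin="AWS_KMS", MultiRegion=False,
    )["KeyMetadata"]
    kms.create_alias(AliasName="alias/share-snapshot", TargetKeyId=key["KeyId"])
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=source_snapshot_id,
                         TargetDBSnapshotIdentifier=copy_id, KmsKeyId=key["Arn"])
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=copy_id)
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=copy_id,
                                     AttributeName="restore", ValuesToAdd=targets)
    return key["Arn"]


def copy_shared_snapshot(shared_snapshot_arn, local_copy_id, target_key_id, region=REGION):
    """Target-account side: re-copy the shared snapshot under a key the target owns.

    A snapshot shared from another account must be referenced by its ARN.
    """
    import boto3
    rds = boto3.client("rds", region_name=region)
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=shared_snapshot_arn,
                         TargetDBSnapshotIdentifier=local_copy_id, KmsKeyId=target_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=local_copy_id)
```

The final re-copy in the target account matters for ownership: until the target copies the snapshot under its own key, restoring from it depends on the source account's key policy, which the source can revoke at any time.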