

# Sharing encrypted snapshots for Amazon RDS
<a name="share-encrypted-snapshot"></a>

You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in [Encrypting Amazon RDS resources](Overview.Encryption.md).

The following restrictions apply to sharing encrypted snapshots:
+ You can't share encrypted snapshots as public.
+ You can't share Oracle or Microsoft SQL Server snapshots that are encrypted using Transparent Data Encryption (TDE).
+ You can't share a snapshot that has been encrypted using the default KMS key of the Amazon Web Services account that shared the snapshot. The default key is the Amazon managed key for RDS (`aws/rds`), whose key policy cannot be edited to grant another account access.

  For more information about Amazon KMS key management for Amazon RDS, see [Amazon KMS key management](Overview.Encryption.Keys.md).

To work around the default KMS key issue, re-encrypt the snapshot under a customer managed key that the target account is allowed to use. Perform the following tasks:

1. [Create a customer managed key and give access to it](#share-encrypted-snapshot.cmk).

1. [Copy and share the snapshot from the source account](#share-encrypted-snapshot.share).

1. [Copy the shared snapshot in the target account](#share-encrypted-snapshot.target).

## Create a customer managed key and give access to it
<a name="share-encrypted-snapshot.cmk"></a>

First you create a customer managed KMS key in the same Amazon Web Services Region as the encrypted DB snapshot. While creating the customer managed key, you give access to it for another Amazon Web Services account. The key policy alone is not enough: the IAM principal in the target account that performs the copy must also be allowed the same KMS actions on this key by an identity-based policy in its own account.

**Note**  
You can also use a KMS key from another Amazon account when the key policy grants access to the source and target accounts.

**To create a customer managed key and give access to it**

1. Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.

1. Open the Amazon KMS console at [https://console.amazonaws.cn/kms](https://console.amazonaws.cn/kms).

1. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

1. Choose **Create key**.

1. On the **Configure key** page:

   1. For **Key type**, select **Symmetric**.

   1. For **Key usage**, select **Encrypt and decrypt**.

   1. Expand **Advanced options**.

   1. For **Key material origin**, select **KMS**.

   1. For **Regionality**, select **Single-Region key**.

   1. Choose **Next**.

1. On the **Add labels** page:

   1. For **Alias**, enter a display name for your KMS key, for example **share-snapshot**.

   1. (Optional) Enter a description for your KMS key.

   1. (Optional) Add tags to your KMS key.

   1. Choose **Next**.

1. On the **Define key administrative permissions** page, choose **Next**.

1. On the **Define key usage permissions** page:

   1. For **Other Amazon Web Services accounts**, choose **Add another Amazon Web Services account**.

   1. Enter the ID of the Amazon Web Services account to which you want to give access.

      You can give access to multiple Amazon Web Services accounts.

   1. Choose **Next**.

1. Review your KMS key, then choose **Finish**.
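The procedure above produces a key policy with two extra statements for each account listed under **Other Amazon Web Services accounts**. The following is an added example, not code from the RDS documentation: it builds that policy so it can be supplied to `aws kms create-key --policy` or reviewed in code, and it checks whether a given policy actually lets a target account copy a snapshot encrypted under the key. The account IDs are placeholders, the `aws-cn` partition is assumed because this page is for the China Regions, and `check_target_access` is a local review helper, not a KMS API.

```python
"""Key policy for sharing an encrypted snapshot across accounts.

Added example; not code from the RDS documentation. The two statements are the
ones the KMS console adds for an account listed under "Other Amazon Web
Services accounts". Account IDs are placeholders; `check_target_access` is a
local review helper, not a KMS API.
"""
import json

# "Allow use of the key" statement granted to external accounts
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
# "Allow attachment of persistent resources"; RDS needs CreateGrant so the
# copied snapshot can keep using the key after the copy operation finishes
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
# Minimum the target account needs to copy a snapshot encrypted under the key
REQUIRED_FOR_COPY = {"kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"}


def build_key_policy(source_account, target_accounts, partition="aws-cn"):
    """Policy for a key owned by source_account that target_accounts may use."""
    root = f"arn:{partition}:iam::{source_account}:root"
    targets = [f"arn:{partition}:iam::{a}:root" for a in target_accounts]
    statements = [{
        # Keeps the owning account able to administer the key through IAM
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*",
    }]
    if targets:
        statements += [
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": targets}, "Action": KEY_USE_ACTIONS,
             "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": targets}, "Action": GRANT_ACTIONS,
             "Resource": "*",
             # Grants may only be created on behalf of an AWS service (RDS)
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def _action_matches(pattern, action):
    """IAM action matching: exact, or prefix when the pattern ends in '*'."""
    pattern, action = pattern.lower(), action.lower()
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def _principals(stmt):
    """Normalise the Principal element to a list of strings ('*' = everyone)."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def check_target_access(policy, target_account, partition="aws-cn"):
    """Return (ok, problems) for whether target_account can use the key for a
    cross-account snapshot copy. Only explicit grants to the account root (or
    the bare account ID, which KMS treats the same) count; an unconditional
    "Principal": "*" is reported, because it would open the key to everyone."""
    root = f"arn:{partition}:iam::{target_account}:root"
    allowed, problems = set(), []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = _principals(stmt)
        names_target = root in principals or target_account in principals
        if stmt.get("Effect") == "Deny":
            # An explicit Deny wins over every Allow, so it defeats the share
            if names_target or "*" in principals:
                problems.append(f"Deny statement {stmt.get('Sid')!r} can block {target_account}")
            continue
        if "*" in principals and not stmt.get("Condition"):
            problems.append(f"statement {stmt.get('Sid')!r} allows every principal")
        if names_target:
            allowed |= {n for n in REQUIRED_FOR_COPY
                        if any(_action_matches(a, n) for a in actions)}
    missing = REQUIRED_FOR_COPY - allowed
    if missing:
        problems.append(f"{target_account} is not granted {sorted(missing)}")
    return not problems, problems


if __name__ == "__main__":
    policy = build_key_policy("111111111111", ["222222222222"])
    print(json.dumps(policy, indent=2))   # usable with `aws kms create-key --policy`
    print(check_target_access(policy, "222222222222"))
```

Run `check_target_access` against the policy you actually attached (`aws kms get-key-policy --key-id <id> --policy-name default`) rather than the one you intended to attach. A policy that contains only the owner statement, which is what the default key effectively gives you, fails the check, and so does any policy with a Deny naming the target account.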

## Copy and share the snapshot from the source account
<a name="share-encrypted-snapshot.share"></a>

Next you copy the source DB snapshot to a new snapshot using the customer managed key. Then you share it with the target Amazon Web Services account.

**To copy and share the snapshot**

1. Sign in to the Amazon Web Services Management Console from the source Amazon Web Services account.

1. Open the Amazon RDS console at [https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Select the DB snapshot you want to copy.

1. For **Actions**, choose **Copy snapshot**.

1. On the **Copy snapshot** page:

   1. For **Destination Region**, choose the Amazon Web Services Region where you created the customer managed key in the previous procedure.

   1. Enter the name of the DB snapshot copy in **New DB Snapshot Identifier**.

   1. For **Amazon KMS key**, choose the customer managed key that you created.  
![\[Choose the customer managed key.\]](http://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/images/copy-encrypted-snapshot.png)

   1. Choose **Copy snapshot**.

1. When the snapshot copy is available, select it.

1. For **Actions**, choose **Share snapshot**.

1. On the **Snapshot permissions** page:

   1. Enter the **Amazon Web Services account ID** with which you're sharing the snapshot copy, then choose **Add**.

   1. Choose **Save**.

   The snapshot is shared.

## Copy the shared snapshot in the target account
<a name="share-encrypted-snapshot.target"></a>

Now you can copy the shared snapshot in the target Amazon Web Services account.

**To copy the shared snapshot**

1. Sign in to the Amazon Web Services Management Console from the target Amazon Web Services account.

1. Open the Amazon RDS console at [https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Choose the **Shared with me** tab.

1. Select the shared snapshot.

1. For **Actions**, choose **Copy snapshot**.

1. Choose your settings for copying the snapshot as in the previous procedure, but for **Amazon KMS key** choose a key that belongs to the target account. The source account's key is used only to decrypt the shared snapshot during the copy; the copy itself is encrypted under the target account's key, so it remains usable even if the source account later stops sharing the snapshot or revokes access to its key.

   Choose **Copy snapshot**.
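The two console procedures above (copy and share from the source account, then copy in the target account) map onto four RDS API calls. The following is an added example using boto3, not code from the RDS documentation. Snapshot identifiers, key identifiers, profile names and account IDs are placeholders; the RDS clients are passed in as parameters so the functions can be exercised with stand-ins, and in real use they are boto3 clients created with each account's credentials. It also adds the two checks a practitioner wants here: refusing a public share up front, and confirming that the target's copy really is encrypted under a key the target account owns before the source revokes the share.

```python
"""Cross-account share of an encrypted RDS snapshot with boto3.

Added example; not code from the RDS documentation. Snapshot identifiers,
key identifiers, profile names and account IDs are placeholders. The RDS
clients are passed in so the functions can be exercised with stand-ins; in
real use they are boto3 clients created with each account's credentials.
"""


def copy_and_share(rds_source, snapshot_id, copy_id, cmk_key_id, target_account):
    """Source account: copy the snapshot under the customer managed key, then
    share the copy with target_account. Returns the copy's ARN, which is how
    the target account must refer to it."""
    if target_account == "all":
        # "all" is the public share; RDS refuses it for encrypted snapshots
        raise ValueError("encrypted snapshots cannot be shared publicly")
    rds_source.copy_db_snapshot(
        SourceDBSnapshotIdentifier=snapshot_id,
        TargetDBSnapshotIdentifier=copy_id,
        KmsKeyId=cmk_key_id,   # must not be the default aws/rds key
        CopyTags=True,
    )
    # The share attribute can only be set once the copy is available
    rds_source.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=copy_id)
    copy = rds_source.describe_db_snapshots(DBSnapshotIdentifier=copy_id)["DBSnapshots"][0]
    rds_source.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=copy_id,
        AttributeName="restore",       # the only shareable snapshot attribute
        ValuesToAdd=[target_account],
    )
    return copy["DBSnapshotArn"]


def copy_shared_snapshot(rds_target, shared_snapshot_arn, local_id, target_key_id):
    """Target account: copy the shared snapshot under a key the target owns.
    The source key is used only to decrypt during the copy; afterwards the
    target's data no longer depends on the source account's key policy."""
    rds_target.copy_db_snapshot(
        SourceDBSnapshotIdentifier=shared_snapshot_arn,  # shared snapshots are addressed by ARN
        TargetDBSnapshotIdentifier=local_id,
        KmsKeyId=target_key_id,
    )
    rds_target.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=local_id)
    return rds_target.describe_db_snapshots(DBSnapshotIdentifier=local_id)["DBSnapshots"][0]


def encrypted_under_account(snapshot, account_id):
    """Check that a snapshot (a describe_db_snapshots entry) is encrypted and
    that its key is owned by account_id. RDS reports KmsKeyId as a key ARN,
    whose fifth field is the owning account, whatever identifier was used."""
    key_arn = snapshot.get("KmsKeyId", "")
    return bool(snapshot.get("Encrypted")) and key_arn.split(":")[4:5] == [account_id]


def revoke_share(rds_source, copy_id, target_account):
    """Source account: once the target holds its own re-encrypted copy the share
    is no longer needed; removing it closes the window in which the target
    could restore straight from the source's copy."""
    rds_source.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=copy_id,
        AttributeName="restore",
        ValuesToRemove=[target_account],
    )


if __name__ == "__main__":
    import boto3   # assumed: profiles "source" and "target" exist in the local AWS config
    src = boto3.Session(profile_name="source").client("rds")
    tgt = boto3.Session(profile_name="target").client("rds")
    arn = copy_and_share(src, "prod-db-snap", "prod-db-snap-shared",
                         "alias/share-snapshot", "222222222222")
    snap = copy_shared_snapshot(tgt, arn, "prod-db-snap-imported", "alias/target-rds-key")
    if encrypted_under_account(snap, "222222222222"):
        revoke_share(src, "prod-db-snap-shared", "222222222222")
```

The target-side copy must be made in the same Region as the shared snapshot, and the principal running it needs the KMS actions from the previous section on the source key as well as `rds:CopyDBSnapshot`. Revoking the share after the target confirms its copy is the least-privilege end state: the source's customer managed key can then be kept only for as long as the source's own shared copy exists.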