AWSSupport-ShareRDSSnapshot - AWS Systems Manager
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS in China.

This is a machine-translated version. If this translation differs from the original English text, the English original prevails.

AWSSupport-ShareRDSSnapshot

Description

The AWSSupport-ShareRDSSnapshot document provides an automated solution for the procedure outlined in the Knowledge Center article How can I share an encrypted Amazon RDS DB snapshot with another account? If your Amazon Relational Database Service (Amazon RDS) snapshot was encrypted using the default AWS Key Management Service (AWS KMS) key, you cannot share the snapshot. In this case, you must copy the snapshot using a customer master key (CMK), and then share the copy with the target account. This automation performs these steps using the snapshot you specify in the SnapshotName parameter, or the latest snapshot found for the Amazon RDS DB instance or cluster you specify in the Database parameter.

Note

If you do not specify a value for the KMSKey parameter, the automation creates a new AWS KMS CMK in your account that is used to encrypt the snapshot.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Databases

Parameters

  • AccountIds

    Type: StringList

    Description: (Required) Comma-separated list of account IDs to share the snapshot with.

  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that runs this document.

  • Database

    Type: String

    Description: (Required) The name of the Amazon RDS DB instance or cluster whose snapshot you want to share. This parameter is optional if you specify a value for the SnapshotName parameter.

  • KMSKey

    Type: String

    Description: (Optional) The full Amazon Resource Name (ARN) of the AWS KMS CMK used to encrypt the snapshot copy.

  • SnapshotName

    Type: String

    Description: (Optional) The ID of the DB cluster or DB instance snapshot that you want to share.

Required IAM permissions

The AutomationAssumeRole requires the following actions to successfully run the Automation document for a DB instance.

  • ssm:StartAutomationExecution

  • rds:DescribeDBInstances

  • rds:DescribeDBSnapshots

  • rds:CopyDBSnapshot

  • rds:ModifyDBSnapshotAttribute

The AutomationAssumeRole requires the following actions to successfully run the Automation document for a DB cluster.

  • ssm:StartAutomationExecution

  • rds:DescribeDBClusters

  • rds:DescribeDBClusterSnapshots

  • rds:CopyDBClusterSnapshot

  • rds:ModifyDBClusterSnapshotAttribute

The IAM role used to run the automation must be added as a key user of the AWS KMS CMK specified in the KMSKey parameter. For information about adding key users to an AWS KMS CMK, see Changing a key policy in the AWS Key Management Service Developer Guide.

The AutomationAssumeRole requires the following additional actions to successfully run the Automation document if you do not specify a value for the KMSKey parameter.

  • kms:CreateKey

  • kms:ScheduleKeyDeletion

Document steps

  1. aws:executeScript - Checks whether a value was provided for the KMSKey parameter, and creates an AWS KMS CMK if no value is found.

  2. aws:branch - Checks whether a value was provided for the SnapshotName parameter, and branches accordingly.

  3. aws:executeAwsApi - Checks whether the snapshot provided is from a DB instance.

  4. aws:executeScript - Formats the SnapshotName parameter by replacing colons with hyphens.

  5. aws:executeAwsApi - Copies the snapshot using the specified KMSKey.

  6. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  7. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  8. aws:executeAwsApi - Checks whether the snapshot provided is from a DB cluster.

  9. aws:executeScript - Formats the SnapshotName parameter by replacing colons with hyphens.

  10. aws:executeAwsApi - Copies the snapshot using the specified KMSKey.

  11. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  12. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  13. aws:executeAwsApi - Checks whether the value provided for the Database parameter is a DB instance.

  14. aws:executeAwsApi - Checks whether the value provided for the Database parameter is a DB cluster.

  15. aws:executeAwsApi - Retrieves a list of snapshots for the specified Database.

  16. aws:executeScript - Determines the latest snapshot available from the list assembled in the previous step.

  17. aws:executeAwsApi - Copies the DB instance snapshot using the specified KMSKey.

  18. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  19. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  20. aws:executeAwsApi - Retrieves a list of snapshots for the specified Database.

  21. aws:executeScript - Determines the latest snapshot available from the list assembled in the previous step.

  22. aws:executeAwsApi - Copies the DB instance snapshot using the specified KMSKey.

  23. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  24. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  25. aws:executeScript - Deletes the AWS KMS CMK created by the automation if you did not specify a value for the KMSKey parameter and the automation fails.
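The following is an added example, not code from the AWSSupport-ShareRDSSnapshot document, that carries out the DB instance branch of the steps above (format the snapshot name, copy the snapshot under the CMK, wait for the copy, share it with the listed accounts) plus the latest-snapshot selection from steps 16 and 21. The RDS and KMS clients are injected, so the functions run offline against the constructed `FakeRDS` and `FakeKMS` stand-ins at the bottom, or for real when given `boto3.client("rds")` and `boto3.client("kms")`. The key ARNs, account IDs and snapshot names are constructed sample values; `require_customer_managed_key` and `validate_account_ids` are pre-flight checks added here, not steps of the document. Two things the example refuses to do that the document does not spell out: copying under an AWS managed key (the copy would be just as unshareable as the original) and passing the literal `all` as an account ID (which would make the snapshot public).

```python
"""Copy-then-share flow for an encrypted RDS DB instance snapshot (added example,
not code from the AWSSupport-ShareRDSSnapshot document). Clients are injected so
the functions run offline against the constructed fakes below or with
boto3.client("rds") / boto3.client("kms"). Instance branch only; the cluster
branch uses the *DBCluster* variants of the same calls."""
import time

# Constructed sample key ARNs for the offline run (not from the document).
CMK_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"


def normalize_snapshot_identifier(name):
    """Steps 4/9: 'rds:<db>-<time>' names must lose their colon to be valid target IDs."""
    return name.replace(":", "-")


def latest_available_snapshot(snapshots):
    """Steps 16/21: newest snapshot; assumption: only Status 'available' counts."""
    ready = [s for s in snapshots if s.get("Status") == "available"]
    if not ready:
        raise ValueError("no available snapshot to share")
    return max(ready, key=lambda s: s["SnapshotCreateTime"])


def validate_account_ids(account_ids):
    """Accept only 12-digit account IDs; the literal 'all' would make the snapshot public."""
    bad = [a for a in account_ids if not (str(a).isdigit() and len(str(a)) == 12)]
    if bad:
        raise ValueError(f"refusing to share with non-account values: {bad}")
    return [str(a) for a in account_ids]


def require_customer_managed_key(kms, key_arn):
    """A copy under the AWS managed key is as unshareable as the original."""
    meta = kms.describe_key(KeyId=key_arn)["KeyMetadata"]
    if meta.get("KeyManager") != "CUSTOMER":
        raise ValueError(f"{key_arn} is not a customer managed key")
    return meta["Arn"]


def share_instance_snapshot(rds, kms, snapshot_id, account_ids, kms_key_arn,
                            poll_seconds=0.0, max_polls=60):
    """Steps 3-7: copy under kms_key_arn, wait, then grant restore access."""
    accounts = validate_account_ids(account_ids)
    key_arn = require_customer_managed_key(kms, kms_key_arn)
    source = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)["DBSnapshots"][0]
    target_id = normalize_snapshot_identifier(snapshot_id) + "-shared"
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=source["DBSnapshotArn"],
                         TargetDBSnapshotIdentifier=target_id, KmsKeyId=key_arn)
    for _ in range(max_polls):  # step 6: poll until the copy is available
        copy = rds.describe_db_snapshots(DBSnapshotIdentifier=target_id)["DBSnapshots"][0]
        if copy["Status"] == "available":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"copy {target_id} did not become available")
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=target_id,
                                     AttributeName="restore", ValuesToAdd=accounts)
    return target_id


class FakeKMS:
    """Constructed stand-in for the KMS client: maps key ARN -> KeyManager."""
    def __init__(self, managers):
        self.managers = managers

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"Arn": KeyId, "KeyManager": self.managers[KeyId]}}


class FakeRDS:
    """Constructed stand-in for the RDS client; a copy becomes 'available' on
    its second describe call, and restore grants are recorded in .shared."""
    def __init__(self, snapshots):
        self.snapshots = {s["DBSnapshotIdentifier"]: s for s in snapshots}
        self.shared, self._polls = {}, {}

    def describe_db_snapshots(self, DBSnapshotIdentifier):
        snap = self.snapshots[DBSnapshotIdentifier]
        if snap["Status"] == "creating":
            self._polls[DBSnapshotIdentifier] = self._polls.get(DBSnapshotIdentifier, 0) + 1
            if self._polls[DBSnapshotIdentifier] >= 2:
                snap["Status"] = "available"
        return {"DBSnapshots": [dict(snap)]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId):
        if ":" in TargetDBSnapshotIdentifier:  # the real service rejects this as well
            raise ValueError("InvalidParameterValue: identifier may not contain ':'")
        self.snapshots[TargetDBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": TargetDBSnapshotIdentifier, "Status": "creating",
            "DBSnapshotArn": "arn:aws:rds:us-east-1:111111111111:snapshot:" + TargetDBSnapshotIdentifier,
            "KmsKeyId": KmsKeyId, "SnapshotCreateTime": 2}

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToAdd):
        self.shared.setdefault(DBSnapshotIdentifier, []).extend(ValuesToAdd)
        return {}


def demo():
    """Offline run: share a default-key snapshot with one account; returns (rds, shared id)."""
    rds = FakeRDS([{"DBSnapshotIdentifier": "rds:mydb-2024-01-01-00-00", "Status": "available",
                    "DBSnapshotArn": "arn:aws:rds:us-east-1:111111111111:snapshot:rds:mydb-2024-01-01-00-00",
                    "KmsKeyId": AWS_MANAGED_ARN, "SnapshotCreateTime": 1}])
    kms = FakeKMS({CMK_ARN: "CUSTOMER", AWS_MANAGED_ARN: "AWS"})
    return rds, share_instance_snapshot(rds, kms, "rds:mydb-2024-01-01-00-00", ["222222222222"], CMK_ARN)
```

With real clients, `demo()` is replaced by a call to `share_instance_snapshot` with the snapshot ID, account list and CMK ARN you would otherwise pass as SnapshotName, AccountIds and KMSKey; the role running it needs the same rds: and kms: actions listed under Required IAM permissions, and the CMK's key policy must also grant the target accounts use of the key, or they will be able to see the shared snapshot but not restore it.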