How to Migrate RDS
DB → snapshot → share across account → relaunch with snapshot
<Restrictions>
- Can share encrypted/unencrypted snapshots with other accounts
- Cannot share snapshots encrypted with the AWS default generated key
- When sharing an encrypted snapshot, you need to share the encryption key together with it
So… if you have AWS default key + encrypted snapshots…
You need to ‘change encryption key’ to an AWS CMK (customer managed key)
<If your DB is encrypted with AWS default key… Steps..>
>> Create snapshot of existing DB
(can just click on create snapshot — will take 10~15 minutes)
>> Create copy of the snapshot + WITH DIFFERENT KEY !! (also 10~15 minutes)
>> Share the new snapshot to other accounts
(Now can access from other accounts!)
1. To access the snapshot!! You need to share the AWS CMK with the other account
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Encrypted.KeyPolicy
- CHANGE KEY POLICY
- only touch the ‘allow key access’ & ‘allow persistent ….’ part
2. You also need to create an IAM user & policy in the second account to access the encrypted snapshot
- CHANGE IAM POLICY
- Create a custom policy and copy-paste it into your IAM (find it in the docs)
>> When you use the snapshot in the second account, you NEED TO COPY the snapshot before using it (can’t use it directly)
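The ‘CHANGE KEY POLICY’ step above, sketched as an added example (not code from the original post or the AWS docs): it adds the second account to the two usage statements of the CMK key policy and leaves every other statement alone. The function name `grant_account`, the account IDs and the sample policy are constructed for illustration, and the Sids are assumed to be the ones a console-generated key policy uses.

```python
import copy
import json

# Sids of the two usage statements in a console-generated KMS key policy
# (assumption: your key policy kept these Sids; adjust if they were renamed).
SHARE_SIDS = ("Allow use of the key", "Allow attachment of persistent resources")


def grant_account(key_policy: dict, target_account_id: str) -> dict:
    """Return a copy of key_policy with the target account's root principal
    added to the two usage statements only; other statements are untouched."""
    if not (target_account_id.isdigit() and len(target_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    principal = f"arn:aws:iam::{target_account_id}:root"
    policy = copy.deepcopy(key_policy)
    touched = set()
    for stmt in policy["Statement"]:
        if stmt.get("Sid") not in SHARE_SIDS:
            continue  # e.g. the key administration statement stays as it is
        current = stmt["Principal"]["AWS"]
        current = [current] if isinstance(current, str) else list(current)
        if principal not in current:
            current.append(principal)
        stmt["Principal"]["AWS"] = current
        touched.add(stmt["Sid"])
    missing = set(SHARE_SIDS) - touched
    if missing:
        raise KeyError(f"statements not found in key policy: {sorted(missing)}")
    return policy

# Constructed sample: account 111111111111 owns the key, 222222222222 is the target.
OWNER = "arn:aws:iam::111111111111:root"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": OWNER}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": OWNER}, "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": OWNER}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(grant_account(SAMPLE_POLICY, "222222222222"), indent=2))
```

Diff the printed policy against the current one before pasting it into the key policy editor; only the two usage statements should differ.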