How to Migrate RDS

June Chung
Oct 1, 2020

DB → snapshot → share across accounts → relaunch with snapshot

<Restrictions>

  • Can share encrypted or unencrypted snapshots with other accounts
  • Cannot share snapshots encrypted with the AWS default generated key
  • When sharing an encrypted snapshot, you need to share the encryption key together with it

So… if you have snapshots encrypted with the AWS default key…
You need to ‘change encryption key’ to an AWS CMK (customer managed key)

<If your DB is encrypted with the AWS default key… Steps..>
>> Create a snapshot of the existing DB
(can just click on create snapshot; will take 10~15 minutes)

>> Create a copy of the snapshot WITH A DIFFERENT KEY!! (also 10~15 minutes)

>> Share the new snapshot with the other accounts
(Now it can be accessed from the other accounts!)

1. To access the snapshot, you need to share the AWS CMK with the other account
   https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Encrypted.KeyPolicy

  • CHANGE KEY POLICY
  • only touch the ‘allow key access’ & ‘allow persistent ….’ part

2. You also need to create an IAM user & policy in that (second) account to access the encrypted snapshot

  • CHANGE IAM POLICY
  • Create a custom policy and copy-paste it into your IAM (find it in the docs)

>> When you use the snapshot in the second account, you NEED TO COPY the snapshot before using it (can’t use it directly)
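
The key policy change from step 1, as an added example (not from the original post or the AWS docs): it adds the second account only to the two statements the post says to touch and leaves every other statement, including the administrative ones, unchanged. It assumes the key policy uses the Sids of the console-generated default policy ("Allow use of the key", "Allow attachment of persistent resources"); the function name, the sample policy and the account IDs are constructed for illustration.

```python
import copy
import re

# Assumed Sids: those of the console-generated default key policy. The post
# says to edit only these two statements.
SHARE_SIDS = ("Allow use of the key", "Allow attachment of persistent resources")


def share_key_with_account(key_policy: dict, account_id: str) -> dict:
    """Return a copy of key_policy that also lets account_id use the key."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    principal = f"arn:aws:iam::{account_id}:root"
    policy = copy.deepcopy(key_policy)  # never mutate the caller's policy
    by_sid = {s.get("Sid"): s for s in policy["Statement"]}
    missing = [sid for sid in SHARE_SIDS if sid not in by_sid]
    if missing:
        raise KeyError(f"key policy has no statement(s): {missing}")
    for sid in SHARE_SIDS:
        aws = by_sid[sid]["Principal"]["AWS"]
        aws = [aws] if isinstance(aws, str) else list(aws)  # str or list in IAM JSON
        if principal not in aws:  # idempotent: re-running adds nothing
            aws.append(principal)
        by_sid[sid]["Principal"]["AWS"] = aws
    return policy


# Constructed sample key policy (account IDs and user name are placeholders).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/dba"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/dba"]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(share_key_with_account(SAMPLE_POLICY, "444455556666"), indent=2))
```

The printed JSON is what would be pasted back as the key policy; the second account still needs its own IAM policy from step 2.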
