DB → snapshot → share across account → relaunch with snapshot

<Restrictions>

  • Can share encrypted/decrypted to other accounts
  • Cannot share encrypted snapshots with AWS default generated keys
  • When sharing, need to provide the encrypted key together

So… if you have AWS default key + encrypted snapshots…
You need to ‘change encryption key’ to a AWS CMK (Custom Managed Key)

<If your DB is encrypted with AWS default key… Steps..>
>> Create snapshot of exsiting DB
(can just click on create snapshot — will take 10~15minutes)

>> Create copy of the snapshot + WITH DIFFERENT KEY !! (also 10~15minutes)

>> Share the new snapshot to other accounts
(Now can access from other accounts!)

  1. To Access the snapshot!! You need to share AWS CMK keys to the account
    https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Encrypted.KeyPolicy
  • CHANGE KEY POLICY
  • only touch the ‘allow key access’ & ‘allow persistent ….’ part

2. Also need to create IAM user & policy in that account (second) to access the encrypted snapshot

  • CHANGE IAM POLICY
  • Create a custom policy and copy paste it in your IAM (find it in the docs)

>>When you use the snapshot in the second account, NEED TO COPY the snapshot for usage (can’t use directly)