Share an encrypted RDS snapshot with another AWS account

Rishi Raj Singh
3 min read, Mar 8, 2019


Steps needed to share an encrypted RDS snapshot with another AWS account are below:

Create a new KMS key for encryption and share it with the target account.
Use the key created in step 1 to create an encrypted RDS instance.
Create a snapshot of the encrypted RDS instance.
Share the encrypted snapshot with the other account.

Note: Encrypted snapshots can only be shared within the same region.

Step 1: Start with creating a KMS key for encryption, share this key

You must create a new (customer-managed) KMS key; the default key cannot be used because its key policy cannot be changed to grant another account access. To share an existing snapshot that was encrypted with the default key, first make a copy of it using the new KMS key (see step 4).

Go to Identity and Access Management (IAM).
Select “Encryption Keys” from the menu on the left.
Click “Create Key”.
Provide an alias and description for the new key and select “next step”.
Choose the IAM users and roles that can administer the new KMS key through the KMS API.
Choose whether the key administrators you chose in the last step can delete the key.
Choose the IAM users and roles that can use the new KMS key.
IMPORTANT: Click “Add an External Account” and enter the target account number. This is what allows the target account to decrypt the encrypted snapshot later on.
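What the “Add an External Account” click actually does is append two statements to the key policy: one that lets the target account's root principal use the key, and one that lets it create grants (RDS attaches the key to the copied snapshot through a grant). The following added example, which is not code from the post, builds that policy and checks an arbitrary key policy to confirm the target account really ends up with the actions it needs. The account numbers and the admin ARN are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# Action lists that the console's "Add an External Account" button adds for the
# external account (the "use" statement and the "persistent resources" statement).
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# Concrete actions the target account must be able to call when RDS copies and
# restores a snapshot encrypted under this key (assumption: full console set).
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:CreateGrant"]


def key_policy(owner_account, admin_arns, external_accounts):
    """Build a customer-managed key policy: the owner root keeps full control, the
    named admins manage the key, and each external account's root may use it."""
    ext = [f"arn:aws:iam::{a}:root" for a in external_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": admin_arns},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ext}, "Action": USE_ACTIONS, "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": ext}, "Action": GRANT_ACTIONS, "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the 12-digit account ID from a root ARN or a bare account ID."""
    match = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::root)?", principal)
    return match.group(1) if match else None


def allowed_actions_by_account(policy):
    """Map account ID -> set of action patterns its root principal is allowed.
    Non-root principals and statements with a Condition are ignored, since a
    conditional grant cannot be assumed to cover RDS's calls."""
    allowed = {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or "Condition" in statement:
            continue
        principal = statement.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS", [])):
            account = _account_of(p)
            if account:
                allowed.setdefault(account, set()).update(_as_list(statement["Action"]))
    return allowed


def can_copy_shared_snapshot(policy, account_id):
    """True if account_id's root is granted every action in REQUIRED (wildcards honoured)."""
    patterns = allowed_actions_by_account(policy).get(account_id, set())
    return all(any(fnmatchcase(action, pat) for pat in patterns) for action in REQUIRED)


if __name__ == "__main__":
    # Constructed placeholders: 111111111111 owns the key, 222222222222 receives the snapshot.
    policy = key_policy("111111111111",
                        ["arn:aws:iam::111111111111:user/key-admin"],
                        ["222222222222"])
    print(json.dumps(policy, indent=2))
    print("target can copy:", can_copy_shared_snapshot(policy, "222222222222"))
```

The JSON printed by the block is what you would pass to `aws kms create-key --policy file://policy.json` instead of clicking through the console; `can_copy_shared_snapshot` is the check to run against `aws kms get-key-policy` output when a cross-account copy fails with an access error.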

Step 2: Use the key created in step 1 to create an encrypted RDS instance

Select the RDS service.
Launch a DB Instance.
Select your engine and version, e.g. SQL Server Standard Edition.
On the “Instance Specifications” page, select all the options you typically would with one exception: The instance class has to be at least db.m3.medium to support encryption (current as of the time of this writing).
IMPORTANT: Select “Yes” for enable encryption, and select the new KMS key you created earlier under “Master Key”.
Finalize and “Launch DB Instance”.

Step 3: Create a snapshot of the encrypted RDS instance

Select “Snapshots” in the RDS dashboard.
Click “Create Snapshot”.
Choose the DB instance, then click “Create”.
Note: The public option for snapshot visibility is not available for encrypted snapshots.
This is because 1) the public at large does not have access to your KMS key, and 2) there is no point in encrypting data at rest if you intend to make it publicly available.
Add the account number of the account you want to share the snapshot with.
Log out of the current AWS account and log back in to the target account.
Navigate to the RDS Dashboard and select the “Snapshots” tab.
Click the drop down filter list. Select “Shared with Me”.
You should now see the snapshot you shared earlier in this list.

Step 4: Share the encrypted snapshot with the other account

Before restoring a shared, encrypted snapshot, you first have to make a copy of the snapshot in the target account.

Select the snapshot and click “Copy Snapshot”.
Enter in a value for the New DB Snapshot Identifier field, and select an encryption key.
Click “Copy Snapshot”.
Switch your filter to “Owned by Me”.
You should now see the snapshot copy in progress. Wait for the copy to complete.
Once the copy is complete, you can select the copy of the snapshot and select “Restore Snapshot” to create a new instance from this snapshot.
Tip: If you already have a snapshot that was encrypted using the default KMS key, you can still share it. Just create a new KMS key like we did in step 1, make a copy of the snapshot in the source account using the new KMS key like we did in step 4, then follow steps 3 and 4 above.
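The console steps of steps 3 and 4 map onto four RDS API calls: describe the snapshot, add the target account to its “restore” attribute, copy the snapshot in the target account under a key that account controls, and restore from the copy. The added example below, which is not the post's code, drives those calls through boto3 and builds in the two checks that the post explains in prose: an encrypted snapshot must not be made public (the “all” value), and a snapshot encrypted with the AWS-managed default key has to be re-copied under a customer-managed key before it can be shared. Account numbers, the region, the key ID and the snapshot and instance identifiers are constructed placeholders; the clients are plain boto3 RDS and KMS clients passed in as parameters so the helpers can be exercised without AWS credentials.

```python
"""Share, copy and restore an encrypted RDS snapshot across accounts (added example)."""


def snapshot_arn(region, account_id, snapshot_id):
    """ARN form a target account must use to reference a snapshot shared with it."""
    return f"arn:aws:rds:{region}:{account_id}:snapshot:{snapshot_id}"


def assert_customer_managed(kms, key_id):
    """Refuse the AWS-managed default aws/rds key: its policy cannot be edited, so
    another account could never be granted the right to decrypt the snapshot."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyManager"] != "CUSTOMER":
        raise ValueError(
            f"{key_id} is AWS-managed; copy the snapshot with a customer-managed key first")
    return meta["Arn"]


def share_snapshot(rds, kms, snapshot_id, target_account):
    """Run in the SOURCE account: grant target_account restore access to the snapshot.
    Returns the snapshot ARN the target account will copy from."""
    if target_account == "all":
        raise ValueError("encrypted snapshots cannot be made public")
    snapshot = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)["DBSnapshots"][0]
    if not snapshot["Encrypted"]:
        raise ValueError(f"{snapshot_id} is not encrypted; this procedure is for encrypted snapshots")
    assert_customer_managed(kms, snapshot["KmsKeyId"])
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id,
        AttributeName="restore",
        ValuesToAdd=[target_account],
    )
    return snapshot["DBSnapshotArn"]


def copy_and_restore(rds, source_arn, copy_id, kms_key_id, instance_id):
    """Run in the TARGET account: copy the shared snapshot under a key this account
    owns (a shared encrypted snapshot cannot be restored directly), wait for the copy,
    then restore a new instance from it. Returns the identifier of the local copy."""
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=source_arn,
        TargetDBSnapshotIdentifier=copy_id,
        KmsKeyId=kms_key_id,
    )
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=copy_id)
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=instance_id,
        DBSnapshotIdentifier=copy_id,
    )
    return copy_id


if __name__ == "__main__":
    # Constructed placeholders; real use needs credentials for each account in turn.
    import boto3

    region = "us-east-1"
    source_session = boto3.Session(profile_name="source-account", region_name=region)
    target_session = boto3.Session(profile_name="target-account", region_name=region)

    arn = share_snapshot(source_session.client("rds"), source_session.client("kms"),
                         "prod-db-snapshot", "222222222222")
    copy_and_restore(target_session.client("rds"), arn, "prod-db-snapshot-copy",
                     "alias/target-account-rds-key", "prod-db-restored")
```

The source-side function deliberately describes the snapshot and inspects its key before touching the share attribute, because the share itself succeeds even when the target account will later be unable to copy the snapshot; catching the default-key case here is what turns a confusing copy failure in the other account into an immediate error.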
