How To Copy an Encrypted RDS Using Default KMS Key to Another AWS Account
2024-07-04

By Hyuntaek Park

Senior full-stack engineer at Twigfarm

Cloning a database is very easy through dump and restore. However, if your database is in AWS RDS and that RDS instance is encrypted with the default AWS-provided KMS key, it is not that simple. AWS does not allow you to share the snapshot with a different account.

In order to solve this problem, we need to take a few extra steps. In this article, I will explain how to copy a snapshot and, finally, restore an RDS instance using the snapshot that is shared.

Source database

I created a simple Postgres database in my source account.

As I understand it, this RDS instance is encrypted using the default AWS KMS key.

Create a snapshot

Go to [RDS] > [Snapshots]. Click the [Take snapshot] button. Choose the DB instance and name the snapshot as you like. Then click the [Take snapshot] button.

You need to wait a few minutes until the creation process is finished.

Share the snapshot (first try)

Once the snapshot creation is finished, choose the snapshot. Click the [Actions] dropdown and click [Share snapshot].

This is where you specify the destination AWS account with which the snapshot is to be shared.

Even though I entered the correct AWS account number, the Save button stays disabled.

The error message reads:

Sharing snapshots encrypted with the default service key for RDS is currently not supported.

We need a different way to share the snapshot.

Create a KMS key in the source account

Go to [Key Management Service (KMS)] in the AWS console. Then click the [Create a key] button.

Leave the options at their defaults unless you need to make a change.

Click the [Next] button. Then enter an alias. Then click [Next] again.

Then choose your user name, or a role if you prefer. I chose my user name here. Click [Next].

Here, choose your user name again, then enter the destination account number. Then click [Next].

Check the key policy, then click the [Finish] button. Now you have your first KMS key for the snapshot in the source account.
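The "check the key policy" step can be done programmatically. The following is an added example, not code from the original article: it audits a key policy document for what the destination account may do with the source key. The action baseline is an assumption modeled on the two statements the KMS console generates for an external account, and the account IDs, Sids and user name are constructed placeholders.

```python
# Baseline taken from the two statements the KMS console generates when another
# account is entered as a key user (assumption; adjust to your own template).
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"}
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, dest_account):
    """Return findings about what dest_account may do with the source key."""
    dest_root = f"arn:aws:iam::{dest_account}:root"
    granted, findings = set(), []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "?"), stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in aws:
            findings.append(f"{sid}: any AWS principal can use the key")
        if dest_root not in aws:
            continue
        if "kms:*" in actions:
            findings.append(f"{sid}: destination account can administer the key (kms:*)")
        flag = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if actions & GRANT_ACTIONS and str(flag).lower() != "true":
            findings.append(f"{sid}: grant actions not limited to AWS resources")
        granted |= actions
    missing = (USE_ACTIONS | GRANT_ACTIONS) - granted
    if missing and "kms:*" not in granted:
        findings.append("destination account lacks: " + ", ".join(sorted(missing)))
    return findings

def sample_policy(source, dest, scoped=True):
    """Constructed policy; account IDs are placeholders, not from the article."""
    users = [f"arn:aws:iam::{source}:user/example-user", f"arn:aws:iam::{dest}:root"]
    grant = {"Sid": "AllowGrants", "Effect": "Allow", "Principal": {"AWS": users},
             "Action": sorted(GRANT_ACTIONS), "Resource": "*"}
    if scoped:
        grant["Condition"] = {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Resource": "*", "Action": "kms:*",
         "Principal": {"AWS": f"arn:aws:iam::{source}:root"}},
        {"Sid": "AllowUse", "Effect": "Allow", "Principal": {"AWS": users},
         "Action": sorted(USE_ACTIONS), "Resource": "*"},
        grant]}

if __name__ == "__main__":
    print(audit_key_policy(sample_policy("111111111111", "222222222222"), "222222222222"))
```

An empty list means the destination account has the baseline actions and nothing broader; any finding names the statement to review before sharing the snapshot.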


Copy the snapshot

Go to [RDS] > [Snapshots] and choose the snapshot you created. Then click the [Actions] dropdown and choose [Copy snapshot] this time.

Enter a [New DB Snapshot Identifier] and be sure to choose the KMS key that you just created for the [AWS KMS key]. Then click the [Copy snapshot] button.

Wait a few minutes again while the snapshot copy is in progress.

Share the snapshot (second try)

When the copy of the snapshot is ready, choose the snapshot copy. Click the [Actions] dropdown button, then select the [Share snapshot] button. Then add the destination AWS account ID. Again, repeat the steps you did in the Share the snapshot (first try) section.

This time, the Save button is enabled. Click it!

Restore from the snapshot (first try)

Log in to the destination AWS account. Go to [RDS] > [Snapshots] > [Shared with me]. You should see the snapshot that we shared from the source account.

Our goal is to restore from this snapshot. Choose the snapshot. Click the [Actions] dropdown button.

The [Restore snapshot] button is disabled. We need to make another copy with a new destination KMS key.

Create a KMS key in the destination account

Go to [KMS], then click [Create a key]. Do the same as we did in the Create a KMS key in the source account section, except for the alias.

Copy the snapshot (Again but in the destination account)

Now we need to make a copy of the shared snapshot using the key that we have just created.

Go to [RDS] > [Snapshots] > [Shared with me]. Choose the shared snapshot. Click [Actions] > [Copy snapshot].

Be sure to choose the newly made AWS KMS key.

Restore from the snapshot (second try)

Now choose the copied snapshot. Click the [Actions] dropdown button. Now you see that [Restore snapshot] is enabled. Select [Restore snapshot].

Fill in the database information. You will see your new database instance is created from the snapshot.
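The whole console walk-through above maps onto four RDS API calls. The following is an added example, not code from the original article: it drives the sequence through boto3-style RDS clients passed in by the caller. The snapshot names, key placeholders, account IDs and region are hypothetical, and `DryRunRDS` is a constructed stand-in so the sequence can be inspected without touching AWS.

```python
class DryRunRDS:
    """Constructed stand-in for a boto3 RDS client: records calls, touches nothing."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(*args, **kwargs):
            self.calls.append((name, kwargs))
            return self  # lets get_waiter(...).wait(...) chain
        return record


def copy_share_restore(rds_src, rds_dst, *, snapshot_id, src_key, dst_key,
                       src_account, dst_account, region, new_instance_id):
    """Copy, share, copy again and restore, mirroring the console steps.

    rds_src and rds_dst are RDS clients for the source and destination
    accounts, e.g. boto3.Session(profile_name=...).client("rds").
    """
    shared_id, local_id = f"{snapshot_id}-cmk", f"{snapshot_id}-local"
    # 1. Source: re-encrypt the snapshot under the customer managed key.
    rds_src.copy_db_snapshot(SourceDBSnapshotIdentifier=snapshot_id,
                             TargetDBSnapshotIdentifier=shared_id, KmsKeyId=src_key)
    rds_src.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=shared_id)
    # 2. Source: share the copy with the destination account only.
    rds_src.modify_db_snapshot_attribute(DBSnapshotIdentifier=shared_id,
                                         AttributeName="restore",
                                         ValuesToAdd=[dst_account])
    # 3. Destination: a shared snapshot is referenced by its full ARN and
    #    re-encrypted under a key the destination account owns.
    shared_arn = f"arn:aws:rds:{region}:{src_account}:snapshot:{shared_id}"
    rds_dst.copy_db_snapshot(SourceDBSnapshotIdentifier=shared_arn,
                             TargetDBSnapshotIdentifier=local_id, KmsKeyId=dst_key)
    rds_dst.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=local_id)
    # 4. Destination: restore from the locally owned copy.
    rds_dst.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_instance_id, DBSnapshotIdentifier=local_id)
    return shared_arn, local_id


if __name__ == "__main__":
    src, dst = DryRunRDS(), DryRunRDS()  # swap in real boto3 clients to execute
    copy_share_restore(src, dst, snapshot_id="demo-snap", new_instance_id="demo-db",
                       src_key="SOURCE_KEY_ARN", dst_key="DEST_KEY_ARN",  # placeholders
                       src_account="111111111111", dst_account="222222222222",
                       region="us-east-1")
    for name, kwargs in src.calls + dst.calls:
        print(name, kwargs)
```

Once the restore has finished, the intermediate shared copy can be unshared or deleted and the destination account removed from the source key policy, so the cross-account access does not outlive the migration.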

What a long way to copy (backup) and restore in a new AWS account. I hope AWS provides us with a better way to achieve this goal.

Thanks!