AWS Cross Account Encrypted RDS DB Cloning

Today, I am going to write about cloning an encrypted RDS MySQL (Community edition) DB from one AWS account to another.

Current setup: Account A has a DB encrypted with the default AWS managed key (aws/rds).

Requirement: clone that DB into Account B.


Steps Involved:

1. Take a manual snapshot of the DB.

2. You can't share that snapshot with Account B. The console reports "Sharing snapshots encrypted with the default service key for RDS is currently not supported." because the DB is encrypted with the default key.

3. Create a symmetric KMS key in Account B.

4. Share the KMS key in Account B with Account A (done during key creation, on the "Define key usage permissions" screen).

5. In Account A, copy the manual snapshot to a new snapshot, choosing the shared KMS key by ARN as the encryption key.

6. In Account A, share the newly copied snapshot with Account B.

7. You can't restore directly from the shared snapshot. In Account B, copy the snapshot again, encrypting it with a new KMS key or the default aws/rds key; a target option group can be chosen at this point (optional).

8. Restore a DB from the snapshot that was copied in step 7.
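Step 4 is the part that most often goes wrong, because "sharing" the key is really a key policy in Account B that grants Account A's principals a specific set of kms actions (the "Define key usage permissions" screen writes such a policy for you). The following is an added example, not part of the original post: it builds the key policy that step 4 produces and includes an audit function you can run against any existing key policy to confirm Account A actually has the actions RDS needs before attempting the copy in step 5. The account IDs are constructed placeholders, and the separate CreateGrant statement with the kms:GrantIsForAWSResource condition is a least-privilege tightening of my own (it limits grant creation to AWS services acting for Account A), not something the post prescribes.

```python
"""Build and audit the KMS key policy that lets Account A (source) copy its
RDS snapshot under a customer managed key owned by Account B (owner)."""
import json
from fnmatch import fnmatchcase

# Actions RDS needs on the key to re-encrypt a snapshot copy and to create the
# grants it uses internally. ReEncrypt* / GenerateDataKey* in a policy expand
# to these concrete actions, which is what the audit checks for.
REQUIRED_KEY_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)


def root_arn(account_id: str) -> str:
    """Account root principal; IAM policies inside that account then scope it down."""
    return f"arn:aws:iam::{account_id}:root"


def build_key_policy(owner_account: str, source_account: str) -> dict:
    """Key policy for the symmetric key created in Account B (owner_account).
    Administration stays with Account B; Account A (source_account) only gets
    the usage actions required to copy a snapshot with the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyAdministrationInOwnerAccount",
                "Effect": "Allow",
                "Principal": {"AWS": root_arn(owner_account)},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowSourceAccountToUseTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": root_arn(source_account)},
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey",
                ],
                "Resource": "*",
            },
            {
                "Sid": "AllowSourceAccountGrantsForAwsServices",
                "Effect": "Allow",
                "Principal": {"AWS": root_arn(source_account)},
                "Action": "kms:CreateGrant",
                "Resource": "*",
                # Only AWS services acting on behalf of Account A principals
                # (RDS, for the snapshot copy) may create grants on this key.
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_key_actions(policy: dict, account_id: str) -> list:
    """Audit helper: return the required actions that `policy` does NOT allow
    to the root principal of `account_id`. An empty list means the
    cross-account snapshot copy can use the key. Only Allow statements that
    name the account root explicitly are counted; Deny statements and
    wildcard principals are deliberately not treated as a grant."""
    allowed = set()
    principal = root_arn(account_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        prin = stmt.get("Principal", {})
        principals = _as_list(prin.get("AWS", [])) if isinstance(prin, dict) else []
        if principal not in principals:
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in REQUIRED_KEY_ACTIONS:
            if any(fnmatchcase(action, pattern) for pattern in patterns):
                allowed.add(action)
    return [a for a in REQUIRED_KEY_ACTIONS if a not in allowed]


if __name__ == "__main__":
    # Constructed placeholder account IDs: B = owner of the key, A = snapshot source
    policy = build_key_policy("111111111111", "222222222222")
    print(json.dumps(policy, indent=2))
    print("missing for Account A:", missing_key_actions(policy, "222222222222"))
```

To audit a key that already exists, feed the output of `aws kms get-key-policy --key-id <key> --policy-name default` (parsed as JSON) to `missing_key_actions` with Account A's ID; anything it lists is why the step 5 copy will fail with an access error.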


Screenshot - Step 2 error

Screenshot - Step 3

Screenshot - Step 4

Screenshot - Step 5

Screenshot - Step 6 (in my case I shared with two different accounts)



Hope this helps someone. 