Restore a shared snapshot (between two different AWS accounts) RDS/PostgreSQL

Question:

I have a snapshot that was shared to my AWS account from a partner.
When I tried to restore it, it doesn’t show a restore option.
The only options I can see right now are copy snapshot/migrate snapshot.

How can I restore this snapshot?


Asked By: burns0907


Answers:

I guess it’s encrypted; you need to first copy the snapshot and change the keys, and then restore.

https://aws.amazon.com/premiumsupport/knowledge-center/rds-snapshots-share-account/

A shared snapshot is still located in the other account. You need to copy the snapshot to your account. Then you will have access to the normal AWS commands.

Answered By: John Hanley

The snapshots are encrypted with the master key (default key). We can’t grant access to others while using the default key.

Created a new shared key, attached it to RDS and granted permissions from the shared key, and now we were able to share and decrypt/copy.

Answered By: burns0907

To copy an RDS instance / database from one AWS account into another AWS account:

  • Tip: If the RDS instance for the database is unencrypted, then it’s as simple as pie. If it’s encrypted (especially by AWS’s default encryption), then the below will hopefully help.

Instructions:

  • The SOURCE AWS account (AccountA) is Acct # 111122223333 in the examples.
  • The TARGET AWS account (AccountB) is Acct # 444455556666 in the examples.

QUESTION: Is the snapshot you wish to copy from AccountA to AccountB encrypted?

  • No? Then life is really easy.

Within the SOURCE AWS account:

  • Simply navigate to RDS>Snapshots>Actions>Share snapshot.
  • Input the target AWS account, which you get from your AWS user profile.

Within the TARGET AWS account:

  • Navigate to RDS>Snapshots>Shared with me. Choose Actions>Restore.
  • Sit back and enjoy your awesomeness.

QUESTION: Is the snapshot you wish to copy from AccountA to AccountB encrypted?
Yes? Oh gosh. Sorry, some more work is needed…

Is it encrypted using AWS’s default encryption? Yes? Then you have to copy the snapshot and re-encrypt it using your own AWS KMS key. This same key is referenced in both the SOURCE and the TARGET AWS accounts,
i.e. this means you have to encrypt twice: in the source AWS account and in the target AWS account.

Note: You cannot unencrypt an encrypted snapshot. You can only encrypt it using another key.

Within the SOURCE AWS account (Acct 111122223333):

  • Create or add an AWS KMS Key that references the TARGET AWS account (Acct: 444455556666). Navigate to KMS>Customer managed keys to do this.

Note for the JSON example below:

  • arn:aws:iam::111122223333:user/KeyUser is you or an admin account.
  • arn:aws:iam::444455556666:root is the TARGET account.

Note the repetition in "Sid": "Allow use of the key" and "Sid": "Allow attachment of persistent resources".

Give the new key a meaningful name, e.g. “Allows data transfer to or from other AWS accounts”. You can simply add more AWS accounts in the “:root” rows below.

{
  "Id": "key-policy-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KeyUser",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KeyUser",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
    }
  ]
}

Now you will have an AWS KMS key set up that allows the target account to use the resources in the source account that are encrypted with this key.

When you look at this KMS key again, you will now see a key ID (Link A below) that you need to use later, in the TARGET AWS account.

Navigate to:

  • RDS>Snapshots>Actions>Copy snapshot
  • Goto Encryption>AWS KMS Key
  • Choose the new key you created above (that contains the target AWS account in it).
  • Name the new snapshot, and then select “Copy snapshot”.
  • Then make your snapshot shareable: Actions>Share snapshot.
  • Specify the new AWS Account ID.

Within the TARGET AWS account (Acct 444455556666):

  • Navigate to KMS>Customer managed keys.

Note for the below: arn:aws:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26 is the same type of ID as Link A above, the ID I referenced in the screenshot above.

AWS account 111122223333 below is the SOURCE AWS account ID.

Note the repetition in "Sid": "Allow use of the key" and "Sid": "Allow attachment of persistent resources".

Again, give the new key a meaningful name, e.g. “Allows data transfer to or from other AWS accounts”.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:RetireGrant"
            ],
            "Resource": ["arn:aws:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": ["arn:aws:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

If you have multiple keys you need to reference, you can simply list them as:

            "Resource": [
                "arn:aws:kms:us-west-2:111122223333:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26",
                "arn:aws:kms:us-west-2:111122223333:key/mrk-90f7e1a9282068dbbf30f734dad7f4fa"
            ],

Go to RDS -> Snapshots -> Shared with me.

  • Choose the incoming snapshot and select Copy.
  • Now change the AWS KMS key (Encryption section) to the new local key you defined above in Encryption -> AWS KMS Key, i.e. the key you previously created in this, the TARGET account, that references a key in the SOURCE account.
  • This will now encrypt the copy using the new encryption key.
  • This should now allow you to restore that snapshot in the new TARGET AWS acct.
  • Sit back and enjoy your awesomeness.

Answered By: Andrew J Hanlon
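As an added, runnable illustration of the key policies in this answer (my code, not the answer's own; the account IDs and KeyUser ARN are the answer's placeholders), here is a small Python script that builds the SOURCE-account key policy for any number of target accounts and checks a policy the way you would before clicking Copy snapshot: does the target account root get every action the answer grants, and does no statement open the key to every AWS account with a `*` principal?

```python
# Action lists copied from the key policies in the answer above.
KMS_USE_ACTIONS = ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                   "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
KMS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def source_key_policy(key_admin_arn, target_account_ids):
    """SOURCE-account key policy: key admin plus each target account root,
    with the same two statements the answer uses (one ':root' per target)."""
    principals = [key_admin_arn] + [f"arn:aws:iam::{a}:root" for a in target_account_ids]
    return {"Id": "key-policy-1", "Version": "2012-10-17", "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": principals}, "Action": list(KMS_USE_ACTIONS),
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": principals}, "Action": list(KMS_GRANT_ACTIONS),
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}


def _covers(pattern, action):
    """IAM action wildcard match, e.g. 'kms:ReEncrypt*' covers 'kms:ReEncryptTo'."""
    return pattern == "*" or (pattern.endswith("*") and action.startswith(pattern[:-1])) \
        or pattern == action


def policy_findings(policy, target_account_id):
    """List problems to fix before copying the snapshot: an action from the
    answer's list that the target root is not allowed, or a '*' principal that
    would let any AWS account use the key. Empty list: policy matches the answer."""
    target_root = f"arn:aws:iam::{target_account_id}:root"
    granted, findings = set(), []
    for stmt in policy.get("Statement", []):
        prin = stmt.get("Principal", {})
        principals = prin.get("AWS", []) if isinstance(prin, dict) else prin
        principals = [principals] if isinstance(principals, str) else principals
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in principals:
            findings.append(f"{stmt.get('Sid')}: Principal '*' lets any AWS account use the key")
        if target_root in principals:
            # Strip the trailing '*' from the required pattern and test its stem.
            granted.update(a for a in KMS_USE_ACTIONS
                           if any(_covers(p, a.rstrip("*")) for p in actions))
    findings += [f"{target_account_id} is not allowed {a}" for a in KMS_USE_ACTIONS
                 if a not in granted]
    return findings
```

Run `policy_findings` against the JSON you are about to paste into KMS>Customer managed keys; a non-empty list is the reason the copy in the target account will fail, or the reason the key is shared more widely than this procedure needs.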