KMS Key Permission Requirements for Amazon RDS Using Snapshot

To replicate a copy of encrypted Amazon RDS snapshots, you need certain KMS permissions and keys.

Note

You must configure the key on both the source and target AWS accounts for cross-account and cross-region replication.

Requirements

Create a stack in the AWS CloudFormation console using the YAML template. For details on stack creation, refer to the AWS documentation.

While creating the stack, provide the following parameters:

  • Alias: Specify the KMS alias name in the format alias/<any_name>.

  • ExternalAccountId: Enter the AWS replication account ID.

    When deployed through CloudFormation, the stack automatically handles the required KMS alias/tag setup, IAM key-user access, and necessary permissions, removing the need for manual configuration.

Configure Encryption Key Sharing in the AWS Console

  1. Log on to the AWS Console as a user, or with a role, that belongs to the account that contains the snapshots.

  2. On the ribbon, click Services.

  3. Click Key Management Service.

  4. Under Key users, select a key:

    • If you select a key that is tagged with cvlt-rds or cvlt-master, you can add another account by adding that account's root principal to the key policy in JSON.

    • If you select your own custom key, complete the following steps:

      1. Under Other AWS accounts, click Add Other AWS Account.

        The Other AWS accounts page appears.

      2. In the arn:aws:iam:: box, enter the ID of the AWS account that you want to copy the snapshots to.

      3. Click Save changes.

  5. Click Save changes.
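The following CloudFormation template is an added example, not the vendor's template referenced in the Requirements section; it shows what a stack taking the Alias and ExternalAccountId parameters typically has to create, and the key policy statements it grants are the same ones the console steps above add when you enter the replication account under Other AWS accounts. The resource names SnapshotKey and SnapshotKeyAlias are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Alias:
    Type: String
    Description: KMS alias name, in the form alias/<any_name>
  ExternalAccountId:
    Type: String
    Description: Replication account ID that will copy the encrypted snapshots
Resources:
  SnapshotKey:  # resource name is an assumption for this example
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Administration of the key stays with the source account.
          - Sid: AllowSourceAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Key-user access for the replication account root, the same
          # trust the console "Other AWS accounts" step adds.
          - Sid: AllowExternalAccountUse
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ExternalAccountId}:root"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          # RDS copies encrypted snapshots through KMS grants; allow only
          # grants that are created on behalf of an AWS service.
          - Sid: AllowExternalAccountGrants
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ExternalAccountId}:root"
            Action: kms:CreateGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: "true"
  SnapshotKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Ref Alias
      TargetKeyId: !Ref SnapshotKey
```

Because the external principal is the account root, every IAM identity in the replication account that its own policies allow can use the key; scope the grant to a specific role ARN instead if that is too broad for your environment.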
