KMS Key Permission Requirements for Amazon Redshift

To replicate a copy of encrypted Amazon Redshift snapshots, you need certain KMS permissions and keys.

Requirements

To replicate a copy of encrypted Amazon Redshift snapshots, the user can have either the cvlt-rds alias or the cvlt-master alias at the destination region in the source and destination account. If the user is using the key with a different alias, then the user must create a tag for the KMS key with the tag name cvlt-rds or cvlt-master at the destination region.
- For the default key encrypted snapshots, the snapshots must be initially copied with Customer Managed Key (CMK) using the Commvault Cloud snapshot copy feature before attempting cross-account restore.
The IAM user must be added as a key user for the KMS key used for the destination region. For information about using a KMS key for different accounts, go to Allowing users in other accounts to use a KMS key, on the AWS website.
The AWS account that you want to copy the snapshots to must have the following permissions:
- kms:CreateGrant
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
- kms:DescribeKey

Log on to the AWS Console as the user or with a role associated with the account that contains the snapshots.
On the ribbon, click Services.
Click Key Management Service.
Under Key users, select a key:
- If you select a key that is tagged with cvlt-rds or cvlt-master, you can add another account by adding the account root in JSON.
- If you select your own custom key, complete the following steps:
  1. Under Other AWS accounts, click Add Other AWS Account.
    
    The Other AWS accounts page appears.
  2. In the arn:aws:iam:: box, enter the number of the AWS account that you want to copy the snapshots to.
  3. Click Save changes.
Click Save changes.