To replicate a copy of encrypted Amazon RDS snapshots to a destination region or account, you need specific AWS KMS keys and KMS key permissions.
Requirements
- To replicate a copy of encrypted Amazon RDS snapshots, the KMS key at the destination region, in both the source account and the destination account, can have either the cvlt-rds alias or the cvlt-master alias. If the key uses a different alias, the user must tag the KMS key at the destination region with the tag name cvlt-rds or cvlt-master.
- The IAM user must be added as a key user for the KMS key used for the destination region. For information about using a KMS key from a different account, see Allowing users in other accounts to use a KMS key on the AWS website.
- The AWS account that you want to copy the snapshots to must have the following permissions on the KMS key. Granting them to the account root in the key policy lets that account delegate access; the IAM user or role in the destination account that performs the copy must also have an IAM policy that allows the same actions on the key.
  - kms:CreateGrant
  - kms:Encrypt
  - kms:Decrypt
  - kms:ReEncrypt*
  - kms:GenerateDataKey*
  - kms:DescribeKey
Configure Encryption Key Sharing in the AWS Console
- Log on to the AWS Console as the user, or with a role, associated with the account that contains the snapshots.
- On the ribbon, click Services.
- Click Key Management Service.
- Under Key users, select a key:
  - If you select a key that is tagged with cvlt-rds or cvlt-master, you can add another account by adding that account's root principal (arn:aws:iam::<account ID>:root) to the key policy JSON.
  - If you select your own custom key, complete the following steps:
    - Under Other AWS accounts, click Add Other AWS Account. The Other AWS accounts page appears.
    - In the arn:aws:iam:: box, enter the 12-digit ID of the AWS account that you want to copy the snapshots to.
    - Click Save changes.
- Click Save changes.
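The requirements list and the console procedure above both come down to one key-policy statement: the destination account's root principal is granted the six KMS actions on the key. The following Python is an added example, not Commvault's or AWS's code. It builds that statement, adds it to an exported key policy, and checks whether a given policy already grants everything the requirements list (expanding kms:ReEncrypt* and kms:GenerateDataKey* to the concrete KMS actions, honouring explicit Deny statements, and skipping conditional statements it cannot evaluate); it also checks for the cvlt-rds or cvlt-master alias or tag. The account IDs and the sample policy are constructed, and the function names are this example's own.

```python
"""Key-policy helper for cross-account copy of encrypted RDS snapshots.

Added example, not Commvault's or AWS's code. Account IDs and the sample
policy are constructed; the ARN format and KMS action names are AWS's own.
"""
import fnmatch
import json
import re

# Actions the destination account needs on the key, as the requirements list them.
REQUIRED_ACTIONS = ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                    "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

# The same list with both wildcards expanded, so a policy that grants the
# concrete actions individually is also recognised as sufficient.
CONCRETE_REQUIRED = ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                     "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey",
                     "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPair",
                     "kms:GenerateDataKeyPairWithoutPlaintext", "kms:DescribeKey"]

CVLT_MARKERS = ("cvlt-rds", "cvlt-master")  # accepted alias or tag names


def account_root_arn(account_id):
    """Account-root principal ARN for a 12-digit AWS account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return f"arn:aws:iam::{account_id}:root"


def cross_account_statement(account_id):
    """The statement the console's 'Other AWS accounts' step adds for one account."""
    return {"Sid": f"AllowRdsSnapshotCopyFrom{account_id}", "Effect": "Allow",
            "Principal": {"AWS": account_root_arn(account_id)},
            "Action": REQUIRED_ACTIONS, "Resource": "*"}


def add_cross_account_access(policy_json, account_id):
    """Return the key policy JSON with the destination account granted (idempotent)."""
    policy = json.loads(policy_json)
    stmt = cross_account_statement(account_id)
    # Replace an earlier statement with the same Sid rather than duplicating it.
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != stmt["Sid"]]
    policy["Statement"] = kept + [stmt]
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _names_account(stmt, account_id):
    """True if the statement's principal covers this account's root."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    accepted = ("*", account_id, account_root_arn(account_id))
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def missing_actions(policy_json, account_id):
    """Required actions the key policy does not grant to the account root.

    Conditional statements are skipped (the check cannot evaluate them), and a
    matching Deny removes what an Allow granted, as IAM's explicit deny does.
    Action names match case-insensitively with IAM wildcards via fnmatch.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if "Condition" in stmt or not _names_account(stmt, account_id):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        target = denied if stmt.get("Effect") == "Deny" else allowed
        for action in CONCRETE_REQUIRED:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return [a for a in CONCRETE_REQUIRED if a not in allowed or a in denied]


def has_cvlt_marker(aliases, tag_keys):
    """True if the key carries a cvlt-rds or cvlt-master alias or tag name."""
    names = {a[len("alias/"):] if a.startswith("alias/") else a for a in aliases}
    return any(m in names | set(tag_keys) for m in CVLT_MARKERS)


# Constructed sample: the default key policy, which grants only the source
# account full access; the destination account is not mentioned at all.
SOURCE_ACCOUNT, DESTINATION_ACCOUNT = "111122223333", "444455556666"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": account_root_arn(SOURCE_ACCOUNT)},
     "Action": "kms:*", "Resource": "*"}]})

if __name__ == "__main__":
    print("missing before:", missing_actions(SAMPLE_POLICY, DESTINATION_ACCOUNT))
    updated = add_cross_account_access(SAMPLE_POLICY, DESTINATION_ACCOUNT)
    print("missing after:", missing_actions(updated, DESTINATION_ACCOUNT))
```

To use this against a real key, export its policy with `aws kms get-key-policy --key-id <key ID> --policy-name default --output text`, pass the text to `missing_actions` with the destination account ID, and write the amended policy back with `aws kms put-key-policy --key-id <key ID> --policy-name default --policy file://policy.json`. A clean result from `missing_actions` only proves the key-policy half of the requirement; the IAM user or role in the destination account still needs an IAM policy that allows the same actions on this key.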