KMS Key Permission Requirements

To replicate copies of encrypted Amazon RDS snapshots to another region or account, the KMS keys involved must be named and shared as described here, and the account that receives the copies must hold specific KMS permissions on the key.

Requirements

  • The KMS key in the destination region, in both the source account and the destination account, must have the alias cvlt-rds or cvlt-master. If the key uses a different alias, add a tag whose key is cvlt-rds or cvlt-master to that KMS key in the destination region.

  • The IAM user must be added as a key user of the KMS key used in the destination region. For information about using a KMS key from a different account, see Allowing users in other accounts to use a KMS key on the AWS website.

  • The AWS account that you copy the snapshots to must be granted the following permissions on the KMS key:

    • kms:CreateGrant

    • kms:Encrypt

    • kms:Decrypt

    • kms:ReEncrypt*

    • kms:GenerateDataKey*

    • kms:DescribeKey

Configure Encryption Key Sharing in the AWS Console

  1. Log on to the AWS Console as a user or role in the account that contains the snapshots.

  2. On the ribbon, click Services.

  3. Click Key Management Service.

  4. Select the KMS key used for the destination region and open its key policy:

    • If the key is tagged with cvlt-rds or cvlt-master, grant another account access by switching the key policy to the JSON view and adding that account's root principal (arn:aws:iam::<account-id>:root) to the policy.

    • If you select your own custom key, complete the following steps:

      1. Under Other AWS accounts, click Add Other AWS Account.

        The Other AWS accounts page appears.

      2. In the arn:aws:iam:: box, enter the 12-digit ID of the AWS account that you want to copy the snapshots to.

      3. Click Save changes.

  5. Click Save changes.
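The key policy that the permission list above and the console steps produce, as an added example that is not Commvault's or AWS's code. It builds the cross-account statement (destination account root as principal, the six kms: actions listed above) for a constructed account ID, audits an existing key policy for the actions still missing, and checks the alias/tag naming rule. The account IDs, the sample "default" key policy, aliases and tags are constructed sample data; the policy shape is the standard AWS key-policy pattern for key users in another account, and the cvlt-rds/cvlt-master names come from this page.

```python
"""Build and audit a KMS key policy for cross-account copies of encrypted RDS
snapshots.  Added example, not Commvault or AWS code; account IDs, the sample
policy, aliases and tags below are constructed, not real resources."""
import copy
import json
import re
from fnmatch import fnmatch

# The permissions the page lists for the account that receives the copies.
REQUIRED_ACTIONS = (
    "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
    "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey",
)
ACCEPTED_NAMES = {"cvlt-rds", "cvlt-master"}   # accepted alias or tag names
ACCOUNT_ID_RE = re.compile(r"\d{12}")

SOURCE_ACCOUNT = "111111111111"   # constructed sample IDs, not real accounts
DEST_ACCOUNT = "222222222222"

# Constructed sample: the default key policy AWS creates for a new key, which
# only lets the key's own account manage it.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def root_principal(account_id):
    """ARN the console's 'Other AWS accounts' box expands an account ID to."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"AWS account IDs are 12 digits, got {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def cross_account_statement(account_id):
    """Key-policy statement granting the page's six actions to an account root."""
    return {
        "Sid": f"AllowSnapshotCopyBy{account_id}",
        "Effect": "Allow",
        "Principal": {"AWS": root_principal(account_id)},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    }


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals named by a statement ("*" and service principals ignored)."""
    principal = statement.get("Principal", {})
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def granted_actions(policy, account_id):
    """Actions that unconditional Allow statements grant to the account root.
    Allow-side audit only: Deny statements and Conditions are not evaluated,
    so an empty 'missing' set means nothing is missing, not that the copy
    is guaranteed to succeed."""
    root = root_principal(account_id)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principals = _aws_principals(stmt)
        # A bare account ID in Principal.AWS is shorthand for the root ARN.
        if root in principals or account_id in principals:
            granted.update(_as_list(stmt.get("Action")))
    return granted


def missing_actions(policy, account_id):
    """Required actions the policy does not grant to the destination root.
    IAM action matching is case-insensitive with '*' wildcards, so a grant of
    kms:* or kms:ReEncrypt* satisfies the corresponding requirement."""
    granted = [a.lower() for a in granted_actions(policy, account_id)]
    return {need for need in REQUIRED_ACTIONS
            if not any(fnmatch(need.lower(), g) for g in granted)}


def add_cross_account_access(policy, account_id):
    """Copy of `policy` with the destination account granted access; a no-op
    when the root is already fully covered, so re-running is safe."""
    updated = copy.deepcopy(policy)
    if missing_actions(updated, account_id):
        statements = _as_list(updated.get("Statement"))
        updated["Statement"] = statements + [cross_account_statement(account_id)]
    return updated


def key_name_ok(aliases, tags):
    """The page's naming rule: alias cvlt-rds/cvlt-master, or a tag of that
    name when the key uses another alias.  `aliases` uses the 'alias/<name>'
    form that `aws kms list-aliases` returns; `tags` is {key: value}."""
    names = {a.split("alias/", 1)[-1] for a in aliases}
    return bool(names & ACCEPTED_NAMES) or bool(set(tags) & ACCEPTED_NAMES)


if __name__ == "__main__":
    print("missing before:", sorted(missing_actions(SAMPLE_KEY_POLICY, DEST_ACCOUNT)))
    updated = add_cross_account_access(SAMPLE_KEY_POLICY, DEST_ACCOUNT)
    print("missing after: ", sorted(missing_actions(updated, DEST_ACCOUNT)))
    print(json.dumps(updated, indent=2))   # paste into the console's JSON policy view
    print("key name ok:", key_name_ok(["alias/prod-rds"], {"cvlt-rds": ""}))
```

The printed JSON is what goes into the key policy JSON view in step 4, or into `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json` from the CLI. Two caveats the audit makes visible: it only counts unconditional Allow statements, so a Deny or a Condition on the key policy still has to be reviewed by hand, and a clean key policy on its own is not enough, because the destination account's IAM user also needs an identity policy that allows the same actions on the key, which is the "key user" requirement above.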
