Sharing Default AWS KMS Key Encrypted RDS Snapshot

When I look at my Production Account occasionally

You can’t share a snapshot that has been encrypted using the default AWS KMS encryption key of the AWS account that shared the snapshot.

Self Approval
Encryption details of our RDS
Snapshot of our RDS
AWS doesn’t allow us to share default AWS KMS Key encrypted snapshots
Copying the first snapshot with our CMK
The error message is now gone
Key policy of the CMK in the source account (123456789012). The two statements with the target account root (456789012345) as principal are what let the other account use the key and create grants for AWS resources:
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForKeyAdministrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/MainAccountUser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/MainAccountUser",
          "arn:aws:iam::456789012345:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::456789012345:root"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
IAM policy for the source-account user that copies the snapshot with the CMK and shares it. The first two statements scope key use and grants to the custom key; the last statement (AllowReencryptionOfNewCMK) allows the re-encryption needed when copying to the new key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:123456789012:key/${our_custom_key_id}"
      ]
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:123456789012:key/${our_custom_key_id}"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "AllowReencryptionOfNewCMK",
      "Effect": "Allow",
      "Action": [
        "kms:ReEncryptTo*",
        "kms:ReEncryptFrom*"
      ],
      "Resource": "*"
    }
  ]
}
We can see our shared snapshot under “Shared With Me”
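As an added pre-flight check (example code, not part of the original post), the script below encodes the two conditions the walkthrough hits: a snapshot encrypted with the AWS-managed aws/rds key is not shareable and must first be copied with a CMK, and the CMK's key policy must grant the target account root the use and grant actions shown above. Key ids, the CMK alias and the snapshot records are constructed placeholders; the account ids are the ones used in the policies.

```python
import fnmatch

# Actions the target account's root must be allowed on the CMK: the ones in the
# AllowUseOfTheKey and AllowAttachmentOfPersistentResources statements above.
REQUIRED = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def snapshot_is_shareable(snapshot, key_aliases):
    """False if the snapshot is encrypted with an AWS-managed key (alias/aws/*)."""
    if not snapshot.get("Encrypted"):
        return True
    alias = key_aliases.get(snapshot.get("KmsKeyId"), "")
    return not alias.startswith("alias/aws/")

def missing_key_permissions(policy, account_id):
    """REQUIRED actions the key policy does not grant to the account's root principal."""
    root = f"arn:aws:iam::{account_id}:root"
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or root not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        patterns = _as_list(stmt.get("Action"))  # may contain wildcards such as kms:ReEncrypt*
        granted |= {a for a in REQUIRED if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
    return REQUIRED - granted

# Constructed sample data (key ids are placeholders): the original snapshot under
# the aws/rds key, its CMK-encrypted copy, and the cross-account part of the key policy.
ALIASES = {"arn:aws:kms:eu-central-1:123456789012:key/DEFAULT-KEY-ID": "alias/aws/rds",
           "arn:aws:kms:eu-central-1:123456789012:key/CMK-ID": "alias/prod-rds-share"}
ORIGINAL = {"Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/DEFAULT-KEY-ID"}
COPY = {"Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/CMK-ID"}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:user/MainAccountUser",
                           "arn:aws:iam::456789012345:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::456789012345:root"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}

if __name__ == "__main__":
    print("original shareable:", snapshot_is_shareable(ORIGINAL, ALIASES))   # False
    print("copy shareable:", snapshot_is_shareable(COPY, ALIASES))           # True
    print("missing:", missing_key_permissions(KEY_POLICY, "456789012345"))   # set()
```

In a real account the alias map comes from kms:ListAliases and the snapshot records from rds:DescribeDBSnapshots; the policy check is the same.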
Thanks for your time!

Mert Açıkportalı