Sharing Default AWS KMS Key Encrypted RDS Snapshot

When I look at my Production Account occasionally

You can’t share a snapshot that has been encrypted using the default AWS KMS encryption key of the AWS account that shared the snapshot.

Self Approval
Encryption details of our RDS
Snapshot of our RDS
AWS doesn’t allow us to share default AWS KMS Key encrypted snapshots
Copying the first snapshot with our CMK
The error message is now gone
```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForKeyAdministrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/MainAccountUser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/MainAccountUser",
          "arn:aws:iam::456789012345:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::456789012345:root"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:123456789012:key/${our_custom_key_id}"
      ]
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:123456789012:key/${our_custom_key_id}"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "AllowReencryptionOfNewCMK",
      "Effect": "Allow",
      "Action": [
        "kms:ReEncryptTo*",
        "kms:ReEncryptFrom*"
      ],
      "Resource": "*"
    }
  ]
}
```
We can see our shared snapshot under “Shared With Me”
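The whole procedure above (detect that the snapshot is under the AWS-managed default key, copy it under our CMK, verify the CMK policy actually grants the receiving account what RDS needs, then share) as an added example in Python. This is not code from the original post; it uses the real boto3 method names (describe_db_snapshots, describe_key, copy_db_snapshot, get_waiter("db_snapshot_available"), modify_db_snapshot_attribute), but the FakeAws class, the account ids, key ARNs and the sample key policy are constructed so that it runs offline. Pass real boto3 clients in place of the fake to run it for real.

```python
"""Added example: copy a default-key RDS snapshot under a CMK and share it,
with a pre-check that the CMK key policy grants the target account what RDS
needs. FakeAws stands in for boto3 clients; all ids below are constructed."""
import fnmatch

OWNER_ACCOUNT = "123456789012"   # constructed: account that owns snapshot and CMK
TARGET_ACCOUNT = "456789012345"  # constructed: account we share the snapshot with
CMK_ARN = f"arn:aws:kms:eu-central-1:{OWNER_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
DEFAULT_KEY_ARN = f"arn:aws:kms:eu-central-1:{OWNER_ACCOUNT}:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Concrete KMS actions the target account needs on the CMK to copy/restore the snapshot.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:DescribeKey", "kms:CreateGrant"]

# Constructed key policy in the same shape as the post's CMK policy (admin statements omitted).
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{TARGET_ACCOUNT}:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy: dict, account_id: str) -> set:
    """Required actions that some Allow statement grants to the account (root ARN or bare id)."""
    principals = {f"arn:aws:iam::{account_id}:root", account_id}
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in aws and principals.isdisjoint(aws):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in REQUIRED_ACTIONS:
                # IAM action matching is case-insensitive and '*' is a wildcard.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def missing_actions(policy: dict, account_id: str) -> list:
    return sorted(set(REQUIRED_ACTIONS) - granted_actions(policy, account_id))


def is_aws_managed_key(kms, key_id: str) -> bool:
    """The default aws/rds key reports KeyManager 'AWS'; a CMK reports 'CUSTOMER'."""
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"] == "AWS"


def share_snapshot(rds, kms, source_id, target_id, cmk_arn, account_id, key_policy) -> str:
    """Share source_id with account_id, copying it under cmk_arn first if it uses the default key."""
    missing = missing_actions(key_policy, account_id)
    if missing:
        raise ValueError(f"CMK policy does not grant {account_id}: {missing}")
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=source_id)["DBSnapshots"][0]
    share_id = source_id
    if snap.get("Encrypted") and is_aws_managed_key(kms, snap["KmsKeyId"]):
        # RDS refuses to share default-key snapshots, so re-encrypt by copying under the CMK.
        rds.copy_db_snapshot(SourceDBSnapshotIdentifier=source_id,
                             TargetDBSnapshotIdentifier=target_id, KmsKeyId=cmk_arn)
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target_id)
        share_id = target_id
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=share_id, AttributeName="restore",
                                     ValuesToAdd=[account_id])
    return share_id


class FakeAws:
    """Constructed stand-in for boto3 RDS and KMS clients; records the calls it receives."""
    def __init__(self, snapshot_key_arn):
        self.snapshot_key_arn, self.calls = snapshot_key_arn, []

    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [{"DBSnapshotIdentifier": DBSnapshotIdentifier,
                                 "Encrypted": True, "KmsKeyId": self.snapshot_key_arn}]}

    def describe_key(self, KeyId):
        manager = "AWS" if KeyId == DEFAULT_KEY_ARN else "CUSTOMER"
        return {"KeyMetadata": {"Arn": KeyId, "KeyManager": manager}}

    def copy_db_snapshot(self, **kw):
        self.calls.append("copy_db_snapshot")
        return {"DBSnapshot": {"DBSnapshotIdentifier": kw["TargetDBSnapshotIdentifier"]}}

    def get_waiter(self, name):
        self.calls.append("get_waiter")
        return self

    def wait(self, **kw):
        pass

    def modify_db_snapshot_attribute(self, **kw):
        self.calls.append("modify_db_snapshot_attribute")
        return {}


def demo(snapshot_key_arn=DEFAULT_KEY_ARN):
    """Run the procedure against the fake; returns (shared snapshot id, calls made)."""
    aws = FakeAws(snapshot_key_arn)
    shared = share_snapshot(aws, aws, "prod-db-snap", "prod-db-snap-cmk",
                            CMK_ARN, TARGET_ACCOUNT, SAMPLE_KEY_POLICY)
    return shared, aws.calls


if __name__ == "__main__":
    print(demo())
    print(missing_actions(SAMPLE_KEY_POLICY, "999999999999"))
```

The policy check is deliberately run before anything is copied: a snapshot copied under a CMK whose policy omits kms:CreateGrant for the receiving account shows up under "Shared With Me" but fails at restore time, so the missing actions are the first thing to look at when the share "works" but the restore does not.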
Thanks for your time!
