Share Encrypted RDS snapshots across AWS Accounts

An account can share AWS RDS snapshots, whether unencrypted or encrypted, with other AWS accounts. Unencrypted RDS snapshots can be shared privately as well as publicly; however, encrypted snapshots cannot be shared publicly for security reasons. A single account can share encrypted snapshots with up to 20 accounts via the RDS console, API, and CLI.

In addition to sharing encrypted database snapshots, an account can add encryption at rest using KMS keys to a previously unencrypted database instance. To accomplish this, the administrator copies a snapshot of the unencrypted database instance and enables the encryption key during the copy operation. Once the copy operation is complete, the administrator can restore a database instance from the copied snapshot, which is encrypted using the key specified. The same method can be used to change encryption keys for existing encrypted database instances. However, it is not possible to remove encryption from an encrypted database snapshot.
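
The copy-and-restore procedure above, followed by a private share with one account, written out with the AWS CLI as an added example that is not part of the original page. The `-plain`/`-encrypted` snapshot naming scheme is hypothetical and every identifier passed in is a placeholder.

```shell
#!/bin/sh
# Added example. Requires the AWS CLI with credentials for the account that
# owns the database instance. All identifiers are supplied by the caller.

# Encrypt an unencrypted instance: snapshot it, copy the snapshot with a KMS
# key (encryption is applied during the copy), then restore from the copy.
encrypt_via_snapshot_copy() (
  instance=$1 kms_key=$2 new_instance=$3
  plain="${instance}-plain"            # hypothetical naming scheme
  encrypted="${instance}-encrypted"

  aws rds create-db-snapshot \
      --db-instance-identifier "$instance" \
      --db-snapshot-identifier "$plain" &&
  aws rds wait db-snapshot-available --db-snapshot-identifier "$plain" &&
  aws rds copy-db-snapshot \
      --source-db-snapshot-identifier "$plain" \
      --target-db-snapshot-identifier "$encrypted" \
      --kms-key-id "$kms_key" &&
  aws rds wait db-snapshot-available --db-snapshot-identifier "$encrypted" &&
  aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier "$new_instance" \
      --db-snapshot-identifier "$encrypted"
)

# Share a snapshot privately with one account. The value "all" (public
# sharing) and anything that is not a 12-digit account ID is refused locally.
# For an encrypted snapshot the target account also needs access to the KMS
# key, which must be a customer managed key (key policy change not shown).
share_snapshot() (
  snapshot=$1 account=$2
  case "$account" in
    ''|*[!0-9]*) echo "refusing to share with '$account'" >&2; exit 2 ;;
  esac
  [ "${#account}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; exit 2; }
  aws rds modify-db-snapshot-attribute \
      --db-snapshot-identifier "$snapshot" \
      --attribute-name restore --values-to-add "$account"
)

# Usage: ./encrypt-and-share.sh <instance> <kms-key-id> <new-instance> <account-id>
if [ "$#" -eq 4 ]; then
  encrypt_via_snapshot_copy "$1" "$2" "$3" && share_snapshot "${1}-encrypted" "$4"
fi
```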

To learn how to share AWS RDS snapshots across AWS accounts, download the case study.