Copying Snapshots Across AWS Accounts (with KMS Encryption)

Steps

  1. Create and Encrypt Snapshot
      • In the source account, create an EBS snapshot encrypted with a Customer Managed KMS Key (CMK).
  2. Update KMS Key Policy
      • Modify the CMK policy to allow the target account to use the key for Decrypt and DescribeKey operations.
  3. Share the Encrypted Snapshot
      • Share the snapshot with the target account via console, CLI, or SDK.
  4. Copy in Target Account
      • In the target account, copy the shared snapshot.
      • During copy, re-encrypt using a CMK owned by the target account.
  5. Create Volume
      • Use the re-encrypted snapshot to create a new EBS volume in the target account.
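
The five steps above as AWS CLI calls, one function per step. This is an added example, not part of the original notes; the profile names, region, account ID, key and volume identifiers, and the `policy.json` scratch file are constructed placeholders, and step 2 assumes `jq` is installed.

```shell
#!/usr/bin/env bash
# Added example; profile names and every ID below are constructed placeholders.
SRC_PROFILE=source; DST_PROFILE=target; REGION=us-east-1
TARGET_ACCOUNT=222222222222
VOLUME_ID=vol-PLACEHOLDER            # source volume, already encrypted with the CMK
SRC_KEY_ID=SOURCE_CMK_ID_PLACEHOLDER
DST_KEY_ARN=TARGET_CMK_ARN_PLACEHOLDER

# Step 2: statement for the source CMK policy, scoped to account $1 and to the
# two actions the page names. AWS's EBS documentation also lists kms:CreateGrant,
# kms:ReEncrypt* and kms:GenerateDataKey* for shared keys; add them if the copy is denied.
key_policy_statement() {
  cat <<EOF
{"Sid": "AllowSnapshotCopy$1", "Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::$1:root"},
 "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
EOF
}

src() { aws --profile "$SRC_PROFILE" --region "$REGION" "$@"; }
dst() { aws --profile "$DST_PROFILE" --region "$REGION" "$@"; }

# Step 1 (source): the snapshot inherits the volume's CMK. Prints the snapshot ID.
create_snapshot() {
  src ec2 create-snapshot --volume-id "$VOLUME_ID" --query SnapshotId --output text
}
# Step 2 (source): append the statement to the existing key policy (needs jq).
allow_target_on_key() {
  src kms get-key-policy --key-id "$SRC_KEY_ID" --policy-name default \
      --query Policy --output text |
    jq --argjson s "$(key_policy_statement "$TARGET_ACCOUNT")" '.Statement += [$s]' > policy.json
  src kms put-key-policy --key-id "$SRC_KEY_ID" --policy-name default --policy file://policy.json
}
# Step 3 (source): share snapshot $1 with the target account only.
share_snapshot() {
  src ec2 wait snapshot-completed --snapshot-ids "$1"
  src ec2 modify-snapshot-attribute --snapshot-id "$1" \
      --attribute createVolumePermission --operation-type add --user-ids "$TARGET_ACCOUNT"
}
# Step 4 (target): copy shared snapshot $1, re-encrypting under the target CMK.
copy_snapshot() {
  dst ec2 copy-snapshot --source-region "$REGION" --source-snapshot-id "$1" \
      --encrypted --kms-key-id "$DST_KEY_ARN" --query SnapshotId --output text
}
# Step 5 (target): create a volume from the re-encrypted copy $1 in AZ $2.
create_volume() {
  dst ec2 wait snapshot-completed --snapshot-ids "$1"
  dst ec2 create-volume --snapshot-id "$1" --availability-zone "$2"
}
```

The key policy only delegates to the target account; the IAM principal that runs step 4 also needs an IAM policy in the target account allowing the same KMS actions on the source key.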

Key Points

  • KMS key policies are mandatory for cross-account encrypted snapshot sharing.
  • A snapshot must be re-encrypted with a CMK in the target account before use.