Restore Redshift Snapshot to different account

0

We are trying to restore a snapshot of a redshift cluster from one account into a new account. Accounts are unlinked. Snapshot process and copy works fine. When we try to restore the snapshot on the new account it is requiring access to the Redshift KMS key from the source account.

The source cluster for this snapshot is encrypted. When you restore, the target database will be encrypted as well. You can't unencrypt the data as part of the restore operation. After you restore, you can change encryption settings.

Here it is prompting for access to the source key. I am not sure how, or if it is possible to give the new/destination account or my user access to the key from the old source account. The source Redshift cluster uses an AWS managed aws/redshift key from the source account. We want to bring the whole snapshot, redshift users and all, not just the data.

Asked a year ago, 950 views
3 answers
1
Accepted answer

You can't use built-in KMS key for Redshift on another account.

Answered a year ago
Expert
Reviewed 11 hours ago
0

Thank you Anusha. Since the source key is an AWS managed key, is it still possible to do what you described? I can edit the key policy for customer managed keys but don't appear to have the same option to edit key policy for AWS managed keys. It could be my access level but maybe the key policy can't be edited for AWS managed keys?

Answered a year ago
  • Key policy on AWS managed keys cannot be updated. However, you can change the KMS key during restore process. Under Additional configurations, provide the key you want to use for Choose an AWS KMS key. This can be the AWS managed redshift key from the account.

    Please note that restore process takes longer when the key is changed during restore process.

0

In the source account, provide access on the KMS Key used for encryption to the target account. In order to do it, you can follow the steps below:

  1. In AWS Management console of the source account, navigate to KMS
  2. Click on the KMS key that was used to encrypt the cluster
  3. Click on the Edit button in the Key Policy tab
  4. Update the Key policy to add the principal for destination account as shown in the sample policy below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{SourceAccountID}:root",
                    "arn:aws:iam::{DestinationAccountID}:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Once you provide access on KMS key to destination account's principal, re-try snapshot restore.

If you are using an AWS managed key, the key policy cannot be updated. In such a case, you can change the KMS key during the restore process. In the restore screen, under Additional configurations, provide the key you want to use for Choose an AWS KMS key. This can be the AWS managed redshift key from the target account.

Please note that restore process takes longer when the key is changed during restore process.

The restore process moves users, groups along with data.

AWS
Answered a year ago
  • On more research we found that we can't share or edit the policy of an AWS managed key. We were able to unencrypt and re-encrypt a test cluster to a customer managed key but we do not want the state of the production cluster to ever be unencrypted - even during this process. We tried changing the AWS key to our key directly in the console but got the error below. InvalidParameterValue You can't transform a cluster with KMS encryption type to KMS encryption type.
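The two answers above describe one decision: if the snapshot's key is customer managed, grant the destination account access in the source key's policy; if it is the AWS managed aws/redshift key, the policy cannot be edited and the only option is to pick a different key under Additional configurations when restoring. The script below is an added example, not code from this thread or from AWS. It runs offline on constructed DescribeKey-style metadata (the account IDs and key IDs are placeholders) and encodes that decision, and it narrows the answer's sample policy from `kms:*` for the destination account down to the actions a restore needs; the exact action list is an assumption on my part, so check it against the KMS errors you see before relying on it.

```python
"""Cross-account Redshift snapshot restore: which KMS key, and what key policy.

Added example (not from the thread or AWS). Runs offline on constructed
DescribeKey-style metadata; the boto3 calls it would feed are named in comments.
"""
import fnmatch
import json

# Actions Redshift needs on a key to restore an encrypted snapshot.
# Assumption: this narrower set replaces the thread's "kms:*" for the
# destination account; adjust if a restore reports an AccessDenied action.
REDSHIFT_KEY_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]

# Constructed samples mimicking kms.describe_key()["KeyMetadata"].
SAMPLE_AWS_MANAGED_KEY = {
    "KeyId": "11111111-2222-3333-4444-555555555555",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "KeyManager": "AWS",  # what the aws/redshift alias points at
}
SAMPLE_CUSTOMER_KEY = {
    "KeyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "KeyManager": "CUSTOMER",
}


def is_aws_managed(key_metadata):
    """True when DescribeKey reports KeyManager == "AWS".

    Such keys have a fixed policy that cannot be edited or shared with another
    account, which is exactly the wall the original poster hit."""
    return key_metadata.get("KeyManager") == "AWS"


def build_cross_account_key_policy(source_account, dest_account):
    """Key policy for a customer managed key living in the source account.

    Keeps the source account root as administrator (dropping that statement
    when you replace the policy would lock you out of the key), and gives the
    destination account only restore-related use plus grants for AWS services."""
    src_root = f"arn:aws:iam::{source_account}:root"
    dst_root = f"arn:aws:iam::{dest_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SourceAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": src_root}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "DestinationAccountUse", "Effect": "Allow",
             "Principal": {"AWS": dst_root}, "Action": REDSHIFT_KEY_ACTIONS,
             "Resource": "*"},
            {"Sid": "DestinationAccountGrants", "Effect": "Allow",
             "Principal": {"AWS": dst_root},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             # Only lets the account create grants on behalf of AWS services.
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def policy_allows_account(policy, account_id, action):
    """Offline check: does any Allow statement grant `action` to the account root?

    Conditions are ignored, so this is a pre-flight sanity check, not an
    authorization engine."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if root in principals and any(fnmatch.fnmatchcase(action, a) for a in actions):
            return True
    return False


def plan_restore(source_key_metadata, source_account, dest_account, dest_key_arn):
    """Return how the destination account can restore the encrypted snapshot."""
    if is_aws_managed(source_key_metadata):
        # Policy is immutable: restore with a key owned by the destination
        # account (redshift.restore_from_cluster_snapshot(..., KmsKeyId=...)).
        return {"strategy": "override-key-at-restore",
                "kms_key_id": dest_key_arn, "key_policy": None}
    # Customer managed: share the source key
    # (kms.put_key_policy(KeyId=..., PolicyName="default", Policy=json.dumps(...))).
    return {"strategy": "share-source-key",
            "kms_key_id": source_key_metadata["Arn"],
            "key_policy": build_cross_account_key_policy(source_account, dest_account)}


if __name__ == "__main__":
    dest_key = "arn:aws:kms:us-east-1:444455556666:key/ffffffff-0000-1111-2222-333333333333"
    for meta in (SAMPLE_AWS_MANAGED_KEY, SAMPLE_CUSTOMER_KEY):
        print(json.dumps(plan_restore(meta, "111122223333", "444455556666", dest_key), indent=2))
```

The "share-source-key" branch is only half the story on the destination side: a key policy grants the destination account's root, and the IAM identity actually running the restore there still needs an IAM policy allowing the same kms: actions on that key ARN. The "override-key-at-restore" branch is what both answerers recommend for the aws/redshift key; as they note, a restore that swaps keys takes longer than one that reuses the snapshot's key.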
