By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Exporting RDS DB Snapshot from one account into an S3 bucket in another account

0

Is it possible to export an RDS DB Snapshot from Account A to an S3 bucket in Account B with the help of a policy only and without using the RDS Instance? The account with the destination bucket,i.e., Account B should have access to the RDS System Snapshot present in Account A, and the command to export the snapshot should be given in Account B.

1 Answer
0

Yes, that is possible. In Account A, create an IAM role with permissions to access the RDS snapshot and the necessary S3 bucket in Account B. This role will be assumed by Account B when exporting the snapshot using the CLI with aws sts assume-role and aws rds export-db-snapshot.

The policy in Account A would look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRoleAccountB",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLE_NAME_IN_ACCOUNT_B"
        },
        {
            "Sid": "AllowExportSnapshot",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSnapshotAttributes",
                "rds:ListTagsForResource",
                "rds:CopyDBSnapshot"
            ],
            "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"
        },
        {
            "Sid": "AllowS3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

The policy in Account B then would look like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRoleAccountA",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME_IN_ACCOUNT_A"
        },
        {
            "Sid": "AllowS3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

Hope this helps.

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions