Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Copying a DB Snapshot or DB Cluster Snapshot

With Amazon Relational Database Service (Amazon RDS), you can copy DB snapshots and DB cluster snapshots in the following ways:

  • Copy an automated or manual DB snapshot or DB cluster snapshot to create a manual snapshot in the same AWS Region.

  • Within the same AWS account, copy an automated or manual DB snapshot or DB cluster snapshot within a region, or from one region to another region.

  • Within the same region, copy an automated or manual DB cluster snapshot from one AWS account to another AWS account.

You can't copy a DB cluster snapshot between regions and AWS accounts in a single step, but instead must perform one step for each of these copy actions.

As an alternative to copying, you can also share manual snapshots with other AWS accounts. For more information, see Sharing a DB Snapshot or DB Cluster Snapshot.

You can copy snapshots shared to you by other AWS accounts. If you are copying an encrypted snapshot that has been shared from another AWS account, you must have access to the KMS encryption key that was used to encrypt the snapshot. You can copy shared unencrypted DB snapshots across regions, but you can only copy shared encrypted DB snapshots in the same region. You can only copy shared DB cluster snapshots, encrypted or not, in the same region. For more information, see Sharing an Encrypted Snapshot.

Depending on the regions involved and the amount of data to be copied, a cross-region snapshot copy can take hours to complete. If there are large numbers of cross-region snapshot copy requests from a given source region, Amazon RDS might queue new cross-region copy requests for that source region until some in-progress copies have completed. No progress information is displayed about copy requests while they are in the queue. Progress information is displayed when the copy starts.

Handling Encryption

You can copy a snapshot that has been encrypted using an AWS KMS encryption key. If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted. If you copy an encrypted snapshot within the same region, you can encrypt the copy with the same KMS encryption key as the original snapshot, or you can specify a different KMS encryption key. If you copy an encrypted snapshot across regions, you can't use the same KMS encryption key for the copy as used for the source snapshot, because KMS keys are region-specific. Instead, you must specify a KMS key valid in the destination AWS Region.

You can also encrypt a copy of an unencrypted snapshot. This way, you can quickly add encryption to a previously unencrypted DB instance or DB cluster. That is, you can create a snapshot of your DB instance or DB cluster when you are ready to encrypt it, and then create a copy of that snapshot and specify a KMS encryption key to encrypt that snapshot copy. You can then restore an encrypted DB instance or DB cluster from the encrypted snapshot. For Amazon Aurora DB cluster snapshots, you also have the option to leave the DB cluster snapshot unencrypted and instead specify a KMS encryption key when restoring. The restored DB cluster is encrypted using the specified key.

Working with Snapshot Retention

Amazon RDS deletes automated snapshots at the end of their retention period, when you disable automated snapshots for a DB instance or DB cluster, or when you delete a DB instance or DB cluster. If you want to keep an automated snapshot for a longer period, copy it to create a manual snapshot, which is retained until you delete it. Amazon RDS storage costs might apply to manual snapshots if they exceed your default storage space. For information on backup storage costs, see Amazon RDS Pricing.

Limitations

There are some limitations to how and where you can copy snapshots:

  • You can't copy a snapshot to or from the AWS GovCloud (US) region.

  • You can't copy a DB snapshot across regions if it was created from a DB instance that is using Oracle Transparent Data Encryption (TDE) or Microsoft SQL Server TDE.

  • You can't copy a SQL Server DB snapshot across regions if the DB snapshot was created from an instance using Multi-AZ mirroring.
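The copy rules above (encryption, shared snapshots, and the limitations list) can be checked before a copy is requested. The following Python sketch is an added example, not AWS code: the CopyRequest fields and rule codes are hypothetical names, and the GovCloud prefix check is an assumption noted in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CopyRequest:
    source_id: str                     # snapshot name, or ARN when cross-region or shared
    dest_region: str                   # region the copy command is issued in
    caller_account: str                # account issuing the copy
    source_encrypted: bool
    kms_key_id: Optional[str] = None
    uses_tde: bool = False             # Oracle or SQL Server TDE on the source instance
    sqlserver_mirroring: bool = False  # SQL Server Multi-AZ mirroring on the source


def check_copy(req: CopyRequest) -> List[str]:
    """Return a code for every rule on this page that the request would break."""
    # A plain snapshot name means same region, same account.
    src_region, src_account, kind = req.dest_region, req.caller_account, "snapshot"
    if req.source_id.startswith("arn:"):
        parts = req.source_id.split(":", 6)
        if (len(parts) != 7 or parts[2] != "rds"
                or parts[5] not in ("snapshot", "cluster-snapshot")):
            return ["BAD_SOURCE_ARN"]
        src_region, src_account, kind = parts[3], parts[4], parts[5]

    cross_region = src_region != req.dest_region
    shared = src_account != req.caller_account
    problems = []

    # Assumption: AWS GovCloud (US) region names start with "us-gov-".
    if cross_region and (src_region.startswith("us-gov-")
                         or req.dest_region.startswith("us-gov-")):
        problems.append("GOVCLOUD")
    # Shared cluster snapshots (encrypted or not) and shared encrypted DB
    # snapshots can only be copied within the same region.
    if cross_region and shared and (kind == "cluster-snapshot" or req.source_encrypted):
        problems.append("SHARED_CROSS_REGION")
    # KMS keys are region-specific, so an encrypted cross-region copy needs a
    # key from the destination region.
    if req.source_encrypted and cross_region and not req.kms_key_id:
        problems.append("KMS_KEY_REQUIRED")
    # Only a full key ARN carries a region; key IDs and aliases are not checked here.
    if req.kms_key_id and req.kms_key_id.startswith("arn:"):
        key_parts = req.kms_key_id.split(":")
        if len(key_parts) < 6 or key_parts[3] != req.dest_region:
            problems.append("KMS_KEY_WRONG_REGION")
    if cross_region and req.uses_tde:
        problems.append("TDE_CROSS_REGION")
    if cross_region and req.sqlserver_mirroring:
        problems.append("MIRRORING_CROSS_REGION")
    return problems


def copy_will_be_encrypted(req: CopyRequest) -> bool:
    """An encrypted source always yields an encrypted copy; a key encrypts an unencrypted one."""
    return req.source_encrypted or req.kms_key_id is not None


if __name__ == "__main__":
    # Identifiers taken from this page's encrypted cross-region CLI example.
    arn = "arn:aws:rds:us-west-2:123456789012:snapshot:mysql-instance1-snapshot-20161115"
    print(check_copy(CopyRequest(arn, "us-east-1", "123456789012", True)))
    print(check_copy(CopyRequest(arn, "us-east-1", "123456789012", True, "my-us-east-1-key")))
```

A pipeline that must never produce unencrypted backups can refuse any request for which copy_will_be_encrypted returns False.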

Setting Parameter Groups and Option Groups

A snapshot copied across regions doesn't include the parameter and option groups used by the DB instance or DB cluster that the snapshot is created from. When you restore a snapshot to create a new DB instance or DB cluster, that DB instance or DB cluster is assigned the default parameter group and default option group for the region it is created in. To give the new DB instance or DB cluster the same parameters and options as the source, you must do the following:

  1. In the destination region, create a DB parameter group or DB cluster parameter group with the same settings as the parameter group used by the source DB instance or DB cluster, or note the name of an existing parameter group that has those settings.

  2. In the destination region, create an option group with the same settings as the option group used by the source DB instance or DB cluster, or note the name of an existing option group that has those settings.

  3. After restoring the snapshot in the destination region, modify the new DB instance or DB cluster to add the DB parameter group or DB cluster parameter group and option group available in the destination region.

Copying a DB Snapshot

For each AWS account, you can copy up to five DB snapshots at a time from one region to another. If you copy a DB snapshot to another AWS Region, you create a manual DB snapshot that is retained in that region. Copying a DB snapshot out of the source region incurs Amazon RDS data transfer charges. For more information about Amazon RDS data transfer pricing, go to Amazon Relational Database Service Pricing.

To copy a DB snapshot, use the AWS Management Console, the copy-db-snapshot command, or the CopyDBSnapshot API action, as illustrated in the following procedures.

If you copy a DB snapshot using the copy-db-snapshot AWS CLI command or CopyDBSnapshot RDS API action, issue the command in the AWS region that you want to copy the DB snapshot to, and use an Amazon RDS Amazon Resource Name (ARN) to specify the source DB snapshot to be copied. For information about Amazon RDS ARN formats, see Working with Amazon Resource Names (ARNs) in Amazon RDS.

After the DB snapshot copy has been created in the new region, the DB snapshot copy behaves the same as all other DB snapshots in that region.

You can copy both encrypted and unencrypted DB snapshots for the following database engines:

  • MariaDB

  • MySQL

  • Oracle

  • PostgreSQL

  • Microsoft SQL Server

For more information about copying Amazon Aurora DB cluster snapshots in the same account, see Copying a DB Cluster Snapshot in the Same Account, in the Same Region or Across Regions. For more information about copying Amazon Aurora DB cluster snapshots across accounts, see Copying a DB Cluster Snapshot Across Accounts.

Copying a DB Snapshot by Using the AWS Management Console

This procedure works for copying encrypted or unencrypted DB snapshots, in the same region or across regions.

To copy a DB snapshot

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Snapshots.

  3. Select the check box for the DB snapshot you want to copy.

  4. Choose Snapshot Actions, and then choose Copy Snapshot.

  5. (Optional) To copy the DB snapshot to a different region, choose that region for Destination Region.

    Note

    The destination region must have the same database engine version available as the source region.

  6. Type the name of the DB snapshot copy in New DB Snapshot Identifier.

  7. To copy tags and values from the snapshot to the copy of the snapshot, choose Copy Tags.

    
  8. Choose one of the following options for Enable Encryption.

    • If the DB snapshot isn't encrypted and you don't want to encrypt the copy, choose No for Enable Encryption.

    • If the DB snapshot isn't encrypted but you want to encrypt the copy, choose Yes for Enable Encryption, and then specify the KMS key identifier to use to encrypt the DB snapshot copy for Master Key.

      
    • If the DB snapshot being copied is encrypted, you must encrypt the copy, so Enable Encryption is already set to Yes. Specify the KMS key identifier to use to encrypt the DB snapshot copy for Master Key.

      
  9. Choose Copy Snapshot.

Copying an Unencrypted DB Snapshot by Using the AWS CLI or the Amazon RDS API

Use the procedures in the following sections to copy an unencrypted DB snapshot by using the AWS CLI or the Amazon RDS API.

CLI

To copy a DB snapshot, use the AWS CLI copy-db-snapshot command. If you are copying the snapshot to another region, run the command in the region to which the snapshot will be copied.

The following options are used to copy an unencrypted DB snapshot:

  • --source-db-snapshot-identifier – The identifier for the DB snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • --target-db-snapshot-identifier – The identifier for the new copy of the DB snapshot.

The following code creates a copy of snapshot arn:aws:rds:us-east-1:123456789012:snapshot:mysql-instance1-snapshot-20130805 named mydbsnapshotcopy in the region in which the command is run. When the copy is made, all tags on the original snapshot are copied to the snapshot copy.

Example

For Linux, OS X, or Unix:

    aws rds copy-db-snapshot \
        --source-db-snapshot-identifier arn:aws:rds:us-east-1:123456789012:snapshot:mysql-instance1-snapshot-20130805 \
        --target-db-snapshot-identifier mydbsnapshotcopy \
        --copy-tags

For Windows:

    aws rds copy-db-snapshot ^
        --source-db-snapshot-identifier arn:aws:rds:us-east-1:123456789012:snapshot:mysql-instance1-snapshot-20130805 ^
        --target-db-snapshot-identifier mydbsnapshotcopy ^
        --copy-tags

API

To copy a DB snapshot, use the Amazon RDS API CopyDBSnapshot action. If you are copying the snapshot to another region, perform the action in the region to which the snapshot will be copied.

The following parameters are used to copy an unencrypted DB snapshot:

  • SourceDBSnapshotIdentifier – The identifier for the DB snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • TargetDBSnapshotIdentifier – The identifier for the new copy of the DB snapshot.

The following code creates a copy of snapshot arn:aws:rds:us-east-1:123456789012:snapshot:mysql-instance1-snapshot-20130805 named mydbsnapshotcopy in the us-west-1 region. When the copy is made, all tags on the original snapshot are copied to the snapshot copy.

Example

    https://rds.us-west-1.amazonaws.com/
        ?Action=CopyDBSnapshot
        &CopyTags=true
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-east-1%3A123456789012%3Asnapshot%3Amysql-instance1-snapshot-20130805
        &TargetDBSnapshotIdentifier=mydbsnapshotcopy
        &Version=2013-09-09
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20140429/us-west-1/rds/aws4_request
        &X-Amz-Date=20140429T175351Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=9164337efa99caf850e874a1cb7ef62f3cea29d0b448b9e0e7c53b288ddffed2

Copying an Encrypted DB Snapshot by Using the AWS CLI or the Amazon RDS API

Use the procedures in the following sections to copy an encrypted DB snapshot by using the AWS CLI or the Amazon RDS API.

CLI

To copy a DB snapshot, use the AWS CLI copy-db-snapshot command. If you are copying the snapshot to another region, run the command in the region to which the snapshot will be copied.

The following options are used to copy an encrypted DB snapshot:

  • --source-region – If you are copying the snapshot to another region, specify the AWS region that the encrypted DB snapshot will be copied from.

    If you are copying the snapshot to another region and you don't specify --source-region, you must specify the --pre-signed-url option instead. The --pre-signed-url value must be a URL that contains a Signature Version 4 signed request for the CopyDBSnapshot action to be called in the source region where the DB snapshot is copied from. To learn more about the --pre-signed-url option, see copy-db-snapshot.

  • --source-db-snapshot-identifier – The identifier for the encrypted DB snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region. If that is the case, the region specified in --source-db-snapshot-identifier must match the region specified for --source-region.

  • --target-db-snapshot-identifier – The identifier for the new copy of the encrypted DB snapshot.

  • --kms-key-id – The KMS key identifier for the key to use to encrypt the copy of the DB snapshot.

    You can optionally use this option if the DB snapshot is encrypted, you are copying the snapshot in the same region, and you want to specify a new KMS encryption key to use to encrypt the copy. Otherwise, the copy of the DB snapshot is encrypted with the same KMS key as the source DB snapshot.

    You must use this option if the DB snapshot is encrypted and you are copying the snapshot to another region. In that case, you must specify a KMS key for the destination AWS region.

The following code example copies an encrypted DB snapshot from the us-west-2 region to the us-east-1 region. The copy-db-snapshot command is called in the us-east-1 region.

Example

For Linux, OS X, or Unix:

    aws rds copy-db-snapshot \
        --source-db-snapshot-identifier arn:aws:rds:us-west-2:123456789012:snapshot:mysql-instance1-snapshot-20161115 \
        --target-db-snapshot-identifier mydbsnapshotcopy \
        --source-region us-west-2 \
        --kms-key-id my-us-east-1-key

For Windows:

    aws rds copy-db-snapshot ^
        --source-db-snapshot-identifier arn:aws:rds:us-west-2:123456789012:snapshot:mysql-instance1-snapshot-20161115 ^
        --target-db-snapshot-identifier mydbsnapshotcopy ^
        --source-region us-west-2 ^
        --kms-key-id my-us-east-1-key

API

To copy a DB snapshot, use the Amazon RDS API CopyDBSnapshot action. If you are copying the snapshot to another region, perform the action in the region to which the snapshot will be copied.

The following parameters are used to copy an encrypted DB snapshot:

  • SourceDBSnapshotIdentifier – The identifier for the encrypted DB snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • TargetDBSnapshotIdentifier – The identifier for the new copy of the encrypted DB snapshot.

  • KmsKeyId – The KMS key identifier for the key to use to encrypt the copy of the DB snapshot.

    You can optionally use this parameter if the DB snapshot is encrypted, you are copying the snapshot in the same region, and you want to specify a new KMS encryption key to use to encrypt the copy. Otherwise, the copy of the DB snapshot is encrypted with the same KMS key as the source DB snapshot.

    You must use this parameter if the DB snapshot is encrypted and you are copying the snapshot to another region. In that case, you must specify a KMS key for the destination AWS region.

  • PreSignedUrl – A URL that contains a Signature Version 4 signed request for the CopyDBSnapshot action to be called in the source region where the DB snapshot is copied from. To learn more about using a presigned URL, see CopyDBSnapshot.

    To automatically rather than manually generate a presigned URL, use the AWS CLI copy-db-snapshot command with the --source-region option instead.

The following code creates a copy of snapshot arn:aws:rds:us-west-2:123456789012:snapshot:mysql-instance1-snapshot-20161115 named mydbsnapshotcopy in the us-east-1 region. When the copy is made, all tags on the original snapshot are copied to the snapshot copy.

Example

    https://rds.us-east-1.amazonaws.com/
        ?Action=CopyDBSnapshot
        &KmsKeyId=my-us-east-1-key
        &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F
             %253FAction%253DCopyDBSnapshot
             %2526DestinationRegion%253Dus-east-1
             %2526KmsKeyId%253Dmy-us-east-1-key
             %2526SourceDBSnapshotIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Asnapshot%25253Amysql-instance1-snapshot-20161115
             %2526SignatureMethod%253DHmacSHA256
             %2526SignatureVersion%253D4
             %2526Version%253D2014-10-31
             %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256
             %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request
             %2526X-Amz-Date%253D20161117T215409Z
             %2526X-Amz-Expires%253D3600
             %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date
             %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-west-2%3A123456789012%3Asnapshot%3Amysql-instance1-snapshot-20161115
        &TargetDBSnapshotIdentifier=mydbsnapshotcopy
        &Version=2014-10-31
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20161117/us-east-1/rds/aws4_request
        &X-Amz-Date=20161117T221704Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=da4f2da66739d2e722c85fcfd225dc27bba7e2b8dbea8d8612434378e52adccf

Copying a DB Cluster Snapshot in the Same Account, in the Same Region or Across Regions

For each AWS account, you can copy up to five DB cluster snapshots at a time from one region to another. Copying both encrypted and unencrypted DB cluster snapshots is supported. If you copy a DB cluster snapshot to another AWS Region, you create a manual DB cluster snapshot that is retained in that region. Copying a DB cluster snapshot out of the source region incurs Amazon RDS data transfer charges. For more information about Amazon RDS data transfer pricing, go to Amazon Relational Database Service Pricing.

To copy a DB cluster snapshot, use the AWS Management Console, the copy-db-cluster-snapshot command, or the CopyDBClusterSnapshot API action, as illustrated in the following procedures.

After the DB cluster snapshot copy has been created in the new region, the DB cluster snapshot copy behaves the same as all other DB cluster snapshots in that region.

For more information about copying DB snapshots for database engines other than Aurora, see Copying a DB Snapshot.

Copying a DB Cluster Snapshot by Using the AWS Management Console

This procedure works for copying encrypted or unencrypted DB cluster snapshots, in the same region or across regions.

To cancel a copy operation once it is in progress, delete the target DB cluster snapshot while that DB cluster snapshot is in copying status.

To copy a DB cluster snapshot

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Snapshots.

  3. Select the check box for the DB cluster snapshot you want to copy.

  4. Choose Snapshot Actions, and then choose Copy Snapshot.

  5. (Optional) To copy the DB cluster snapshot to a different region, choose that region for Destination Region.

  6. Type the name of the DB cluster snapshot copy in New DB Snapshot Identifier.

  7. To copy tags and values from the snapshot to the copy of the snapshot, choose Copy Tags.

    
  8. Choose one of the following options for Enable Encryption.

    • If the DB cluster snapshot isn't encrypted and you don't want to encrypt the copy, choose No for Enable Encryption.

    • If the DB cluster snapshot isn't encrypted but you want to encrypt the copy, choose Yes for Enable Encryption, and then specify the KMS key identifier to use to encrypt the DB cluster snapshot copy for Master Key.

      
    • If the DB cluster snapshot being copied is encrypted, you must encrypt the copy, so Enable Encryption is already set to Yes. Specify the KMS key identifier to use to encrypt the DB cluster snapshot copy for Master Key.

      
  9. Choose Copy Snapshot.

Copying an Unencrypted DB Cluster Snapshot by Using the AWS CLI or Amazon RDS API

Use the procedures in the following sections to copy an unencrypted DB cluster snapshot by using the AWS CLI or Amazon RDS API.

To cancel a copy operation once it is in progress, delete the target DB cluster snapshot identified by --target-db-cluster-snapshot-identifier or TargetDBClusterSnapshotIdentifier while that DB cluster snapshot is in copying status.

CLI

To copy a DB cluster snapshot, use the AWS CLI copy-db-cluster-snapshot command. If you are copying the snapshot to another region, run the command in the region to which the snapshot will be copied.

The following options are used to copy an unencrypted DB cluster snapshot:

  • --source-db-cluster-snapshot-identifier – The identifier for the DB cluster snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • --target-db-cluster-snapshot-identifier – The identifier for the new copy of the DB cluster snapshot.

The following code creates a copy of DB cluster snapshot arn:aws:rds:us-east-1:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20130805 named myclustersnapshotcopy in the region in which the command is run. When the copy is made, all tags on the original snapshot are copied to the snapshot copy.

Example

For Linux, OS X, or Unix:

    aws rds copy-db-cluster-snapshot \
        --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20130805 \
        --target-db-cluster-snapshot-identifier myclustersnapshotcopy \
        --copy-tags

For Windows:

    aws rds copy-db-cluster-snapshot ^
        --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20130805 ^
        --target-db-cluster-snapshot-identifier myclustersnapshotcopy ^
        --copy-tags

API

To copy a DB cluster snapshot, use the Amazon RDS API CopyDBClusterSnapshot action. If you are copying the snapshot to another region, perform the action in the region to which the snapshot will be copied.

The following parameters are used to copy an unencrypted DB cluster snapshot:

  • SourceDBClusterSnapshotIdentifier – The identifier for the DB cluster snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • TargetDBClusterSnapshotIdentifier – The identifier for the new copy of the DB cluster snapshot.

The following code creates a copy of snapshot arn:aws:rds:us-east-1:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20130805 named myclustersnapshotcopy in the us-west-1 region. When the copy is made, all tags on the original snapshot are copied to the snapshot copy.

Example

    https://rds.us-west-1.amazonaws.com/
        ?Action=CopyDBClusterSnapshot
        &CopyTags=true
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBClusterSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-east-1%3A123456789012%3Acluster-snapshot%3Aaurora-cluster1-snapshot-20130805
        &TargetDBClusterSnapshotIdentifier=myclustersnapshotcopy
        &Version=2013-09-09
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20140429/us-west-1/rds/aws4_request
        &X-Amz-Date=20140429T175351Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=9164337efa99caf850e874a1cb7ef62f3cea29d0b448b9e0e7c53b288ddffed2

Copying an Encrypted DB Cluster Snapshot by Using the AWS CLI or Amazon RDS API

Use the procedures in the following sections to copy an encrypted DB cluster snapshot by using the AWS CLI or Amazon RDS API.

To cancel a copy operation once it is in progress, delete the target DB cluster snapshot identified by --target-db-cluster-snapshot-identifier or TargetDBClusterSnapshotIdentifier while that DB cluster snapshot is in copying status.

CLI

To copy a DB cluster snapshot, use the AWS CLI copy-db-cluster-snapshot command. If you are copying the snapshot to another region, run the command in the region to which the snapshot will be copied.

The following options are used to copy an encrypted DB cluster snapshot:

  • --source-region – If you are copying the snapshot to another region, specify the AWS region that the encrypted DB cluster snapshot will be copied from.

    If you are copying the snapshot to another region and you don't specify --source-region, you must specify the --pre-signed-url option instead. The --pre-signed-url value must be a URL that contains a Signature Version 4 signed request for the CopyDBClusterSnapshot action to be called in the source region where the DB cluster snapshot is copied from. To learn more about the --pre-signed-url option, see copy-db-cluster-snapshot.

  • --source-db-cluster-snapshot-identifier – The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region. If that is the case, the region specified in --source-db-cluster-snapshot-identifier must match the region specified for --source-region.

  • --target-db-cluster-snapshot-identifier – The identifier for the new copy of the encrypted DB cluster snapshot.

  • --kms-key-id – The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.

    You can optionally use this option if the DB cluster snapshot is encrypted, you are copying the snapshot in the same region, and you want to specify a new KMS encryption key to use to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.

    You must use this option if the DB cluster snapshot is encrypted and you are copying the snapshot to another region. In that case, you must specify a KMS key for the destination AWS region.

The following code example copies the encrypted DB cluster snapshot from the us-west-2 region to the us-east-1 region. The command is called in the us-east-1 region.

Example

For Linux, OS X, or Unix:

    aws rds copy-db-cluster-snapshot \
        --source-db-cluster-snapshot-identifier arn:aws:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115 \
        --target-db-cluster-snapshot-identifier myclustersnapshotcopy \
        --source-region us-west-2 \
        --kms-key-id my-us-east-1-key

For Windows:

    aws rds copy-db-cluster-snapshot ^
        --source-db-cluster-snapshot-identifier arn:aws:rds:us-west-2:123456789012:cluster-snapshot:aurora-cluster1-snapshot-20161115 ^
        --target-db-cluster-snapshot-identifier myclustersnapshotcopy ^
        --source-region us-west-2 ^
        --kms-key-id my-us-east-1-key

API

To copy a DB cluster snapshot, use the Amazon RDS API CopyDBClusterSnapshot action. If you are copying the snapshot to another region, perform the action in the region to which the snapshot will be copied.

The following parameters are used to copy an encrypted DB cluster snapshot:

  • SourceDBClusterSnapshotIdentifier – The identifier for the encrypted DB cluster snapshot to be copied. If you are copying the snapshot to another region, this identifier must be in the ARN format for the source region.

  • TargetDBClusterSnapshotIdentifier – The identifier for the new copy of the encrypted DB cluster snapshot.

  • KmsKeyId – The KMS key identifier for the key to use to encrypt the copy of the DB cluster snapshot.

    You can optionally use this parameter if the DB cluster snapshot is encrypted, you are copying the snapshot in the same region, and you want to specify a new KMS encryption key to use to encrypt the copy. Otherwise, the copy of the DB cluster snapshot is encrypted with the same KMS key as the source DB cluster snapshot.

    You must use this parameter if the DB cluster snapshot is encrypted and you are copying the snapshot to another region. In that case, you must specify a KMS key for the destination AWS region.

  • PreSignedUrl – If you are copying the snapshot to another region, you must specify the PreSignedUrl parameter. The PreSignedUrl value must be a URL that contains a Signature Version 4 signed request for the CopyDBClusterSnapshot action to be called in the source region where the DB cluster snapshot is copied from. To learn more about using a presigned URL, see CopyDBClusterSnapshot.

    To automatically rather than manually generate a presigned URL, use the AWS CLI copy-db-cluster-snapshot command with the --source-region option instead.

The following code example copies the encrypted DB cluster snapshot from the us-west-2 region to the us-east-1 region. The action is called in the us-east-1 region.

Example

    https://rds.us-east-1.amazonaws.com/
        ?Action=CopyDBClusterSnapshot
        &KmsKeyId=my-us-east-1-key
        &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F
             %253FAction%253DCopyDBClusterSnapshot
             %2526DestinationRegion%253Dus-east-1
             %2526KmsKeyId%253Dmy-us-east-1-key
             %2526SourceDBClusterSnapshotIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Acluster-snapshot%25253Aaurora-cluster1-snapshot-20161115
             %2526SignatureMethod%253DHmacSHA256
             %2526SignatureVersion%253D4
             %2526Version%253D2014-10-31
             %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256
             %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request
             %2526X-Amz-Date%253D20161117T215409Z
             %2526X-Amz-Expires%253D3600
             %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date
             %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBClusterSnapshotIdentifier=arn%3Aaws%3Ards%3Aus-west-2%3A123456789012%3Acluster-snapshot%3Aaurora-cluster1-snapshot-20161115
        &TargetDBClusterSnapshotIdentifier=myclustersnapshotcopy
        &Version=2014-10-31
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20161117/us-east-1/rds/aws4_request
        &X-Amz-Date=20161117T221704Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=da4f2da66739d2e722c85fcfd225dc27bba7e2b8dbea8d8612434378e52adccf
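The PreSignedUrl values in the CopyDBSnapshot and CopyDBClusterSnapshot examples embed a second request addressed to the source region, so it is worth confirming that the inner request agrees with the outer one before sending it. The following Python check is an added example, not AWS code: the function names and result codes are hypothetical, the rds.<region>.amazonaws.com host form is taken from this page's examples, and the access key ID and signature in the sample are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def peel_encoding(value, max_layers=3):
    """Percent-decode until the value is a plain https URL.

    The samples on this page show the value with more than one layer of
    percent-encoding (https%253A%252F%252F...), so one decode is not enough.
    """
    for _ in range(max_layers):
        if value.startswith("https://"):
            break
        value = unquote(value)
    return value


def check_presigned_url(presigned, action, dest_region, source_arn, kms_key_id):
    """Return a code for every way the inner request disagrees with the outer one."""
    url = urlsplit(peel_encoding(presigned))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    src_region = source_arn.split(":")[3]
    id_param = ("SourceDBClusterSnapshotIdentifier"
                if action == "CopyDBClusterSnapshot" else "SourceDBSnapshotIdentifier")
    scope = params.get("X-Amz-Credential", "").split("/")
    checks = {
        # The inner request is called in the source region.
        "HOST_NOT_SOURCE_REGION": url.scheme == "https"
        and url.hostname == f"rds.{src_region}.amazonaws.com",
        "WRONG_ACTION": params.get("Action") == action,
        "WRONG_DESTINATION": params.get("DestinationRegion") == dest_region,
        "WRONG_SOURCE_SNAPSHOT": params.get(id_param) == source_arn,
        # As in the page's samples, the inner and outer KmsKeyId are the same.
        "WRONG_KMS_KEY": params.get("KmsKeyId") == kms_key_id,
        # SigV4 credential scope: <key id>/<date>/<region>/<service>/aws4_request
        "SCOPE_NOT_SOURCE_REGION": len(scope) == 5
        and scope[2:] == [src_region, "rds", "aws4_request"],
        "NOT_SIGV4": params.get("X-Amz-Algorithm") == "AWS4-HMAC-SHA256"
        and "X-Amz-Signature" in params,
    }
    return [code for code, ok in checks.items() if not ok]


def build_sample(dest_region="us-east-1"):
    """Constructed value laid out like the page's sample; not a valid signature."""
    arn = "arn:aws:rds:us-west-2:123456789012:snapshot:mysql-instance1-snapshot-20161115"
    inner = {
        "Action": "CopyDBSnapshot",
        "DestinationRegion": dest_region,
        "KmsKeyId": "my-us-east-1-key",
        "SourceDBSnapshotIdentifier": arn,
        "Version": "2014-10-31",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "AKIAEXAMPLE/20161117/us-west-2/rds/aws4_request",
        "X-Amz-Date": "20161117T215409Z",
        "X-Amz-Expires": "3600",
        "X-Amz-Signature": "0" * 64,
    }
    url = "https://rds.us-west-2.amazonaws.com/?" + urlencode(inner)
    # Encode twice to reproduce the layering shown in the page's sample.
    return arn, quote(quote(url, safe=""), safe="")


if __name__ == "__main__":
    arn, presigned = build_sample()
    print(check_presigned_url(presigned, "CopyDBSnapshot", "us-east-1",
                              arn, "my-us-east-1-key"))
```

This only compares fields; it does not verify the signature, which the source region's endpoint does when it receives the request.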

Copying a DB Cluster Snapshot Across Accounts

You can enable other AWS accounts to copy DB cluster snapshots that you specify by using the Amazon RDS API ModifyDBClusterSnapshotAttribute and CopyDBClusterSnapshot actions. You can only copy DB cluster snapshots across accounts in the same region. The cross-account copying process works as follows, where Account A is making the snapshot available to copy, and Account B is copying it.

  1. Using Account A, call ModifyDBClusterSnapshotAttribute, specifying restore for the AttributeName parameter, and the ID for Account B for the ValuesToAdd parameter.

  2. (If the snapshot is encrypted) Using Account A, update the key policy for the KMS key, first adding the ARN of Account B as a Principal, and then allowing the kms:CreateGrant action.

  3. (If the snapshot is encrypted) Using Account B, choose or create an IAM user and attach an IAM policy to that user that allows it to copy an encrypted DB snapshot using your KMS key.

  4. Using Account B, call CopyDBClusterSnapshot and use the SourceDBClusterSnapshotIdentifier parameter to specify the ARN of the DB cluster snapshot to be copied, which must include the ID for Account A.

To list all of the AWS accounts permitted to restore a DB snapshot, use the DescribeDBSnapshotAttributes or DescribeDBClusterSnapshotAttributes API action.

To remove sharing permission for an AWS account, use the ModifyDBSnapshotAttribute or ModifyDBClusterSnapshotAttribute action with AttributeName set to restore and the ID of the account to remove in the ValuesToRemove parameter.
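The restore attribute described above is the complete list of accounts that can copy or restore a snapshot, so it is the thing to audit. The following Python sketch is an added example, not AWS code: the function names are hypothetical, the input is constructed and shaped like the DBClusterSnapshotAttributesResult returned by DescribeDBClusterSnapshotAttributes, and the value all (which RDS uses to mark a snapshot as public) comes from the RDS API reference rather than from this page.

```python
from collections import defaultdict

# Constructed sample. manual-snapshot1 and its two account IDs come from the
# example on this page; the other two entries are made up.
SAMPLE_RESULTS = [
    {"DBClusterSnapshotIdentifier": "manual-snapshot1",
     "DBClusterSnapshotAttributes": [
         {"AttributeName": "restore",
          "AttributeValues": ["123451234512", "123456789012"]}]},
    {"DBClusterSnapshotIdentifier": "constructed-public-snapshot",
     "DBClusterSnapshotAttributes": [
         {"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBClusterSnapshotIdentifier": "constructed-private-snapshot",
     "DBClusterSnapshotAttributes": [
         {"AttributeName": "restore", "AttributeValues": []}]},
]


def restore_grants(result):
    """Account IDs (or 'all') listed under the restore attribute of one snapshot."""
    return [value
            for attr in result.get("DBClusterSnapshotAttributes", [])
            if attr.get("AttributeName") == "restore"
            for value in attr.get("AttributeValues", [])]


def audit_restore_grants(results, approved_accounts):
    """Flag snapshots shared with accounts outside the approved set.

    Each finding carries the parameters for the ModifyDBClusterSnapshotAttribute
    call that would remove the unapproved grants.
    """
    approved = set(approved_accounts) - {"all"}   # public sharing is never approved
    findings = []
    for result in results:
        snapshot = result["DBClusterSnapshotIdentifier"]
        unapproved = sorted(set(restore_grants(result)) - approved)
        if unapproved:
            findings.append({
                "snapshot": snapshot,
                "public": "all" in unapproved,
                "revoke": {
                    "DBClusterSnapshotIdentifier": snapshot,
                    "AttributeName": "restore",
                    "ValuesToRemove": unapproved,
                },
            })
    return findings


def snapshots_by_account(results):
    """Invert the view: which snapshots can each external account copy?"""
    index = defaultdict(list)
    for result in results:
        for account in restore_grants(result):
            index[account].append(result["DBClusterSnapshotIdentifier"])
    return {account: sorted(names) for account, names in index.items()}


if __name__ == "__main__":
    for finding in audit_restore_grants(SAMPLE_RESULTS, {"123456789012"}):
        print(finding)
```

For an encrypted snapshot, removing the restore grant does not change the KMS key policy; the Principal entry added for the other account has to be removed separately.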

Copying an Unencrypted DB Cluster Snapshot to Another Account

Use the following procedure to copy an unencrypted DB cluster snapshot to another account in the same region.

  1. In the source account for the DB cluster snapshot, call ModifyDBClusterSnapshotAttribute, specifying restore for the AttributeName parameter, and the ID for the target account for the ValuesToAdd parameter.

    Running the following example using the account 987654321 permits two AWS accounts, 123451234512 and 123456789012, to restore the DB cluster snapshot named manual-snapshot1.

    https://rds.us-west-2.amazonaws.com/
        ?Action=ModifyDBClusterSnapshotAttribute
        &AttributeName=restore
        &DBClusterSnapshotIdentifier=manual-snapshot1
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &ValuesToAdd.member.1=123451234512
        &ValuesToAdd.member.2=123456789012
        &Version=2014-10-31
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20150922/us-west-2/rds/aws4_request
        &X-Amz-Date=20150922T220515Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=ef38f1ce3dab4e1dbf113d8d2a265c67d17ece1999ffd36be85714ed36dddbb3

  2. In the target account, call CopyDBClusterSnapshot and use the SourceDBClusterSnapshotIdentifier parameter to specify the ARN of the DB cluster snapshot to be copied, which must include the ID for the source account.

    Running the following example using the account 123451234512 copies the DB cluster snapshot aurora-cluster1-snapshot-20130805 from account 987654321 and creates a DB cluster snapshot named dbclustersnapshot1.

    https://rds.us-west-2.amazonaws.com/
        ?Action=CopyDBClusterSnapshot
        &CopyTags=true
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBClusterSnapshotIdentifier=arn:aws:rds:us-west-2:987654321:cluster-snapshot:aurora-cluster1-snapshot-20130805
        &TargetDBClusterSnapshotIdentifier=dbclustersnapshot1
        &Version=2013-09-09
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20150922/us-west-2/rds/aws4_request
        &X-Amz-Date=20140429T175351Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=9164337efa99caf850e874a1cb7ef62f3cea29d0b448b9e0e7c53b288ddffed2

Copying an Encrypted DB Cluster Snapshot to Another Account

Use the following procedure to copy an encrypted DB cluster snapshot to another account in the same region.

  1. In the source account for the DB cluster snapshot, call ModifyDBClusterSnapshotAttribute, specifying restore for the AttributeName parameter, and the ID for the target account for the ValuesToAdd parameter.

    Running the following example using the account 987654321 permits two AWS accounts, 123451234512 and 123456789012, to restore the DB cluster snapshot named manual-snapshot1.

    https://rds.us-west-2.amazonaws.com/
        ?Action=ModifyDBClusterSnapshotAttribute
        &AttributeName=restore
        &DBClusterSnapshotIdentifier=manual-snapshot1
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &ValuesToAdd.member.1=123451234512
        &ValuesToAdd.member.2=123456789012
        &Version=2014-10-31
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20150922/us-west-2/rds/aws4_request
        &X-Amz-Date=20150922T220515Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=ef38f1ce3dab4e1dbf113d8d2a265c67d17ece1999ffd36be85714ed36dddbb3

  2. In the source account for the DB cluster snapshot, update the key policy for the KMS key, first adding the ARN of the target account as a Principal, and then allowing the kms:CreateGrant action. For more information, see Allowing Access to an AWS KMS Encryption Key.

  3. In the target account, choose or create an IAM user and attach an IAM policy to that user that allows it to copy an encrypted DB snapshot using your KMS key. For more information, see Creating an IAM Policy to Enable Copying of the Encrypted Snapshot.

  4. In the target account, call CopyDBClusterSnapshot and use the SourceDBClusterSnapshotIdentifier parameter to specify the ARN of the DB cluster snapshot to be copied, which must include the ID for the source account.

    Running the following example using the account 123451234512 copies the DB cluster snapshot aurora-cluster1-snapshot-20130805 from account 987654321 and creates a DB cluster snapshot named dbclustersnapshot1.

    https://rds.us-west-2.amazonaws.com/
        ?Action=CopyDBClusterSnapshot
        &CopyTags=true
        &SignatureMethod=HmacSHA256
        &SignatureVersion=4
        &SourceDBClusterSnapshotIdentifier=arn:aws:rds:us-west-2:987654321:cluster-snapshot:aurora-cluster1-snapshot-20130805
        &TargetDBClusterSnapshotIdentifier=dbclustersnapshot1
        &Version=2013-09-09
        &X-Amz-Algorithm=AWS4-HMAC-SHA256
        &X-Amz-Credential=AKIADQKE4SARGYLE/20150922/us-west-2/rds/aws4_request
        &X-Amz-Date=20140429T175351Z
        &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
        &X-Amz-Signature=9164337efa99caf850e874a1cb7ef62f3cea29d0b448b9e0e7c53b288ddffed2
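Step 2 of the encrypted procedure can be checked before the copy is attempted. The Python below is an added example, not AWS's code: it inspects a constructed key policy and reports whether the target account is a Principal on a statement allowing kms:CreateGrant, and whether any statement grants that action to every principal. The function names and the sample policy are assumptions, and Condition blocks are not evaluated.

```python
import fnmatch

# Constructed key policy for the source account's KMS key; the account ID is the page's example.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUseOfKey", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123451234512:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "AllowGrants", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123451234512:root"]},
         "Action": "kms:CreateGrant", "Resource": "*"},
    ],
}

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """AWS principals named by a statement; a bare "*" Principal is returned as ["*"]."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))

def _grants_action(statement, action):
    """True if this is an Allow statement whose Action patterns match `action`."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def account_may_create_grant(policy, account_id):
    """Step 2 check: is the account a Principal on a kms:CreateGrant Allow statement?"""
    for statement in _as_list(policy.get("Statement", [])):
        if not _grants_action(statement, "kms:CreateGrant"):
            continue
        for principal in _principals(statement):
            # A principal is a bare account ID or an ARN whose fifth field is the account.
            parts = principal.split(":")
            owner = parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal
            if owner == account_id:
                return True
    return False

def wildcard_grant_sids(policy):
    """Sids of statements allowing kms:CreateGrant to any principal (broader than step 2 needs)."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy.get("Statement", []))
            if _grants_action(s, "kms:CreateGrant") and "*" in _principals(s)]
```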

Related Topics