AWSSupport-ShareRDSSnapshot - AWS Systems Manager Automation runbook reference

AWSSupport-ShareRDSSnapshot

Description

The AWSSupport-ShareRDSSnapshot runbook provides an automated solution for the procedure outlined in the Knowledge Center article How can I share an encrypted Amazon RDS DB snapshot with another account? If your Amazon Relational Database Service (Amazon RDS) snapshot was encrypted using the default AWS managed key, you cannot share the snapshot. In this case, you must copy the snapshot using a customer managed key, and then share the snapshot with the target account. This automation performs these steps using the value you specify in the SnapshotName parameter, or the latest snapshot found for the selected Amazon RDS DB instance or cluster.

Note

If you do not specify a value for the KMSKey parameter, the automation creates a new AWS KMS customer managed key in your account that is used to encrypt the snapshot.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Databases

Parameters

  • AccountIds

    Type: StringList

    Description: (Required) Comma-separated list of account IDs to share the snapshot with.

  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • Database

    Type: String

    Description: (Required) The name of the Amazon RDS DB instance or cluster whose snapshot you want to share. This parameter is optional if you specify a value for the SnapshotName parameter.

  • KMSKey

    Type: String

    Description: (Optional) The full Amazon Resource Name (ARN) of the AWS KMS customer managed key used to encrypt the snapshot.

  • SnapshotName

    Type: String

    Description: (Optional) The ID of the DB cluster or instance snapshot that you want to use.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ssm:StartAutomationExecution

  • rds:DescribeDBInstances

  • rds:DescribeDBSnapshots

  • rds:CopyDBSnapshot

  • rds:ModifyDBSnapshotAttribute

The AutomationAssumeRole requires the following actions to successfully start the runbook for a DB cluster.

  • ssm:StartAutomationExecution

  • rds:DescribeDBClusters

  • rds:DescribeDBClusterSnapshots

  • rds:CopyDBClusterSnapshot

  • rds:ModifyDBClusterSnapshotAttribute

The IAM role used to run the automation must be added as a key user to use the KMS key specified in the ARNKmsKey parameter. For information about adding key users to a KMS key, see Changing a key policy in the AWS Key Management Service Developer Guide.

The AutomationAssumeRole requires the following additional actions to successfully start the runbook if you do not specify a value for the KMSKey parameter.

  • kms:CreateKey

  • kms:ScheduleKeyDeletion

Document Steps

  1. aws:executeScript - Checks whether a value was provided for the KMSKey parameter, and creates a AWS KMS customer managed key if no value is found.

  2. aws:branch - Checks whether a value was provided for the SnapshotName parameter, and branches accordingly.

  3. aws:executeAwsApi - Checks whether the snapshot provided is from a DB instance.

  4. aws:executeScript - Formats the SnapshotName parameter replacing colons with a hyphen.

  5. aws:executeAwsApi - Copies the snapshot using the specified KMSKey.

  6. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  7. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  8. aws:executeAwsApi - Checks whether the snapshot provided is from a DB cluster.

  9. aws:executeScript - Formats the SnapshotName parameter replacing colons with a hyphen.

  10. aws:executeAwsApi - Copies the snapshot using the specified KMSKey.

  11. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  12. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  13. aws:executeAwsApi - Checks whether the value provided for the Database parameter is a DB instance.

  14. aws:executeAwsApi - Checks whether the value provided for the Database parameter is a DB cluster.

  15. aws:executeAwsApi - Retrieves a list of snapshots for the specified Database.

  16. aws:executeScript - Determines the latest snapshot available from the list assembled in the previous step.

  17. aws:executeAwsApi - Copies the DB instance snapshot using the specified KMSKey.

  18. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  19. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  20. aws:executeAwsApi - Retrieves a list of snapshots for the specified Database.

  21. aws:executeScript - Determines the latest snapshot available from the list assembled in the previous step.

  22. aws:executeAwsApi - Copies the DB instance snapshot using the specified KMSKey.

  23. aws:waitForAwsResourceProperty - Waits for the copy snapshot operation to complete.

  24. aws:executeAwsApi - Shares the new snapshot with the AccountIds specified.

  25. aws:executeScript - Deletes the AWS KMS customer managed key created by the automation if you did not specify a value for the KMSKey parameter and the automation fails.