

# Sharing encrypted snapshots
<a name="share-encrypted-snapshot"></a>

You can share DB cluster snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in [Encrypting Amazon Aurora resources](Overview.Encryption.md).

The following restrictions apply to sharing encrypted snapshots:
+ You can't share encrypted snapshots as public.
+ You can't share a snapshot that has been encrypted using the default KMS key of the AWS account that shared the snapshot.

  For more information about AWS KMS key management for Amazon RDS, see [AWS KMS key management](Overview.Encryption.Keys.md).

To work around the default KMS key issue, perform the following tasks:

1. [Create a customer managed key and give access to it](#share-encrypted-snapshot.cmk).

1. [Copy and share the snapshot from the source account](#share-encrypted-snapshot.share).

1. [Copy the shared snapshot in the target account](#share-encrypted-snapshot.target).

## Create a customer managed key and give access to it
<a name="share-encrypted-snapshot.cmk"></a>

First you create a customer managed KMS key in the same AWS Region as the encrypted DB cluster snapshot. While creating the customer managed key, you give access to it to another AWS account.

**To create a customer managed key and give access to it**

1. Sign in to the AWS Management Console from the source AWS account.

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

1. Choose **Create key**.

1. On the **Configure key** page:

   1. For **Key type**, select **Symmetric**.

   1. For **Key usage**, select **Encrypt and decrypt**.

   1. Expand **Advanced options**.

   1. For **Key material origin**, select **KMS**.

   1. For **Regionality**, select **Single-Region key**.

   1. Choose **Next**.

1. On the **Add labels** page:

   1. For **Alias**, enter a display name for your KMS key, for example **share-snapshot**.

   1. (Optional) Enter a description for your KMS key.

   1. (Optional) Add tags to your KMS key.

   1. Choose **Next**.

1. On the **Define key administrative permissions** page, choose **Next**.

1. On the **Define key usage permissions** page:

   1. For **Other AWS accounts**, choose **Add another AWS account**.

   1. Enter the ID of the AWS account to which you want to give access.

      You can give access to multiple AWS accounts.

   1. Choose **Next**.

1. Review your KMS key, then choose **Finish**.

## Copy and share the snapshot from the source account
<a name="share-encrypted-snapshot.share"></a>

Next you copy the source DB cluster snapshot to a new snapshot using the customer managed key. Then you share it with the target AWS account.

**To copy and share the snapshot**

1. Sign in to the AWS Management Console from the source AWS account.

1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Select the DB cluster snapshot you want to copy.

1. For **Actions**, choose **Copy snapshot**.

1. On the **Copy snapshot** page:

   1. For **Destination Region**, choose the AWS Region where you created the customer managed key in the previous procedure.

   1. Enter the name of the DB cluster snapshot copy in **New DB Snapshot Identifier**.

   1. For **AWS KMS key**, choose the customer managed key that you created.  
![\[Choose the customer managed key.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/copy-encrypted-snapshot.png)

   1. Choose **Copy snapshot**.

1. When the snapshot copy is available, select it.

1. For **Actions**, choose **Share snapshot**.

1. On the **Snapshot permissions** page:

   1. Enter the **AWS account ID** with which you're sharing the snapshot copy, then choose **Add**.

   1. Choose **Save**.

   The snapshot is shared.

## Copy the shared snapshot in the target account
<a name="share-encrypted-snapshot.target"></a>

Now you can copy the shared snapshot in the target AWS account.

**To copy the shared snapshot**

1. Sign in to the AWS Management Console from the target AWS account.

1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Choose the **Shared with me** tab.

1. Select the shared snapshot.

1. For **Actions**, choose **Copy snapshot**.

1. Choose your settings for copying the snapshot as in the previous procedure, but use an AWS KMS key that belongs to the target account.

   Choose **Copy snapshot**.
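The same three procedures as AWS CLI commands, added here as an example that is not part of the AWS documentation. It assumes placeholder account IDs (111111111111 as source, 222222222222 as target), the Region us-east-1, placeholder snapshot names and the alias share-snapshot; the key policy it writes is the cross-account pattern equivalent to the console's **Other AWS accounts** option.

```shell
# Added example (not from the AWS docs). Account IDs, Region, snapshot names and
# the alias are placeholders; the functions call live AWS APIs, so the
# invocation at the bottom only runs when RUN_AWS=1 is set.
set -eu

# Key policy equivalent to adding an account under "Other AWS accounts": the
# source account keeps full control, the target account may use the key and
# create the grants that RDS needs to copy the shared snapshot.
kms_key_policy() {
  local src="$1" dst="$2"
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Sid":"Enable IAM policies","Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::${src}:root"},"Action":"kms:*","Resource":"*"},
 {"Sid":"Allow use of the key","Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::${dst}:root"},"Resource":"*",
  "Action":["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"]},
 {"Sid":"Allow attachment of persistent resources","Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::${dst}:root"},"Resource":"*",
  "Action":["kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"],
  "Condition":{"Bool":{"kms:GrantIsForAWSResource":"true"}}}]}
EOF
}

# Source account: create the key, copy the snapshot under it (the copy is what
# makes a default-key snapshot shareable), then share the copy with one account.
# Encrypted snapshots cannot be shared with "all" (public), so only a named account is used.
share_from_source() {
  local src="$1" dst="$2" region="$3" snap="$4" copy="$5" key_id
  key_id=$(aws kms create-key --region "$region" --description share-snapshot \
      --policy "$(kms_key_policy "$src" "$dst")" --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$region" --alias-name alias/share-snapshot --target-key-id "$key_id"
  aws rds copy-db-cluster-snapshot --region "$region" --kms-key-id "$key_id" \
      --source-db-cluster-snapshot-identifier "$snap" --target-db-cluster-snapshot-identifier "$copy"
  aws rds wait db-cluster-snapshot-available --region "$region" --db-cluster-snapshot-identifier "$copy"
  aws rds modify-db-cluster-snapshot-attribute --region "$region" --db-cluster-snapshot-identifier "$copy" \
      --attribute-name restore --values-to-add "$dst"
}

# Target account: copy the shared snapshot (addressed by its ARN) under a key the
# target account owns, so the local copy no longer depends on the source account's key.
copy_in_target() {
  local src="$1" region="$2" copy="$3" local_copy="$4" target_key="$5"
  aws rds copy-db-cluster-snapshot --region "$region" --kms-key-id "$target_key" \
      --source-db-cluster-snapshot-identifier "arn:aws:rds:${region}:${src}:cluster-snapshot:${copy}" \
      --target-db-cluster-snapshot-identifier "$local_copy"
}
if [ "${RUN_AWS:-0}" = 1 ]; then
  share_from_source 111111111111 222222222222 us-east-1 aurora-snap aurora-snap-shared
fi
```

Run `copy_in_target` with the target account's credentials after the share completes; `--kms-key-id` there must name a key in the target account, as in the last console step.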