Restoring an Encrypted Postgres RDS DB to a Different AWS Account
While not a very common scenario, occasionally one may need to migrate an RDS database from one AWS account to another. AWS offers an easy and fast way of doing this; however, if your database is encrypted, you will have to perform a few extra steps that may not be immediately obvious.
AWS KMS and RDS Snapshots
RDS backups are stored as snapshots. Snapshots can be copied from region to region and even shared between AWS accounts. By default, a snapshot is encrypted with the same encryption key that encrypts the database it was taken from.
An encrypted RDS database is encrypted with a key generated by AWS Key Management Service (KMS). Each AWS account has a default encryption key that is used for this purpose if no other key has been created within the account. This “default” key is only available to the account it was created in; AWS does not allow other accounts to access it. To allow your destination AWS account to restore your snapshot, you will need to create a new key and share it with the destination account. Both steps can be done from the AWS KMS console.
Once you have generated your new encryption key, go to the RDS console and select the snapshot you will be restoring into your destination AWS account. “Copy” this snapshot using the Actions button:
Select your new encryption key to encrypt the snapshot:
Once your snapshot has been copied using your shared encryption key, you can share it with your destination AWS account:
Switch over to your destination AWS account and you will be able to view the snapshot in your “Shared with me” snapshot list:
You should then be good to go! You can now restore this snapshot into a new RDS instance.
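The post creates and shares the key through the KMS console; the following is an added example, not code from the original post, showing the key policy such a shared key needs so that the snapshot can be copied and restored without exposing the key more widely than necessary. It uses only the Python standard library, the account IDs are constructed placeholders, and `foreign_principals` is a helper written here to check which accounts a policy actually shares the key with.

```python
import json
# Constructed placeholder account IDs; replace with your own source and destination accounts.
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"

def build_shared_key_policy(source_account: str, dest_account: str) -> dict:
    """KMS key policy: administration stays in the source account; the destination
    account can only use the key and let RDS create grants on it."""
    src_root = f"arn:aws:iam::{source_account}:root"
    dst_root = f"arn:aws:iam::{dest_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableSourceAccountAdministration", "Effect": "Allow",
             "Principal": {"AWS": src_root}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowDestinationAccountUse", "Effect": "Allow",
             "Principal": {"AWS": dst_root},
             # The actions RDS needs to copy/restore a snapshot encrypted with this key.
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
            {"Sid": "AllowDestinationGrantsForAwsResources", "Effect": "Allow",
             "Principal": {"AWS": dst_root},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             # Grants may only be created on behalf of AWS services (RDS), not handed
             # out freely to arbitrary principals in the destination account.
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }

def foreign_principals(policy: dict, owner_account: str) -> set:
    """Account IDs other than the key owner that an Allow statement names; '*'
    means the key is exposed to every AWS account and must never appear."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else principal.get("AWS", [])
        for arn in ([arns] if isinstance(arns, str) else arns):
            acct = "*" if arn == "*" else arn.split(":")[4]
            if acct != owner_account:
                found.add(acct)
    return found

if __name__ == "__main__":
    policy = build_shared_key_policy(SOURCE_ACCOUNT, DEST_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("shared with:", foreign_principals(policy, SOURCE_ACCOUNT))
```

Paste the printed policy into the key's policy editor in the KMS console (or apply it with the CLI); the destination account should be the only entry reported by `foreign_principals`.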