Posted On: Nov 3, 2021

Amazon Relational Database Service (Amazon RDS) now offers the ability to specify an Amazon Key Management Service (KMS) customer master key (CMK) from a different account when exporting an Amazon RDS Snapshot to Amazon S3. This option helps customers organize and consolidate their KMS keys by eliminating the need to create keys in each account that has snapshots.

Snapshot export extracts data from snapshots and stores it in an Amazon S3 bucket in Apache Parquet format. Exported data can be analyzed using tools such as Amazon Athena. RDS secures the exported data by encrypting it with a KMS key while exporting to S3. Now, when you setup the task for exporting the snapshot data, you can specify a KMS key that is shared with the account where the snapshot currently resides. This can help you organize KMS keys in a centralized account.

Cross account KMS keys for snapshot exports is available in Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about these keys and how to configure them, see the Amazon Web Services Key Management Service Developer Guide.