I am trying to copy or share a DocumentDB cluster from one AWS account to another, but the existing cluster is encrypted, so I am not able to share it with other accounts. Is there any way we can make the existing cluster unencrypted and then share it with the other account?
2 Answers
1
I believe this will be as a result of the following limitation for DocumentDB (and other services).
You can't share a snapshot that has been encrypted using the default AWS KMS encryption key of the account that shared the snapshot.
When you create a snapshot make sure to select a custom encryption key, and ensure you grant access to the account you intend to share to via the key policy.
More information is available in the Sharing Amazon DocumentDB Cluster Snapshots documentation.

Chris Williams
I just tested copying a snapshot with the default KMS key to another region and restoring it, and it worked. I will review this with the DocumentDB team. – herbertgoto Aug 28 '20 at 16:47
Interesting, although in OP's case it is same region, different account :) – Chris Williams Aug 28 '20 at 16:53
It works in the same account. For a different account it does not. – herbertgoto Aug 28 '20 at 17:40
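A preflight check for the limitation and key-policy requirement described in the answer above, as an added example that is not part of the original answers. The field names follow the `describe-db-cluster-snapshots`, `kms describe-key` and `kms get-key-policy` responses; `REQUIRED_ACTIONS`, the account IDs and the sample records are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption for this example: the KMS actions the receiving account needs.
# Adjust to the list in the DocumentDB snapshot-sharing documentation.
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(key_policy, account_id):
    """Action patterns that Allow statements grant to principals in account_id.
    Condition blocks and wildcard ("*") principals are not evaluated."""
    patterns = set()
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # A principal is an ARN (arn:aws:iam::<account>:...) or a bare account ID.
        accounts = {a.split(":")[4] if a.startswith("arn:") else a for a in arns}
        if account_id in accounts:
            patterns.update(_as_list(stmt.get("Action", [])))
    return patterns

def share_blockers(snapshot, key_metadata, key_policy, target_account):
    """Return the reasons the snapshot cannot be shared with target_account."""
    if not snapshot.get("StorageEncrypted"):
        return []  # unencrypted snapshots need no key access
    if key_metadata.get("KeyManager") == "AWS":
        return ["encrypted with the account's default AWS managed key; "
                "copy the snapshot with a customer managed key first"]
    granted = allowed_actions(key_policy, target_account)
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(fnmatchcase(a.lower(), p.lower()) for p in granted))
    return [f"key policy does not allow {target_account}: {', '.join(missing)}"] if missing else []

# Constructed sample data shaped like describe-db-cluster-snapshots,
# kms describe-key (KeyMetadata) and kms get-key-policy output.
SNAPSHOT = {"DBClusterSnapshotIdentifier": "example-snap", "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    for manager in ("AWS", "CUSTOMER"):
        print(manager, share_blockers(SNAPSHOT, {"KeyManager": manager}, POLICY, "444455556666"))
```

An empty list means neither the default-key limitation nor a missing key-policy grant stands in the way of sharing.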
0
The recommended approach is to do a cross-region copy of your snapshot using a KMS key from the other region.
If you still want to follow the unencrypted approach, you will need to create an unencrypted cluster and restore the data from the encrypted one with a dump.

herbertgoto
https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-dump_restore_import_export_data.html – herbertgoto Sep 04 '20 at 12:35