Shared snapshot copy uses source KMS not destination KMS

[ghost]

I've just deployed the stacks in Source and Destination AWS accounts (separate accounts) and configured with KmsKeyDestination and KmsKeySource CMKs. Region in both accounts is eu-west-1.

I am surprised to see that the resultant local snapshot "copies" in the external (destination) account are encrypted with the KmsKeySource and haven't been re-encrypted with my specified KmsKeyDestination.

If I manually copy a shared snapshot I am able to specify the local CMK instead and the copy successfully uses it.

Anything I am missing? What should I look for? Anything I can try?

Thanks!

Karl

[ghost]

I did a bit of digging and altered the code in copy_local() to use _KMS_KEY_DEST_REGION in place of _KMS_KEY_SOURCE_REGION and I now get what I want/expect. It can't be this obvious though right?

def copy_local(snapshot_identifier, snapshot_object):
    client = boto3.client('rds', region_name=_REGION)

    tags = [{
            'Key': 'CopiedBy',
            'Value': 'Snapshot Tool for RDS'
        }]

    if snapshot_object['Encrypted']:
        logger.info('Copying encrypted snapshot %s locally' % snapshot_identifier)
        response = client.copy_db_snapshot(
            SourceDBSnapshotIdentifier = snapshot_object['Arn'],
            TargetDBSnapshotIdentifier = snapshot_identifier,
            KmsKeyId = _KMS_KEY_DEST_REGION, #_KMS_KEY_SOURCE_REGION,
            Tags = tags)

[mrcoronel]

Hi Karl, I see what you mean... I suppose the behaviour should be different whether you are copying cross-region or not. In your case, it appears you are only copying cross-account.

It's a great catch! But the fix may be a bit more complicated. I'd want to make I do not break cross-account + cross-region.

Thanks!

[ghost]

I had a hunch it was something like this. Ironically, my actual future use case is cross account + cross region (for full DR protection) -- I was merely testing in the meantime with the cross-account only use case. I think a generalised fix makes sense though of course! BTW, thanks for this project -- it is EXACTLY what I was looking for. It's the moon-on-a-stick for me :-) On 13 Feb 2020, at 13:59, mrcoronel <notifications@github.com<mailto:notifications@github.com>> wrote: Hi Karl, I see what you mean... I suppose the behaviour should be different whether you are copying cross-region or not. In your case, it appears you are only copying cross-account. It's a great catch! But the fix may be a bit more complicated. I'd want to make I do not break cross-account + cross-region. Thanks! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#60?email_source=notifications&email_token=ALQENMG6UWIG57EYZP36B3LRCURZHA5CNFSM4KT2L5U2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELUJZOY#issuecomment-585669819>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ALQENMHXPO5PPLXJUVOZK3LRCURZHANCNFSM4KT2L5UQ>.