

# Sharing a DB snapshot for Amazon RDS

Using Amazon RDS, you can share a manual DB snapshot in the following ways:
+ Sharing a manual DB snapshot, whether encrypted or unencrypted, enables authorized AWS accounts to copy the snapshot.
+ Sharing an unencrypted manual DB snapshot enables authorized AWS accounts to directly restore a DB instance from the snapshot instead of taking a copy of it and restoring from that. However, you can't restore a DB instance from a DB snapshot that is both shared and encrypted. Instead, you can make a copy of the DB snapshot and restore the DB instance from the copy.

**Note**  
To share an automated DB snapshot, create a manual DB snapshot by copying the automated snapshot, and then share that copy. This process also applies to AWS Backup–generated resources.

For more information on copying a snapshot, see [Copying a DB snapshot for Amazon RDS](USER_CopySnapshot.md). For more information on restoring a DB instance from a DB snapshot, see [Restoring to a DB instance](USER_RestoreFromSnapshot.md).

You can share a manual snapshot with up to 20 other AWS accounts.

The following limitations apply when you share manual snapshots with other AWS accounts:
+ When you restore a DB instance from a shared snapshot using the AWS Command Line Interface (AWS CLI) or Amazon RDS API, you must specify the Amazon Resource Name (ARN) of the shared snapshot as the snapshot identifier.
+ You can't share a DB snapshot that uses an option group with permanent or persistent options, except for Oracle DB instances that have the `Timezone` or `OLS` option (or both).

  A *permanent option* can't be removed from an option group. Option groups with persistent options can't be removed from a DB instance once the option group has been assigned to the DB instance.

  The following table lists permanent and persistent options and their related DB engines.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)

  For Oracle DB instances, you can copy shared DB snapshots that have the `Timezone` or `OLS` option (or both). To do so, specify a target option group that includes these options when you copy the DB snapshot. The OLS option is permanent and persistent only for Oracle DB instances running Oracle version 12.2 or higher. For more information about these options, see [Oracle time zone](Appendix.Oracle.Options.Timezone.md) and [Oracle Label Security](Oracle.Options.OLS.md).
+ You can't share a snapshot of a Multi-AZ DB cluster.

See the following topics for information about sharing public snapshots, sharing encrypted snapshots, and stopping snapshot sharing.

**Topics**
+ [Sharing public snapshots for Amazon RDS](USER_ShareSnapshot.Public.md)
+ [Sharing encrypted snapshots for Amazon RDS](share-encrypted-snapshot.md)
+ [Stopping snapshot sharing for Amazon RDS](share-snapshot-stop.md)

## Sharing a snapshot


You can share a DB snapshot using the AWS Management Console, the AWS CLI, or the RDS API.

### Console


Using the Amazon RDS console, you can share a manual DB snapshot with up to 20 AWS accounts. You can also use the console to stop sharing a manual snapshot with one or more accounts.

**To share a manual DB snapshot by using the Amazon RDS console**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Select the manual snapshot that you want to share.

1. For **Actions**, choose **Share snapshot**.

1. Choose one of the following options for **DB snapshot visibility**.
   + If the source is unencrypted, choose **Public** to permit all AWS accounts to restore a DB instance from your manual DB snapshot, or choose **Private** to permit only AWS accounts that you specify to restore a DB instance from your manual DB snapshot.

     **Warning**  
     If you set **DB snapshot visibility** to **Public**, all AWS accounts can restore a DB instance from your manual DB snapshot and have access to your data. Do not share any manual DB snapshots that contain private information as **Public**.  
     For more information, see [Sharing public snapshots for Amazon RDS](USER_ShareSnapshot.Public.md).
   + If the source is encrypted, **DB snapshot visibility** is set as **Private** because encrypted snapshots can't be shared as public.

     **Note**  
     Snapshots that have been encrypted with the default AWS KMS key can't be shared. For information on how to work around this issue, see [Sharing encrypted snapshots for Amazon RDS](share-encrypted-snapshot.md).

1. For **AWS Account ID**, enter the AWS account identifier for an account that you want to permit to restore a DB instance from your manual snapshot, and then choose **Add**. Repeat to include additional AWS account identifiers, up to 20 AWS accounts.

   If you make an error when adding an AWS account identifier to the list of permitted accounts, you can delete it from the list by choosing **Delete** at the right of the incorrect AWS account identifier.  
![\[Permit AWS accounts to restore a manual DB snapshot\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/ShareSnapshot_add.png)

1. After you have added identifiers for all of the AWS accounts that you want to permit to restore the manual snapshot, choose **Save** to save your changes.

### AWS CLI


To share a DB snapshot, use the `aws rds modify-db-snapshot-attribute` command. Use the `--values-to-add` parameter to add a list of the IDs for the AWS accounts that are authorized to restore the manual snapshot.

**Example of sharing a snapshot with a single account**  
The following example enables AWS account identifier `123456789012` to restore the DB snapshot named `db7-snapshot`.  
For Linux, macOS, or Unix:  

```
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier db7-snapshot \
--attribute-name restore \
--values-to-add 123456789012
```
For Windows:  

```
aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier db7-snapshot ^
--attribute-name restore ^
--values-to-add 123456789012
```

**Example of sharing a snapshot with multiple accounts**  
The following example enables two AWS account identifiers, `111122223333` and `444455556666`, to restore the DB snapshot named `manual-snapshot1`.  
For Linux, macOS, or Unix:  

```
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-add '["111122223333","444455556666"]'
```
For Windows:  

```
aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-add "[\"111122223333\",\"444455556666\"]"
```
When using the Windows command prompt, you must escape double quotes (") in JSON code by prefixing them with a backslash (\\).

To list the AWS accounts enabled to restore a snapshot, use the [describe-db-snapshot-attributes](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-snapshot-attributes.html) AWS CLI command.

### RDS API


You can also share a manual DB snapshot with other AWS accounts by using the Amazon RDS API. To do so, call the [ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html) operation. Specify `restore` for `AttributeName`, and use the `ValuesToAdd` parameter to add a list of the IDs for the AWS accounts that are authorized to restore the manual snapshot.

To make a manual snapshot public and restorable by all AWS accounts, use the value `all`. However, take care not to add the `all` value for any manual snapshots that contain private information that you don't want to be available to all AWS accounts. Also, don't specify `all` for encrypted snapshots, because making such snapshots public isn't supported.

To list all of the AWS accounts permitted to restore a snapshot, use the [DescribeDBSnapshotAttributes](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshotAttributes.html) API operation.
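The following is an added example, not code from the AWS documentation. It parses the JSON that `describe-db-snapshot-attributes` (or the `DescribeDBSnapshotAttributes` API) returns, flags a snapshot whose `restore` attribute contains `all` (public), an encrypted snapshot that is nonetheless marked public, sharing beyond the 20-account limit, and accounts outside an allow-list, and then builds the `modify-db-snapshot-attribute --values-to-remove` invocation that the "Stopping snapshot sharing" section below describes. The sample JSON and account IDs are constructed; the `encrypted` flag is assumed to come from the snapshot's `Encrypted` field in `describe-db-snapshots` output.

```python
"""Audit which accounts may restore a manual DB snapshot and build the
remediation command. Added example, not part of the AWS documentation.
The sample JSON and account IDs below are constructed."""
import json
from typing import List, Optional, Set

MAX_SHARED_ACCOUNTS = 20  # sharing limit stated in the RDS documentation

# Constructed sample in the shape that `aws rds describe-db-snapshot-attributes
# --db-snapshot-identifier manual-snapshot1` (DescribeDBSnapshotAttributes) returns.
# "all" in the restore attribute means the snapshot is public.
SAMPLE_ATTRIBUTES_JSON = """
{
  "DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "manual-snapshot1",
    "DBSnapshotAttributes": [
      {"AttributeName": "restore",
       "AttributeValues": ["111122223333", "444455556666", "all"]}
    ]
  }
}
"""


def load_attributes(text: str) -> dict:
    """Parse the CLI/API JSON output."""
    return json.loads(text)


def restore_values(attributes_doc: dict) -> List[str]:
    """Return the values of the 'restore' attribute: account IDs and possibly 'all'."""
    result = attributes_doc["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def audit_sharing(attributes_doc: dict, encrypted: bool,
                  allowed_accounts: Optional[Set[str]] = None) -> List[str]:
    """Return findings for one snapshot.

    `encrypted` is the snapshot's Encrypted flag from describe-db-snapshots;
    `allowed_accounts` is an optional allow-list of account IDs the snapshot
    is expected to be shared with.
    """
    values = restore_values(attributes_doc)
    accounts = [v for v in values if v != "all"]
    findings = []
    if "all" in values:
        findings.append("PUBLIC: restore attribute contains 'all', so every AWS account "
                        "can copy this snapshot and restore a DB instance from it")
        if encrypted:
            findings.append("INCONSISTENT: snapshot is reported as encrypted yet marked "
                            "public, which RDS does not support")
    if len(accounts) > MAX_SHARED_ACCOUNTS:
        findings.append(f"LIMIT: shared with {len(accounts)} accounts; "
                        f"the limit is {MAX_SHARED_ACCOUNTS}")
    if allowed_accounts is not None:
        unexpected = sorted(set(accounts) - allowed_accounts)
        if unexpected:
            findings.append("UNEXPECTED: shared with accounts outside the allow-list: "
                            + ", ".join(unexpected))
    return findings


def remediation_args(snapshot_id: str, values_to_remove: List[str]) -> List[str]:
    """argv for `aws rds modify-db-snapshot-attribute` that revokes restore
    permission for the given values; removing 'all' makes the snapshot private."""
    if not values_to_remove:
        return []
    return ["aws", "rds", "modify-db-snapshot-attribute",
            "--db-snapshot-identifier", snapshot_id,
            "--attribute-name", "restore",
            "--values-to-remove", *values_to_remove]


if __name__ == "__main__":
    doc = load_attributes(SAMPLE_ATTRIBUTES_JSON)
    for finding in audit_sharing(doc, encrypted=False, allowed_accounts={"111122223333"}):
        print(finding)
    print(" ".join(remediation_args("manual-snapshot1", ["all", "444455556666"])))
```

To run this against a real account, feed the output of `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>` to `load_attributes` for each manual snapshot listed by `aws rds describe-db-snapshots --snapshot-type manual`, and execute the returned argv with `subprocess.run` only after reviewing the findings.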

# Sharing public snapshots for Amazon RDS

You can share an unencrypted manual snapshot as public, which makes the snapshot available to all AWS accounts. Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot.

When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it.

You aren't billed for the backup storage of public snapshots owned by other accounts. You're billed only for snapshots that you own.

If you copy a public snapshot, you own the copy. You're billed for the backup storage of your snapshot copy. If you create a DB instance from a public snapshot, you're billed for that DB instance. For Amazon RDS pricing information, see the [Amazon RDS product page](https://aws.amazon.com/rds/pricing).

You can delete only the public snapshots that you own. To delete a shared or public snapshot, make sure to log into the AWS account that owns the snapshot.

## Viewing public snapshots owned by other AWS accounts


You can view public snapshots owned by other accounts in a particular AWS Region on the **Public** tab of the **Snapshots** page in the Amazon RDS console. Your snapshots (those owned by your account) don't appear on this tab.

**To view public snapshots**

1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Choose the **Public** tab.

   The public snapshots appear. You can see which account owns a public snapshot in the **Owner** column.

   **Note**  
   You might have to modify the page preferences, by selecting the gear icon at the upper right of the **Public snapshots** list, to see this column.

## Viewing your own public snapshots


You can use the following AWS CLI command (Unix only) to view the public snapshots owned by your AWS account in a particular AWS Region. Replace `account_number` with your AWS account ID; `grep` then keeps only the snapshot ARNs that contain it.

```
aws rds describe-db-snapshots --snapshot-type public --include-public | grep account_number
```

The output returned is similar to the following example if you have public snapshots.

```
"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:mysnapshot1",
"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:mysnapshot2",
```

**Note**  
You might see duplicate entries for `DBSnapshotIdentifier` or `SourceDBSnapshotIdentifier`.

## Sharing public snapshots from deprecated DB engine versions


Restoring or copying public snapshots from deprecated DB engine versions isn't supported.

The RDS for Oracle and RDS for PostgreSQL DB engines support upgrading DB snapshot engine versions directly. You can upgrade your snapshots, then re-share them publicly. For more information, see the following:
+ [Upgrading an Oracle DB snapshot](USER_UpgradeDBSnapshot.Oracle.md)
+ [Upgrading a PostgreSQL DB snapshot engine version](USER_UpgradeDBSnapshot.PostgreSQL.md)

For other DB engines, perform the following steps to make your existing unsupported public snapshot available to restore or copy:

1. Mark the snapshot as private.

1. Restore the snapshot.

1. Upgrade the restored DB instance to a supported engine version.

1. Create a new snapshot.

1. Re-share the snapshot publicly.

# Sharing encrypted snapshots for Amazon RDS

You can share DB snapshots that have been encrypted "at rest" using the AES-256 encryption algorithm, as described in [Encrypting Amazon RDS resources](Overview.Encryption.md).

The following restrictions apply to sharing encrypted snapshots:
+ You can't share encrypted snapshots as public.
+ You can't share Oracle or Microsoft SQL Server snapshots that are encrypted using Transparent Data Encryption (TDE).
+ You can't share a snapshot that has been encrypted using the default KMS key of the AWS account that shared the snapshot.

  For more information about AWS KMS key management for Amazon RDS, see [AWS KMS key management](Overview.Encryption.Keys.md).

To work around the default KMS key issue, perform the following tasks:

1. [Create a customer managed key and give access to it](#share-encrypted-snapshot.cmk).

1. [Copy and share the snapshot from the source account](#share-encrypted-snapshot.share).

1. [Copy the shared snapshot in the target account](#share-encrypted-snapshot.target).

## Create a customer managed key and give access to it


First you create a custom KMS key in the same AWS Region as the encrypted DB snapshot. While creating the customer managed key, you give access to it for another AWS account.

**Note**  
You can also use a KMS key from another AWS account when the key policy grants access to the source and target accounts.

**To create a customer managed key and give access to it**

1. Sign in to the AWS Management Console from the source AWS account.

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

1. Choose **Create key**.

1. On the **Configure key** page:

   1. For **Key type**, select **Symmetric**.

   1. For **Key usage**, select **Encrypt and decrypt**.

   1. Expand **Advanced options**.

   1. For **Key material origin**, select **KMS**.

   1. For **Regionality**, select **Single-Region key**.

   1. Choose **Next**.

1. On the **Add labels** page:

   1. For **Alias**, enter a display name for your KMS key, for example **share-snapshot**.

   1. (Optional) Enter a description for your KMS key.

   1. (Optional) Add tags to your KMS key.

   1. Choose **Next**.

1. On the **Define key administrative permissions** page, choose **Next**.

1. On the **Define key usage permissions** page:

   1. For **Other AWS accounts**, choose **Add another AWS account**.

   1. Enter the ID of the AWS account to which you want to give access.

      You can give access to multiple AWS accounts.

   1. Choose **Next**.

1. Review your KMS key, then choose **Finish**.
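As an added pre-flight check (not code from the AWS documentation), the following script verifies two things about the key created above before you copy and share a snapshot with it: that the key is customer managed rather than an AWS managed key such as the default `aws/rds` key (which the restrictions above say can't be used for sharing), and that the key policy grants the target account the actions it needs. The key metadata and policy are constructed to match the shape of `aws kms describe-key` (`KeyMetadata`) and `aws kms get-key-policy` output; the required-action list is an assumption modelled on the statements the KMS console adds for accounts listed under **Other AWS accounts**.

```python
"""Pre-flight check before copying an encrypted DB snapshot with a customer
managed key and sharing it with another account. Added example, not part of
the AWS documentation; key metadata, policy and account IDs are constructed."""
from fnmatch import fnmatchcase
from typing import List

# Actions the target account needs on the key to copy the shared snapshot.
# Assumption: modelled on the "key users" statements the KMS console adds for
# accounts listed under "Other AWS accounts".
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant",
]

# Constructed: the KeyMetadata object returned by `aws kms describe-key`.
SAMPLE_KEY_METADATA = {
    "KeyManager": "CUSTOMER",  # "AWS" means an AWS managed key such as aws/rds
    "KeyState": "Enabled",
}

# Constructed: the key policy returned by `aws kms get-key-policy`, as the
# console generates it when 444455556666 is added under "Other AWS accounts".
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def principal_covers(principal, account_id: str) -> bool:
    """True if the statement's Principal names the account root (or everyone)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", account_id, f"arn:aws:iam::{account_id}:root")
               for p in _as_list(principal.get("AWS")))


def action_patterns(policy: dict, account_id: str, effect: str) -> List[str]:
    """Action patterns of every statement with `effect` that applies to the
    account. Statement Conditions are not evaluated in this simplified check."""
    patterns: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect and principal_covers(stmt.get("Principal"), account_id):
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def missing_actions(policy: dict, account_id: str) -> List[str]:
    """Required actions the policy does not allow, or explicitly denies, for the
    account. IAM matches action names case-insensitively with * wildcards."""
    allow = [p.lower() for p in action_patterns(policy, account_id, "Allow")]
    deny = [p.lower() for p in action_patterns(policy, account_id, "Deny")]
    missing = []
    for action in REQUIRED_ACTIONS:
        name = action.lower()
        allowed = any(fnmatchcase(name, p) for p in allow)
        denied = any(fnmatchcase(name, p) for p in deny)
        if denied or not allowed:
            missing.append(action)
    return missing


def preflight(key_metadata: dict, policy: dict, target_account: str) -> List[str]:
    """Empty list if the key is usable for the sharing workflow, else findings."""
    findings = []
    if key_metadata.get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS managed (for example the default aws/rds key); "
                        "snapshots encrypted with it can't be shared")
    if key_metadata.get("KeyState") != "Enabled":
        findings.append(f"key state is {key_metadata.get('KeyState')}, not Enabled")
    missing = missing_actions(policy, target_account)
    if missing:
        findings.append(f"key policy does not grant account {target_account}: "
                        + ", ".join(missing))
    return findings


if __name__ == "__main__":
    print(preflight(SAMPLE_KEY_METADATA, SAMPLE_KEY_POLICY, "444455556666") or "OK")
    print(preflight(SAMPLE_KEY_METADATA, SAMPLE_KEY_POLICY, "999999999999"))
```

Run `preflight` with the real `KeyMetadata` and policy documents before the copy step; an empty result means the key is customer managed, enabled, and grants the target account every action in the assumed list, while a non-empty result names what to fix in the key policy.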

## Copy and share the snapshot from the source account


Next you copy the source DB snapshot to a new snapshot using the customer managed key. Then you share it with the target AWS account.

**To copy and share the snapshot**

1. Sign in to the AWS Management Console from the source AWS account.

1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Select the DB snapshot you want to copy.

1. For **Actions**, choose **Copy snapshot**.

1. On the **Copy snapshot** page:

   1. For **Destination Region**, choose the AWS Region where you created the customer managed key in the previous procedure.

   1. Enter the name of the DB snapshot copy in **New DB Snapshot Identifier**.

   1. For **AWS KMS key**, choose the customer managed key that you created.  
![\[Choose the customer managed key.\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/copy-encrypted-snapshot.png)

   1. Choose **Copy snapshot**.

1. When the snapshot copy is available, select it.

1. For **Actions**, choose **Share snapshot**.

1. On the **Snapshot permissions** page:

   1. Enter the **AWS account ID** with which you're sharing the snapshot copy, then choose **Add**.

   1. Choose **Save**.

   The snapshot is shared.

## Copy the shared snapshot in the target account


Now you can copy the shared snapshot in the target AWS account.

**To copy the shared snapshot**

1. Sign in to the AWS Management Console from the target AWS account.

1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Choose the **Shared with me** tab.

1. Select the shared snapshot.

1. For **Actions**, choose **Copy snapshot**.

1. Choose your settings for copying the snapshot as in the previous procedure, but use an AWS KMS key that belongs to the target account.

   Choose **Copy snapshot**.

# Stopping snapshot sharing for Amazon RDS

To stop sharing a DB snapshot, you remove permission from the target AWS account.

## Console


**To stop sharing a manual DB snapshot with an AWS account**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Snapshots**.

1. Select the manual snapshot that you want to stop sharing.

1. Choose **Actions**, and then choose **Share snapshot**.

1. To remove permission for an AWS account, choose **Delete** for the AWS account identifier for that account from the list of authorized accounts.

1. Choose **Save** to save your changes.

## CLI


To remove an AWS account identifier from the list, use the `--values-to-remove` parameter.

**Example of stopping snapshot sharing**  
The following example prevents AWS account ID 444455556666 from restoring the snapshot.  
For Linux, macOS, or Unix:  

```
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-remove 444455556666
```
For Windows:  

```
aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-remove 444455556666
```

## RDS API


To remove sharing permission for an AWS account, use the [ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html) operation with `AttributeName` set to `restore` and the `ValuesToRemove` parameter. To mark a manual snapshot as private, remove the value `all` from the values list for the `restore` attribute.