# Backing up and restoring in Amazon DocumentDB Backing up and restoring Amazon DocumentDB (with MongoDB compatibility) continuously backs up your data to Amazon Simple Storage Service (Amazon S3) for 1–35 days so that you can quickly restore to any point within the backup retention period. Amazon DocumentDB also takes automatic snapshots of your data as part of this continuous backup process. **Note** These are service-managed Amazon S3 buckets and you will not have access to the backup files. If you want to control your own backups, follow the instructions on [Dumping, Restoring, Importing, and Exporting Data](https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-dump_restore_import_export_data.html). You can also retain backup data beyond the backup retention period by creating a manual snapshot of your cluster's data. The backup process does not impact your cluster's performance. This section discusses the use cases for the backup capabilities in Amazon DocumentDB and shows you how to manage backups for your Amazon DocumentDB clusters. **Topics** + [ # Back up and restore: concepts ](backup_restore-nouns_verbs.md) + [ # Understanding backup storage usage ](backup_restore-understanding_backup_storage_usage.md) + [ # Dumping, restoring, importing, and exporting data ](backup_restore-dump_restore_import_export_data.md) + [ # Cluster snapshot considerations ](backup_restore-cluster_snapshot_considerations.md) + [ # Comparing automatic and manual snapshots ](backup_restore-compare_automatic_manual_snapshots.md) + [Creating a manual cluster snapshot](backup_restore-create_manual_cluster_snapshot.md) + [Copying a cluster snapshot](backup_restore-copy_cluster_snapshot.md) + [Sharing a cluster snapshot](backup_restore-share_cluster_snapshots.md) + [ # Restoring from a cluster snapshot ](backup_restore-restore_from_snapshot.md) + [ # Restoring to a point in time ](backup_restore-point_in_time_recovery.md) + [Deleting a cluster snapshot](backup_restore-delete_cluster_snapshot.md) # Back up and restore: concepts | Noun | Description | APIs (Verbs) | | --- | --- | --- | | Backup retention period | A period of time between 1 and 35 days for which you can perform a point-in-time restore. | `create-db-cluster` `modify-db-cluster` `restore-db-cluster-to-point-in-time` | | Amazon DocumentDB storage volume | Highly available and highly durable storage volume that replicates data six ways across three Availability Zones. An Amazon DocumentDB cluster is highly durable regardless of the number of instances in the cluster. | `create-db-cluster` `delete-db-cluster` | | Backup window | Period of time in the day in which automatic snapshots are taken. | `create-db-cluster` `describe-db-cluster` `modify-db-cluster` | | Automatic snapshot | Daily snapshots that are full backups of cluster and are automatically created by the continuous backup process in Amazon DocumentDB. | `restore-db-cluster-from-snapshot` `describe-db-cluster-snapshot-attributes` `describe-db-cluster-snapshots` | | Manual snapshot | Snapshots you create manually to retain full backups of a cluster beyond the backup period. | `create-db-cluster-snapshot` `copy-db-cluster-snapshot` `delete-db-cluster-snapshot` `describe-db-cluster-snapshot-attributes` `describe-db-cluster-snapshots` `modify-db-cluster-snapshot-attribute` | # Understanding backup storage usage Amazon DocumentDB backup storage consists of continuous backups within the backup retention period and manual snapshots outside the retention period. To control your backup storage usage, you can reduce the backup retention interval, remove old manual snapshots when they are no longer needed, or both. For general information about Amazon DocumentDB backups, see [Backing up and restoring in Amazon DocumentDB](backup_restore.md). For pricing information about Amazon DocumentDB backup storage, see [Amazon DocumentDB Pricing](https://aws.amazon.com/documentdb/pricing/). To control your costs, you can monitor the amount of storage consumed by continuous backups and manual snapshots that persist beyond the retention period. Then you can reduce the backup retention interval and remove manual snapshots when they are no longer needed. You can use the Amazon CloudWatch metrics `TotalBackupStorageBilled`, `SnapshotStorageUsed`, and `BackupRetentionPeriodStorageUsed` to review and monitor the amount of storage used by your Amazon DocumentDB backups, as follows: + `BackupRetentionPeriodStorageUsed` represents the amount of backup storage used for storing continuous backups at the current time. This metric value depends on the size of the cluster volume and the number of changes you make during the retention period. However, for billing purposes the metric does not exceed the cumulative cluster volume size during the retention period. For example, if your cluster size is 100 GiB and your retention period is two days, the maximum value for `BackRetentionPeriodStorageUsed` is 200 GiB (100 GiB \$1 100 GiB).   + `SnapshotStorageUsed` represents the amount of backup storage used for storing manual snapshots beyond the backup retention period. Manual snapshots taken within the retention period do not count against your backup storage. Similarly, automatic snapshots do not count against your backup storage. The size of each snapshot is the size of the cluster volume at the time you take the snapshot. The `SnapshotStorageUsed` value depends on the number of snapshots you keep and the size of each snapshot. For example, suppose that you have one snapshot outside the retention period and cluster volume size was 100 GiB when that snapshot was taken. The amount of `SnapshotStorageUsed` is 100 GiB.   + `TotalBackupStorageBilled` represents the sum of `BackupRetentionPeriodStorageUsed` and `SnapshotStorageUsed`, minus an amount of free backup storage equal to the size of cluster volume for one day. For example, if your cluster size is 100 GiB, you have one retention day, and you have one snapshot outside the retention period, the `TotalBackupStorageBilled` is 100 GiB (100 GiB \$1 100 GiB - 100 GiB).   + These metrics are computed independently for each Amazon DocumentDB cluster. You can monitor your Amazon DocumentDB clusters and build reports using CloudWatch metrics through the [CloudWatch console](https://console.aws.amazon.com/cloudwatch). For more information about how to use CloudWatch metrics, see [Monitoring Amazon DocumentDB](monitoring_docdb.md). # Dumping, restoring, importing, and exporting data You can use the `mongodump`, `mongorestore`, `mongoexport`, and `mongoimport` utilities to move data in and out of your Amazon DocumentDB cluster. This section discusses the purpose of each of these tools and configurations to help you achieve better performance. **Topics** + [ ## `mongodump` ](#backup_restore-dump_restore_import_export_data-mongodump) + [ ## `mongorestore` ](#backup_restore-dump_restore_import_export_data-mongorestore) + [ ## `mongoexport` ](#backup_restore-dump_restore_import_export_data-mongoexport) + [ ## `mongoimport` ](#backup_restore-dump_restore_import_export_data-mongoimport) + [ ## Tutorial ](#backup_restore-dump_restore_import_export_data-tutorial) ## `mongodump` The `mongodump` utility creates a binary (BSON) backup of a MongoDB database. The `mongodump` tool is the preferred method of dumping data from your source MongoDB deployment when looking to restore it into your Amazon DocumentDB cluster due to the size efficiencies achieved by storing the data in a binary format. Depending on the resources available on the instance or machine you are using to perform the command, you can speed up your `mongodump` by increasing the number of parallel collections dumped from the default 1 using the `--numParallelCollections` option. A good rule of thumb is to start with one worker per vCPU on your Amazon DocumentDB cluster's primary instance. **Note** We recommend MongoDB Database Tools up to and including version 100.6.1 for Amazon DocumentDB. You can access the MongoDB Database Tools downloads [here](https://www.mongodb.com/download-center/database-tools/releases/archive). ### Example usage The following is an example usage of the `mongodump` utility in the Amazon DocumentDB cluster, `sample-cluster`. ``` mongodump --ssl \ --host="sample-cluster.node.us-east-1.docdb.amazonaws.com:27017" \ --collection=sample-collection \ --db=sample-database \ --out=sample-output-file \ --numParallelCollections 4 \ --username=sample-user \ --password=abc0123 \ --sslCAFile global-bundle.pem ``` ## `mongorestore` The `mongorestore` utility enables you to restore a binary (BSON) backup of a database that was created with the `mongodump` utility. You can improve restore performance by increasing the number of workers for each collection during the restore with the `--numInsertionWorkersPerCollection` option (the default is 1). A good rule of thumb is to start with one worker per vCPU on your Amazon DocumentDB cluster's primary instance. ### Example usage The following is an example usage of the `mongorestore` utility in the Amazon DocumentDB cluster, `sample-cluster`. ``` mongorestore --ssl \ --host="sample-cluster.node.us-east-1.docdb.amazonaws.com:27017" \ --username=sample-user \ --password=abc0123 \ --sslCAFile global-bundle.pem ``` ## `mongoexport` The `mongoexport` tool exports data in Amazon DocumentDB to JSON, CSV, or TSV file formats. The `mongoexport` tool is the preferred method of exporting data that needs to be human or machine readable. **Note** `mongoexport` does not directly support parallel exports. However, it is possible to increase performance by executing multiple `mongoexport` jobs concurrently for different collections. ### Example usage The following is an example usage of the `mongoexport` tool in the Amazon DocumentDB cluster, `sample-cluster`. ``` mongoexport --ssl \ --host="sample-cluster.node.us-east-1.docdb.amazonaws.com:27017" \ --collection=sample-collection \ --db=sample-database \ --out=sample-output-file \ --username=sample-user \ --password=abc0123 \ --sslCAFile global-bundle.pem ``` ## `mongoimport` The `mongoimport` tool imports the contents of JSON, CSV, or TSV files into an Amazon DocumentDB cluster. You can use the `-–numInsertionWorkers` parameter to parallelize and speed up the import (the default is 1). ### Example usage The following is an example usage of the `mongoimport` tool in the Amazon DocumentDB cluster, `sample-cluster`. ``` mongoimport --ssl \ --host="sample-cluster.node.us-east-1.docdb.amazonaws.com:27017" \ --collection=sample-collection \ --db=sample-database \ --file= \ --numInsertionWorkers 4 \ --username=sample-user \ --password=abc0123 \ --sslCAFile global-bundle.pem ``` ## Tutorial The following tutorial describes how to use the `mongodump`, `mongorestore`, `mongoexport`, and `mongoimport` utilities to move data in and out of an Amazon DocumentDB cluster. 1. **Prerequisites** — Before you begin, ensure that your Amazon DocumentDB cluster is provisioned and that you have access to an Amazon EC2 instance in the same VPC as your cluster. For more information, see [Connect using Amazon EC2](connect-ec2.md). To be able to use the mongo utility tools, you must have the mongodb-org-tools package installed in your EC2 instance, as follows. ``` sudo yum install mongodb-org-tools-4.0.18 ``` Because Amazon DocumentDB uses Transport Layer Security (TLS) encryption by default, you must also download the Amazon RDS certificate authority (CA) file to use the mongo shell to connect, as follows. ``` wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem ``` 1. **Download sample data** — For this tutorial, you will download some sample data that contains information about restaurants. ``` wget https://raw.githubusercontent.com/ozlerhakan/mongodb-json-files/master/datasets/restaurant.json ``` 1. **Import the sample data into Amazon DocumentDB ** — Since the data is in a logical JSON format, you will use the `mongoimport` utility to import the data into your Amazon DocumentDB cluster. ``` mongoimport --ssl \ --host="tutorialCluster.amazonaws.com:27017" \ --collection=restaurants \ --db=business \ --file=restaurant.json \ --numInsertionWorkers 4 \ --username= \ --password= \ --sslCAFile global-bundle.pem ``` 1. **Dump the data with `mongodump` ** — Now that you have data in your Amazon DocumentDB cluster, you can take a binary dump of that data using the `mongodump` utility. ``` mongodump --ssl \ --host="tutorialCluster.us-east-1.docdb.amazonaws.com:27017"\ --collection=restaurants \ --db=business \ --out=restaurantDump.bson \ --numParallelCollections 4 \ --username= \ --password= \ --sslCAFile global-bundle.pem ``` 1. **Drop the `restaurants` collection** — Before you restore the `restaurants` collection in the `business` database, you have to first drop the collection that already exists in that database, as follows. ``` use business ``` ``` db.restaurants.drop() ``` 1. **Restore the data with `mongorestore`** — With the binary dump of the data from Step 3, you can now use the `mongorestore` utility to restore your data to your Amazon DocumentDB cluster. ``` mongorestore --ssl \ --host="tutorialCluster.us-east-1.docdb.amazonaws.com:27017" \ --numParallelCollections 4 \ --username= \ --password= \ --sslCAFile global-bundle.pem restaurantDump.bson ``` 1. **Export the data using `mongoexport`** — To complete the tutorial, export the data from your cluster in the format of a JSON file, no different than the file you imported in Step 1. ``` mongoexport --ssl \ --host="tutorialCluster.node.us-east-1.docdb.amazonaws.com:27017" \ --collection=restaurants \ --db=business \ --out=restaurant2.json \ --username= \ --password= \ --sslCAFile global-bundle.pem ``` 1. **Validation** — You can validate that the output of Step 5 yields the same result as Step 1 with the following commands. ``` wc -l restaurant.json ``` Output from this command: ``` 2548 restaurant.json ``` ``` wc -l restaurant2.json ``` Output from this command: ``` 2548 restaurant2.json ``` # Cluster snapshot considerations Amazon DocumentDB creates daily automatic snapshots of your cluster during your cluster's backup window. Amazon DocumentDB saves the automatic snapshots of your cluster according to the backup retention period that you specify. If necessary, you can recover your cluster to any point in time during the backup retention period. Automatic snapshots don't occur while a copy operation is executing in the same Region for the same cluster. **Topics** + [ ## Backup storage ](#backup_restore-backup_storage) + [ ## Backup window ](#backup_restore-backup_window) + [ ## Backup retention period ](#backup_restore-backup_retention_period) + [ ## Copy cluster snapshot encryption ](#backup_restore-encryption) In addition to automatic cluster snapshots, you can also manually create a cluster snapshot. You can copy both automatic and manual snapshots. For more information, see [Creating a manual cluster snapshot](backup_restore-create_manual_cluster_snapshot.md) and [Copying Amazon DocumentDB cluster snapshots](backup_restore-copy_cluster_snapshot.md). **Note** Your cluster must be in the *available* state for an automatic snapshot to be taken. You can't share an Amazon DocumentDB automated cluster snapshot. As a workaround, you can create a manual snapshot by copying the automated snapshot, and then share that copy. For more information about copying a snapshot, see [Copying Amazon DocumentDB cluster snapshots](backup_restore-copy_cluster_snapshot.md). For more information about restoring a cluster from a snapshot, see [Restoring from a cluster snapshot](backup_restore-restore_from_snapshot.md). ## Backup storage Your Amazon DocumentDB backup storage for each AWS Region is composed of the backup storage needed for your backup retention period, which includes automatic and manual cluster snapshots in that Region. The default backup retention period is 1 day. For more information about backup storage pricing, see [Amazon DocumentDB Pricing](https://aws.amazon.com/documentdb/pricing/). When you delete a cluster, all of its automatic snapshots are deleted and cannot be recovered. However, manual snapshots are not deleted when you delete a cluster. if you choose to have Amazon DocumentDB create a final snapshot (manual snapshot) before your cluster is deleted, you can use the final snapshot to recover your cluster. For more information on snapshots and storage, see [Understanding backup storage usage](backup_restore-understanding_backup_storage_usage.md). ## Backup window Automatic snapshots occur daily during the preferred backup window. If the snapshot requires more time than allotted to the backup window, the backup process continues until it finishes, even though the backup window has ended. The backup window can't overlap with the weekly maintenance window for the cluster. If you don't specify a preferred backup window when you create the cluster, Amazon DocumentDB assigns a default 30-minute backup window. This window is chosen at random from an 8-hour block of time associated with your cluster's Region. You can change your preferred backup window by modifying the cluster. For more information, see [Modifying an Amazon DocumentDB cluster](db-cluster-modify.md). | Region Name | Region | UTC Time Block | | --- | --- | --- | | US East (Ohio) | us-east-2 | 03:00-11:00 | | US East (N. Virginia) | us-east-1 | 03:00-11:00 | | US West (Oregon) | us-west-2 | 06:00-14:00 | | Africa (Cape Town) | af-south-1 | 03:00–11:00 | | Asia Pacific (Hong Kong) | ap-east-1 | 06:00-14:00 | | Asia Pacific (Hyderabad) | ap-south-2 | 06:30–14:30 | | Asia Pacific (Malaysia) | ap-southeast-5 | 13:00-21:00 | | Asia Pacific (Mumbai) | ap-south-1 | 06:00-14:00 | | Asia Pacific (Osaka) | ap-northeast-3 | 12:00-20:00 | | Asia Pacific (Seoul) | ap-northeast-2 | 13:00-21:00 | | Asia Pacific (Singapore) | ap-southeast-1 | 14:00-22:00 | | Asia Pacific (Sydney) | ap-southeast-2 | 12:00-20:00 | | Asia Pacific (Jakarta) | ap-southeast-3 | 08:00-16:00 | | Asia Pacific (Melbourne) | ap-southeast-4 | 11:00-19:00 | | Asia Pacific (Thailand) | ap-southeast-7 | 15:00-23:00 | | Asia Pacific (Tokyo) | ap-northeast-1 | 13:00-21:00 | | Canada (Central) | ca-central-1 | 03:00-11:00 | | China (Beijing) | cn-north-1 | 06:00-14:00 | | China (Ningxia) | cn-northwest-1 | 06:00-14:00 | | Europe (Frankfurt) | eu-central-1 | 21:00-05:00 | | Europe (Zurich) | eu-central-2 | 02:00-10:00 | | Europe (Ireland) | eu-west-1 | 22:00-06:00 | | Europe (London) | eu-west-2 | 22:00-06:00 | | Europe (Milan) | eu-south-1 | 02:00-10:00 | | Europe (Paris) | eu-west-3 | 23:59-07:29 | | Europe (Spain) | eu-south-2 | 02:00–10:00 | | Europe (Stockholm) | eu-north-1 | 04:00–12:00 | | Mexico (Central) | mx-central-1 | 03:00-11:00 | | Middle East (UAE) | me-central-1 | 05:00–13:00 | | South America (São Paulo) | sa-east-1 | 00:00-08:00 | | Israel (Tel Aviv) | il-central-1 | 04:00-12:00 | | AWS GovCloud (US-East) | us-gov-east-1 | 17:00-01:00 | | AWS GovCloud (US-West) | us-gov-west-1 | 06:00-14:00 | ## Backup retention period The backup retention period is the number of days an automatic backup is retained before being automatically deleted. Amazon DocumentDB supports a backup retention period of 1–35 days. You can set the backup retention period when you create a cluster. If you don't explicitly set the backup retention period, the default backup retention period of 1 day is assigned to your cluster. After you create a cluster, you can modify the backup retention period by modifying the cluster using either the AWS Management Console or the AWS CLI. For more information, see [Modifying an Amazon DocumentDB cluster](db-cluster-modify.md). ## Copy cluster snapshot encryption Cluster and snapshot encryption is based on a KMS encryption key. The KMS key ID is the Amazon Resource Name (ARN), KMS key identifier, or the KMS key alias for the KMS encryption key. The following guidelines and limitations apply: + Encryption is inferred from the cluster when creating a snapshot. If the cluster is encrypted, the snapshot of that cluster is encrypted with the same KMS key. If the cluster is not encrypted, the snapshot is not encrypted. + If you copy an encrypted cluster snapshot from your Amazon Web Services account, you can specify a value for `KmsKeyId` to encrypt the copy with a new KMS encryption key. If you don't specify a value for `KmsKeyId` , then the copy of the cluster snapshot is encrypted with the same KMS key as the source cluster snapshot. + If you copy an encrypted cluster snapshot that is shared from another Amazon Web Services account, then you must specify a value for `KmsKeyId`. + To copy an encrypted cluster snapshot to another Amazon Web Services Region, set `KmsKeyId` to the KMS key ID that you want to use to encrypt the copy of the cluster snapshot in the destination Region. KMS encryption keys are specific to the Amazon Web Services Region that they are created in, and you can't use encryption keys from one Amazon Web Services Region in another Amazon Web Services Region. + If you copy an unencrypted cluster snapshot and specify a value for the `KmsKeyId` parameter, an error is returned. # Comparing automatic and manual snapshots The following are key features of Amazon DocumentDB (with MongoDB compatibility) automatic and manual snapshots. **Amazon DocumentDB automatic snapshots have the following key features:** + **Automatic snapshot naming** — Automatic snapshot names follow the pattern `rds:-yyyy-mm-dd-hh-mm`, with `yyyy-mm-dd-hh-mm` representing the date and time the snapshot was created. + **Created automatically on a schedule** — When you create or modify a cluster, you can set the *backup retention period* to an integer value from 1 to 35 days. By default, new clusters have a backup retention period of 1 day. The backup retention period defines the number of days that automatic snapshots are kept before being automatically deleted. You can't disable automatic backups on Amazon DocumentDB clusters. In addition to setting the backup retention period, you also set the *backup window*, the time of day during which automatic snapshots are created. + **Deleting automatic snapshots** — Automatic snapshots are deleted when you delete the automatic snapshot's cluster. You can't manually delete an automatic snapshot. + **Incremental** — During the backup retention period, database updates are recorded so that there is an incremental record of changes. + **Restoring from an automatic snapshot** — You can restore from an automatic snapshot using the AWS Management Console or the AWS CLI. When you restore from a snapshot using the AWS CLI, you must add instances separately after the cluster is *available*. + **Sharing** — You can't share an Amazon DocumentDB automated cluster snapshot. As a workaround, you can create a manual snapshot by copying the automated snapshot, and then share that copy. For more information about copying a snapshot, see [Copying Amazon DocumentDB cluster snapshots](backup_restore-copy_cluster_snapshot.md). For more information about restoring a cluster from a snapshot, see [Restoring from a cluster snapshot](backup_restore-restore_from_snapshot.md). + **You can restore from any point within the backup retention period** — Because database updates are incrementally recorded, you can restore your cluster to any point in time within the backup retention period. When you restore from an automatic snapshot or from a point-in-time restore using the AWS CLI, you must add instances separately after the cluster is *available*. **Amazon DocumentDB manual snapshots have the following key features:** + **Created on demand** — Amazon DocumentDB manual snapshots are created on demand using the Amazon DocumentDB Management Console or AWS CLI. + **Deleting a manual snapshot** —A manual snapshot is deleted only when you explicitly delete it using either the Amazon DocumentDB console or AWS CLI. A manual snapshot is not deleted when you delete its cluster. + **Full backups** — When a manual snapshot is taken, a full backup of your cluster's data is created and stored. + **Manual snapshot naming** — You specify the manual snapshot name. Amazon DocumentDB does not add a `datetime` stamp to the name, so you must add that information if you want it included in the name. + **Restoring from a manual snapshot** —You can restore from a manual snapshot using the console or the AWS CLI. When you restore from a snapshot using the AWS CLI, you must add instances separately after the cluster is *available*. + **Service Quotas** — You are limited to a maximum of 100 manual snapshots per AWS Region. + **Sharing** — You can share manual cluster snapshots, which can be copied by authorized AWS accounts. You can share encrypted or unencrypted manual snapshots. For more information about copying a snapshot, see [Copying Amazon DocumentDB cluster snapshots](backup_restore-copy_cluster_snapshot.md). + **You restore to when the manual snapshot was taken** —When you restore from a manual snapshot, you restore to when the manual snapshot was taken. When you restore from a snapshot using the AWS CLI, you must add instances separately after the cluster is *available*. # Creating a manual cluster snapshot Creating a manual cluster snapshot You can create a manual snapshot using either the AWS Management Console or AWS CLI. The amount of time it takes to create a snapshot varies with the size of your databases. When you create a snapshot, you must do the following: 1. Identify which cluster to back up. 1. Give your snapshot a name. This allows you to restore from it later. ------ #### [ Using the AWS Management Console ] To create a manual snapshot using the AWS Management Console, you can follow either method below. 1. **Method 1:** 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Snapshots**. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. On the **Snapshots** page, choose **Create**. 1. On the **Create cluster snapshot** page: 1. **Cluster identifier** — From the drop-down list of clusters, choose the cluster that you want to create a snapshot of. 1. **Snapshot identifier** — Enter a name for your snapshot. Snapshot naming constraints: + Length is [1–255] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters (across Amazon RDS, Amazon Neptune, and Amazon DocumentDB) per AWS account, per Region. 1. Choose **Create**. 1. **Method 2:** 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Clusters**. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. On the **Clusters** page, choose the button to the left of the cluster that you want to snapshot. 1. From the **Actions** menu, choose **Take snapshot**. 1. On the **Create cluster snapshot** page: 1. **Snapshot identifier** — Enter a name for your snapshot. Snapshot naming constraints: + Length is [1–63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters (across Amazon RDS, Amazon Neptune, and Amazon DocumentDB) per AWS account, per Region. 1. Choose **Create**. ------ #### [ Using the AWS CLI ] To create a cluster snapshot using the AWS CLI, use the `create-db-cluster-snapshot` operation with the following parameters. **Parameters** + **--db-cluster-identifier** — Required. The name of the cluster that you are taking a snapshot of. This cluster must exist and be *available*. + **--db-cluster-snapshot-identifier** — Required. The name of the manual snapshot that you are creating. The following example creates a snapshot named `sample-cluster-snapshot` for a cluster named `sample-cluster`. For Linux, macOS, or Unix: ``` aws docdb create-db-cluster-snapshot \ --db-cluster-identifier sample-cluster \ --db-cluster-snapshot-identifier sample-cluster-snapshot ``` For Windows: ``` aws docdb create-db-cluster-snapshot ^ --db-cluster-identifier sample-cluster ^ --db-cluster-snapshot-identifier sample-cluster-snapshot ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshot": { "AvailabilityZones": [ "us-east-1a", "us-east-1b", "us-east-1c" ], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2020-04-24T04:59:08.475Z", "Engine": "docdb", "Status": "creating", "Port": 0, "VpcId": "vpc-abc0123", "ClusterCreateTime": "2020-01-10T22:13:38.261Z", "MasterUsername": "master-user", "EngineVersion": "4.0.0", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1::key/sample-key", "DBClusterSnapshotArn": "arn:aws:rds:us-east-1::cluster-snapshot:sample-cluster-snapshot" } } ``` ------ # Copying Amazon DocumentDB cluster snapshots Copying a cluster snapshot In Amazon DocumentDB, you can copy snapshots within the same AWS Region or to a different AWS Region. You can also copy shared snapshots to your account in the same AWS Region or in a different AWS Region. For more information on sharing snapshots, see [Sharing Amazon DocumentDB cluster snapshots](backup_restore-share_cluster_snapshots.md). **Note** Amazon DocumentDB bills you based upon the amount of backup and snapshot data you keep and the period of time that you keep it. For more information about the storage associated with Amazon DocumentDB backups and snapshots, see [Understanding backup storage usage](backup_restore-understanding_backup_storage_usage.md). For pricing information about Amazon DocumentDB storage, see [Amazon DocumentDB Pricing](https://aws.amazon.com/documentdb/pricing/). **Topics** + [ ## Copying shared snapshots ](#backup_restore-copy_shared_cluster_snapshot) + [ ## Copying snapshots across AWS Regions ](#backup_restore-copy_snapshot_across_regions) + [ ## Limitations ](#backup_restore-copy_cluster_snapshot-limitations) + [ ## Handling encryption ](#backup_restore-copy_cluster_snapshot-handle_encryption) + [ ## Parameter group considerations ](#backup_restore-copy_cluster_snapshot-parameter_group_considerations) + [ ## Copying a cluster snapshot ](#backup_restore-copy_a_cluster_snapshot) ## Copying shared snapshots You can copy snapshots shared to you by other AWS accounts. If you are copying an encrypted snapshot that has been shared from another AWS account, you must have access to the AWS KMS encryption key that was used to encrypt the snapshot. For more information, see [Handling encryption](#backup_restore-copy_cluster_snapshot-handle_encryption). ## Copying snapshots across AWS Regions When you copy a snapshot to an AWS Region that is different from the source snapshot's AWS Region, each copy is a full snapshot. A full snapshot copy contains all of the data and meta data required to restore the Amazon DocumentDB cluster. ## Limitations The following are some limitations when you copy snapshots: + If you delete a source snapshot before the target snapshot becomes available, the snapshot copy may fail. Verify that the target snapshot has a status of `AVAILABLE` before you delete a source snapshot. + You can have up to five snapshot copy requests in progress to a single destination Region per account. + Depending on the AWS Regions involved and the amount of data to be copied, a cross-region snapshot copy can take hours to complete. In some cases, there might be a large number of cross-region snapshot copy requests from a given source AWS Region. In these cases, Amazon DocumentDB might put new cross-region copy requests from that source AWS Region into a queue until some in-progress copies complete. No progress information is displayed about copy requests while they are in the queue. Progress information is displayed when the copy starts. ## Handling encryption You can copy a snapshot that has been encrypted using an AWS KMS encryption key. If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted. If you copy an encrypted snapshot within the same AWS Region, you can encrypt the copy with the same AWS KMS encryption key as the original snapshot, or you can specify a different AWS KMS encryption key. If you copy an encrypted snapshot across Regions, you can't use the same AWS KMS encryption key for the copy as used for the source snapshot, because AWS KMS keys are Region-specific. Instead, you must specify an AWS KMS key valid in the destination AWS Regionn. The source snapshot remains encrypted throughout the copy process. For more information, see [Data protection in Amazon DocumentDB](security.data-protection.md). **Note** For Amazon DocumentDB cluster snapshots, you can't encrypt an unencrypted cluster snapshot when you copy the snapshot. ## Parameter group considerations When you copy a snapshot across Regions, the copy doesn't include the parameter group used by the original Amazon DocumentDB cluster. When you restore a snapshot to create a new cluster, that cluster gets the default parameter group for the AWS Region it is created in. To give the new cluster the same parameters as the original, you must do the following: 1. In the destination AWS Region, [ create an Amazon DocumentDB cluster parameter group](https://docs.aws.amazon.com/documentdb/latest/developerguide/cluster_parameter_groups-create.html) with the same settings as the original cluster. If one already exists in the new AWS Region, you can use that one. 1. After you restore the snapshot in the destination AWS Region, modify the new Amazon DocumentDB cluster and add the new or existing parameter group from the previous step. For more information, see [Modifying an Amazon DocumentDB cluster](db-cluster-modify.md). ## Copying a cluster snapshot You can copy an Amazon DocumentDB cluster using the AWS Management Console or the AWS CLI, as follows. ------ #### [ Using the AWS Management Console ] To make a copy of a cluster snapshot using the AWS Management Console, complete the following steps. This procedure works for copying encrypted or unencrypted cluster snapshots, in the same AWS Region or across Regions. 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Snapshots**, and then choose the button to the left of the snapshot that you want to copy. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. From the **Actions** menu, choose **Copy**. 1. In the resulting **Make Copy of cluster snapshot** page, complete the **Settings** section. 1. **Destination Region** — Optional. To copy the cluster snapshot to a different AWS Region, choose that AWS Region for **Destination Region**. 1. **New snapshot identifier** — Enter a name for the new snapshot. Target snapshot naming constraints: + Cannot be the name of an existing snapshot. + Length is [1—63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters across Amazon RDS, Neptune, and Amazon DocumentDB per AWS account, per Region. 1. **Copy tags** — To copy any tags you have on your source snapshot to your snapshot copy, choose **Copy tags**. 1. Complete the **Encryption-at-rest** section. 1. **Encryption at rest** — If your snapshot is not encrypted, these options are not available to you because you cannot create an encrypted copy from an unencrypted snapshot. If your snapshot is encrypted, you can change the AWS KMS key used during encryption at rest. For more information about encrypting snapshot copies, see [Copy cluster snapshot encryption](backup_restore-cluster_snapshot_considerations.md#backup_restore-encryption). For more information about encryption at rest, see [Encrypting Amazon DocumentDB data at rest](encryption-at-rest.md). 1. **AWS KMS Key** — From the drop-down list, choose one of the following: + **(default) aws/rds** — The account number and AWS KMS key ID are listed following this option. + **** — If you created a key, it is listed and available for you to choose. + **Enter a key ARN** — In the **ARN** box, enter the Amazon Resource Name (ARN) for your AWS KMS key. The format of the ARN is `arn:aws:kms:::key/ `. 1. To make a copy of the selected snapshot, choose **Copy snapshot**. Alternatively, you can choose **Cancel** to not make a copy of the snapshot. ------ #### [ Using the AWS CLI ] To make a copy of an unencrypted cluster snapshot using the AWS CLI, use the `copy-db-cluster-snapshot` operation with the following parameters. If you are copying the snapshot to another AWS Region, run the command in the AWS Region to which the snapshot will be copied. + **--source-db-cluster-snapshot-identifier** — Required. The identifier of the cluster snapshot to make a copy of. The cluster snapshot must exist and be in the available state. If you are copying the snapshot to another AWS Region or if you are copying a shared cluster snapshot, this identifier must be in the ARN format of the source cluster snapshot. This parameter is not case sensitive. + **--target-db-cluster-snapshot-identifier** — Required. The identifier of the new cluster snapshot to create from the source cluster snapshot. This parameter is not case sensitive. Target snapshot naming constraints: + Cannot be the name of an existing snapshot. + Length is [1—63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters across Amazon RDS, Neptune, and Amazon DocumentDB per AWS account, per Region. + **--source-region** — If you are copying the snapshot to another AWS Region, specify the AWS Region that the encrypted cluster snapshot will be copied from. If you're copying the snapshot to another AWS Region and you don't specify `--source-region`, you must specify the `pre-signed-url` option instead. The `pre-signed-url` value must be a URL that contains a Signature Version 4 signed request for the `CopyDBClusterSnapshot` action to be called in the source AWS Region where the cluster snapshot is copied from. To learn more about the `pre-signed-url`, see [ CopyDBClusterSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CopyDBClusterSnapshot.html). + **--kms-key-id** — The KMS key identifier for the key to use to encrypt the copy of the cluster snapshot. If you are copying an encrypted cluster snapshot to another AWS Region, this parameter is required. You must specify a KMS key for the destination AWS Region. If you are copying an encrypted cluster snapshot in the same AWS Region, the AWS KMS key parameter is optional. The copy of the cluster snapshot is encrypted with the same AWS KMS key as the source cluster snapshot. If you want to specify a new AWS KMS encryption key to use to encrypt the copy, you can do so using this parameter. + **--copy-tags** — Optional. The tags and values to be copied over. To cancel a copy operation once it's in progress, you can delete the target cluster snapshot identified by `--target-db-cluster-snapshot-identifier` or `TargetDBClusterSnapshotIdentifier` while that cluster snapshot is in **copying** status. **Example** **Example 1: Copy an unencrypted snapshot to the same Region** The following AWS CLI example creates a copy of `sample-cluster-snapshot` named `sample-cluster-snapshot-copy` in the same AWS Region as the source snapshot. When the copy is made, all tags on the original snapshot are copied to the snapshot copy. For Linux, macOS, or Unix: ``` aws docdb copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifier sample-cluster-snapshot \ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy \ --copy-tags ``` For Windows: ``` aws docdb copy-db-cluster-snapshot ^ --source-db-cluster-snapshot-identifier sample-cluster-snapshot ^ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ^ --copy-tags ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshot": { "AvailabilityZones": [ "us-east-1a", "us-east-1b", "us-east-1c" ], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot-copy", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2020-03-27T08:40:24.805Z", "Engine": "docdb", "Status": "copying", "Port": 0, "VpcId": "vpc-abcd0123", "ClusterCreateTime": "2020-01-10T22:13:38.261Z", "MasterUsername": "master-user", "EngineVersion": "4.0.0", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/sample-key-id", "DBClusterSnapshotArn": "arn:aws:rds:us-east-1:111122223333:cluster-snapshot:sample-cluster-snapshot-copy", "SourceDBClusterSnapshotArn": "arn:aws:rds:us-east-1:111122223333:cluster-snapshot:sample-cluster-snapshot" } } ``` **Example** **Example 2: Copy an unencrypted snapshot across AWS Regions** The following AWS CLI example creates a copy of `sample-cluster-snapshot`, which has the ARN `arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot`. This copy is named named `sample-cluster-snapshot-copy` and is in the AWS Region in which the command is run. For Linux, macOS, or Unix: ``` aws docdb copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot \ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ``` For Windows: ``` aws docdb copy-db-cluster-snapshot ^ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot ^ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshot": { "AvailabilityZones": [ "us-east-1a", "us-east-1b", "us-east-1c" ], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot-copy", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2020-04-29T16:45:51.239Z", "Engine": "docdb", "AllocatedStorage": 0, "Status": "copying", "Port": 0, "VpcId": "vpc-abc0123", "ClusterCreateTime": "2020-04-28T16:43:00.294Z", "MasterUsername": "master-user", "EngineVersion": "4.0.0", "LicenseModel": "docdb", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": false, "DBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot-copy", "SourceDBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot", } } ``` **Example** **Example 3: Copy an encrypted snapshot across AWS Regions** The following AWS CLI example creates a copy of `sample-cluster-snapshot` from the us-west-2 Region to the us-east-1 Region. This command is called in the us-east-1 Region. For Linux, macOS, or Unix: ``` aws docdb copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifier arn:aws:rds:us-west-2:123456789012:cluster-snapshot:sample-cluster-snapshot \ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy \ --source-region us-west-2 \ --kms-key-id sample-us-east-1-key ``` For Windows: ``` aws docdb copy-db-cluster-snapshot ^ --source-db-cluster-snapshot-identifier arn:aws:rds:us-west-2:123456789012:cluster-snapshot:sample-cluster-snapshot ^ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ^ --source-region us-west-2 ^ --kms-key-id sample-us-east-1-key ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshot": { "AvailabilityZones": [], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot-copy", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2020-04-29T16:45:53.159Z", "Engine": "docdb", "AllocatedStorage": 0, "Status": "copying", "Port": 0, "ClusterCreateTime": "2020-04-28T16:43:07.129Z", "MasterUsername": "chimera", "EngineVersion": "4.0.0", "LicenseModel": "docdb", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/0846496a-d48e-41c4-9353-86d8301d7e35", "DBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:sample-cluster-snapshot-copy", "SourceDBClusterSnapshotArn": "arn:aws:rds:us-west-2:123456789012:cluster-snapshot:sample-cluster-snapshot", } } ``` **Example** **Example 4: Copy an unencrypted shared snapshot across AWS Regions** The following AWS CLI example, account - `123456789012`, creates a copy of an unencrypted cluster snapshot `sample-cluster-snapshot` shared by account - `999999999999` from the us-east-1 Region to the us-west-2 Region. This command is called in the us-west-2 Region. For more information on sharing snapshots, see [Sharing a snapshot](backup_restore-share_cluster_snapshots.md#backup_restore-share_snapshots). For Linux, macOS, or Unix: ``` aws docdb copy-db-cluster-snapshot \ --region us-west-2 \ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot \ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ``` For Windows: ``` aws docdb copy-db-cluster-snapshot ^ --region us-west-2 ^ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot ^ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshots": [ { "AvailabilityZones": [], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot-copy", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2025-08-22T11:27:00.497000+00:00", "Engine": "docdb", "Status": "copying", "Port": 0, "ClusterCreateTime": "2024-07-02T16:44:50.246000+00:00", "MasterUsername": "master-user", "EngineVersion": "5.0.0", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": false, "DBClusterSnapshotArn": "arn:aws:rds:us-west-2:123456789012:cluster-snapshot:sample-cluster-snapshot-copy", "SourceDBClusterSnapshotArn": "arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot" } ] } ``` **Example** **Example 5: Copy an encrypted shared snapshot across AWS Regions** The following AWS CLI example, account - `123456789012` creates a copy of an encrypted cluster snapshot `sample-cluster-snapshot` shared by account - `999999999999` from the us-east-1 Region to the us-west-2 Region. The target snapshot is encrypted with a customer managed KMS key - `arn:aws:kms:us-west-2:123456789012:key/6c1f3264-1797-472b-ba37-03011e682d28`. This command is called in the us-west-2 Region. For more information on sharing snapshots, see [Sharing a snapshot](backup_restore-share_cluster_snapshots.md#backup_restore-share_snapshots). For Linux, macOS, or Unix: ``` aws docdb copy-db-cluster-snapshot \ --region us-west-2 \ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot \ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy \ --kms-key-id arn:aws:kms:us-west-2:123456789012:key/6c1f3264-1797-472b-ba37-03011e682d28 ``` For Windows: ``` aws docdb copy-db-cluster-snapshot ^ --region us-west-2 ^ --source-db-cluster-snapshot-identifier arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot ^ --target-db-cluster-snapshot-identifier sample-cluster-snapshot-copy ^ --kms-key-id arn:aws:kms:us-west-2:123456789012:key/6c1f3264-1797-472b-ba37-03011e682d28 ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshots": [ { "AvailabilityZones": [], "DBClusterSnapshotIdentifier": "sample-cluster-snapshot-copy", "DBClusterIdentifier": "sample-cluster", "SnapshotCreateTime": "2025-08-22T11:27:00.497000+00:00", "Engine": "docdb", "Status": "copying", "Port": 0, "ClusterCreateTime": "2024-07-02T16:44:50.246000+00:00", "MasterUsername": "master-user", "EngineVersion": "5.0.0", "SnapshotType": "manual", "PercentProgress": 0, "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/6c1f3264-1797-472b-ba37-03011e682d28", "DBClusterSnapshotArn": "arn:aws:rds:us-west-2:123456789012:cluster-snapshot:sample-cluster-snapshot-copy", "SourceDBClusterSnapshotArn": "arn:aws:rds:us-east-1:999999999999:cluster-snapshot:sample-cluster-snapshot" } ] } ``` **Note** For more information about encrypting snapshot copies, see [Copy cluster snapshot encryption](backup_restore-cluster_snapshot_considerations.md#backup_restore-encryption). For more information about encryption at rest, see [Encrypting Amazon DocumentDB data at rest](encryption-at-rest.md). ------ # Sharing Amazon DocumentDB cluster snapshots Sharing a cluster snapshot Using Amazon DocumentDB, you can share a manual cluster snapshot in the following ways: + Sharing a manual cluster snapshot, whether encrypted or unencrypted, enables authorized AWS accounts to copy the snapshot. + Sharing a manual cluster snapshot, whether encrypted or unencrypted, enables authorized AWS accounts to directly restore a cluster from the snapshot instead of taking a copy of it and restoring from that. **Note** To share an automated cluster snapshot, create a manual cluster snapshot by copying the automated snapshot, and then share that copy. This process also applies to AWS Backup–generated resources. You can share a manual snapshot with up to 20 other AWS accounts. You can also share an unencrypted manual snapshot as public, which makes the snapshot available to all accounts. When sharing a snapshot as public, ensure that none of your private information is included in any of your public snapshots. When sharing manual snapshots with other AWS accounts, and you restore a cluster from a shared snapshot using the AWS CLI or the Amazon DocumentDB API, you must specify the Amazon Resource Name (ARN) of the shared snapshot as the snapshot identifier. ## Sharing an encrypted snapshot The following restrictions apply to sharing encrypted snapshots: + You can't share encrypted snapshots as public. + You can't share a snapshot that has been encrypted using the default AWS KMS encryption key of the account that shared the snapshot. Follow these steps to share encrypted snapshots. 1. Share the AWS Key Management Service (AWS KMS) encryption key that was used to encrypt the snapshot with any accounts that you want to be able to access the snapshot. You can share AWS KMS encryption keys with another AWS accounts by adding the other accounts to the AWS KMS key policy. For details on updating a key policy, see [ Using Key Policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*. For an example of creating a key policy, see [Creating an IAM policy to enable copying of the encrypted snapshot](#backup_restore-share_encrypted_snapshots-create_key_policy) later in this topic. 1. Use the AWS CLI, [as shown below](#backup_restore-share_snapshots), to share the encrypted snapshot with the other accounts. ### Allowing access to an AWS KMS encryption key For another AWS account to copy an encrypted snapshot shared from your account, the account that you share your snapshot with must have access to the AWS KMS key that encrypted the snapshot. To allow another account access to an AWS KMS key, update the key policy for the AWS KMS key with the ARN of the account that you are sharing to as a principal in the AWS KMS key policy. Then allow the `kms:CreateGrant` action. After you give an account access to your AWS KMS encryption key, to copy your encrypted snapshot, that account must create an AWS Identity and Access Management (IAM) user if it doesn’t already have one. In addition, that account must also attach an IAM policy to that IAM user that allows the user to copy an encrypted snapshot using your AWS KMS key. The account must be an IAM user and cannot be a root AWS account identity due to AWS KMS security restrictions. In the following key policy example, user 123451234512 is the owner of the AWS KMS encryption key. User 123456789012 is the account that the key is being shared with. This updated key policy gives the account access to the AWS KMS key. It does this by including the ARN for the root AWS account identity for user 123456789012 as a principal for the policy, and by allowing the `kms:CreateGrant` action. ------ #### [ JSON ] **** ``` { "Id": "key-policy-1", "Version":"2012-10-17", "Statement": [ { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::123451234512:user/KeyUser", "arn:aws:iam::123456789012:root" ]}, "Action": [ "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*"}, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::123451234512:user/KeyUser", "arn:aws:iam::123456789012:root" ]}, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}} } ] } ``` ------ ### Creating an IAM policy to enable copying of the encrypted snapshot When the external AWS account has access to your AWS KMS key, the owner of that account can create a policy to allow an IAM user that is created for the account to copy an encrypted snapshot that is encrypted with that AWS KMS key. The following example shows a policy that can be attached to an IAM user for AWS account 123456789012. The policy enables the IAM user to copy a shared snapshot from account 123451234512 that has been encrypted with the AWS KMS key `c989c1dd-a3f2-4a5d-8d96-e793d082ab26` in the us-west-2 Region. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowUseOfTheKey", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": ["arn:aws:kms:us-west-2:123451234512:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"] }, { "Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": ["arn:aws:kms:us-west-2:123451234512:key/c989c1dd-a3f2-4a5d-8d96-e793d082ab26"], "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] } ``` ------ For details on updating a key policy, see [ Using Key Policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*. ## Sharing a snapshot You can share an Amazon DocumentDB manual cluster snapshot (or a copy of an automated snapshot) using the AWS Management Console or the AWS CLI: ------ #### [ Using the AWS Management Console ] To share a snapshot using the AWS Management Console, complete the following steps: 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Snapshots**. 1. Select the manual snapshot that you want to share. 1. In the **Actions** drop-down menu, choose Share. 1. Choose one of the following options for **DB snapshot visibility**: + If the source is unencrypted, choose **Public** to permit all AWS accounts to restore a cluster from your manual snapshot. Or choose **Private** to permit only AWS accounts that you specify to restore a cluster from your manual snapshot. **Warning** If you set **DB snapshot visibility** to **Public**, all AWS accounts can restore a cluster from your manual snapshot and have access to your data. Do not share any manual cluster snapshots that contain private information as **Public**. + If the source is encrypted, **DB snapshot visibility** is set as **Private** because encrypted snapshots can't be shared as public. **Note** Snapshots that have been encrypted with the default AWS KMS key can't be shared. 1. For **AWS Account ID**, enter the AWS account identifier for an account that you want to permit to restore a cluster from your manual snapshot, and then choose **Add**. Repeat to include additional AWS account identifiers, up to 20 AWS accounts. If you make an error when adding an AWS account identifier to the list of permitted accounts, you can delete it from the list by choosing **Delete** at the right of the incorrect AWS account identifier. ![\[Diagram: share snapshot preferences\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/share-snapshot.png) 1. After you have added identifiers for all of the AWS accounts that you want to permit to restore the manual snapshot, choose **Save** to save your changes. ------ #### [ Using the AWS CLI ] To share a snapshot using the AWS CLI, use the Amazon DocumentDB `modify-db-snapshot-attribute` operation. Use the `--values-to-add` parameter to add a list of the IDs for the AWS accounts that are authorized to restore the manual snapshot. The following example permits two AWS account identifiers, 123451234512 and 123456789012, to restore the snapshot named `manual-snapshot1`. It also removes the `all` attribute value to mark the snapshot as private. For Linux, macOS, or Unix: ``` aws docdb modify-db-cluster-snapshot-attribute \ --db-cluster-snapshot-identifier sample-cluster-snapshot \ --attribute-name restore \ --values-to-add '["123451234512","123456789012"]' ``` For Windows: ``` aws docdb modify-db-cluster-snapshot-attribute ^ --db-cluster-snapshot-identifier sample-cluster-snapshot ^ --attribute-name restore ^ --values-to-add '["123451234512","123456789012"]' ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshotAttributesResult": { "DBClusterSnapshotIdentifier": "sample-cluster-snapshot", "DBClusterSnapshotAttributes": [ { "AttributeName": "restore", "AttributeValues": [ "123451234512", "123456789012" ] } ] } } ``` To remove an AWS account identifier from the list, use the `--values-to-remove` parameter. The following example prevents AWS account ID 123456789012 from restoring the snapshot. For Linux, macOS, or Unix: ``` aws docdb modify-db-cluster-snapshot-attribute \ --db-cluster-snapshot-identifier sample-cluster-snapshot \ --attribute-name restore \ --values-to-remove '["123456789012"]' ``` For Windows: ``` aws docdb modify-db-cluster-snapshot-attribute ^ --db-cluster-snapshot-identifier sample-cluster-snapshot ^ --attribute-name restore ^ --values-to-remove '["123456789012"]' ``` Output from this operation looks something like the following. ``` { "DBClusterSnapshotAttributesResult": { "DBClusterSnapshotIdentifier": "sample-cluster-snapshot", "DBClusterSnapshotAttributes": [ { "AttributeName": "restore", "AttributeValues": [ "123451234512" ] } ] } } ``` ------ # Restoring from a cluster snapshot Amazon DocumentDB (with MongoDB compatibility) creates a cluster snapshot of your storage volume. You can create a new cluster by restoring from a cluster snapshot. When you restore the cluster, you provide the name of the cluster snapshot to restore from and a name for the new cluster that is created by the restore. You can't restore from a snapshot to an existing cluster because a new cluster is created when you restore. When you are restoring a cluster from a cluster snapshot: + This action restores only the cluster, and not the instances for that cluster. You must invoke the `create-db-instance` action to create instances for the restored cluster, specifying the identifier of the restored cluster in `--db-cluster-identifier`. You can create instances only after the cluster is *available*. + You cannot restore an encrypted snapshot to an unencrypted cluster. However, you can restore an unencrypted snapshot to an encrypted cluster by specifying the AWS KMS key. + To restore a cluster from an encrypted snapshot, you must have access to the AWS KMS key. **Note** You cannot restore a 3.6 cluster to a 4.0 cluster but you can migrate from one cluster version to another. For more information, go to [Migrating to Amazon DocumentDB](docdb-migration.md). ------ #### [ Using the AWS Management Console ] The following procedure shows how to restore an Amazon DocumentDB cluster from a cluster snapshot using the Amazon DocumentDB Management Console. 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Snapshots**, and then choose the button to the left of the snapshot that you want to use to restore a cluster. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. On the **Actions** menu, choose **Restore**. 1. On the **Restore snapshot** page, complete the **Configuration** section. 1. **Cluster identifier** — The name for the new cluster. You can accept the Amazon DocumentDB supplied name or type a name that you prefer. The Amazon DocumentDBsupplied name is in the format of `docdb-` plus a UTC timestamp; for example, `docdb-yyyy-mm-dd-hh-mm-ss`. 1. **Instance class** — The instance class for the new cluster. You can accept the default instance class or choose an instance class from the drop-down list. 1. **Number of instances** — The number of instances you want created with this cluster. You can accept the default of 3 instances (1 primary read/write and 2 read-only replicas) or choose the number of instances from the drop-down list. 1. For **Cluster storage configuration**, choose a storage option. **Note** **Amazon DocumentDB I/O-Optimized** storage configuration is only available on the Amazon DocumentDB 5.0 and 8.0 engine versions. 1. If you are satisfied with the cluster configuration, choose **Restore cluster** and wait while your cluster is restored. 1. If you prefer to change some configurations, such as specifying a non-default Amazon VPC or security group, choose **Show advanced settings** from the bottom left of the page, and then continue with the following steps. 1. Complete the **Network settings** section. + **Virtual Private Cloud (VPC)** — Accept the current VPC, or choose a VPC from the drop-down list. + **Subnet Group** — Accept the `default` subnet group, or choose one from the drop-down list. + **VPC Security Groups** — Accept the `default (VPC)` security group, or choose one from the list. 1. Complete the **Cluster options** section. + **Database port** — Accept the default port, `27017`, or use the up or down arrow to set the port that you want to use for application connections. 1. Complete the **Encryption** section. + **Encryption at rest** — If your snapshot is encrypted, these options are not available to you. If it is not encrypted, you can choose one of the following: + To encrypt all your cluster's data, choose **Enable encryption-at-rest**. If you choose this option, you must designate a KMS key. + To not encrypt your cluster's data, choose **Disable encryption-at-rest**. If you choose this option, you are finished with the encryption section. + **AWS KMS Key** — Choose one of the following from the drop-down list: + **(default) aws/rds** — The account number and AWS KMS key ID are listed following this option. + **Customer-managed key** — This option is available only if you created an IAM encryption key in the AWS Identity and Access Management (IAM) console. You can choose the key to encrypt your cluster. + **Enter a key ARN** — In the **ARN** box, enter the Amazon Resource Name (ARN) for your AWS KMS key. The format of the ARN is `arn:aws:kms:::key/`. 1. Complete the **Log exports** section. + **Select the log types to publish to CloudWatch** — Choose one of the following: + **Enabled** — Enables your cluster to export DDL logging to Amazon CloudWatch Logs. + **Disabled** — Prevents your cluster from exporting DDL logs to Amazon CloudWatch Logs. **Disabled** is the default. + **IAM role**—From the list, choose *RDS Service Linked Role*. 1. Complete the **Tags** section. + **Add Tag** — In the *Key* box, enter the name for the tag for your cluster. In the *Value* box, optionally enter the tag value. Tags are used with AWS Identity and Access Management (IAM) policies to manage access to Amazon DocumentDB resources and to control what actions can be applied to the resources. 1. Complete the **Deletion protection** section. + **Enable deletion protection** — Protects the cluster from being accidentally deleted. While this option is enabled, you can't delete the cluster. 1. Choose **Restore cluster**. ------ #### [ Using the AWS CLI ] To restore a cluster from a snapshot using the AWS CLI, use the `restore-db-cluster-from-snapshot` operation with the following parameters. For more information, see [RestoreDBClusterFromSnapshot](API_RestoreDBClusterFromSnapshot.md). + **--db-cluster-identifier** — Required. The name of the cluster that is created by the operation. A cluster by this name cannot exist before this operation. Cluster naming constraints: + Length is [1—63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters across Amazon RDS, Neptune, and Amazon DocumentDB per AWS account, per Region. + **--snapshot-identifier** — Required. The name of the snapshot used to restore from. A snapshot by this name must exist and be in the *available* state. + **--engine** — Required. Must be `docdb`. + **--storage-type standard \$1 iopt1** — Optional. Default: `standard`. + **--kms-key-id** — Optional. The ARN of the AWS KMS key identifier to use when restoring an encrypted snapshot or encrypting a cluster when restoring from an unencrypted snapshot. Supplying the AWS KMS key ID results in the restored cluster being encrypted with the AWS KMS key, whether or not the snapshot was encrypted. The format of the `--kms-key-id` is `arn:aws:kms:::key/`. If you do not specify a value for the `--kms-key-id` parameter, then the following occurs: + If the snapshot in `--snapshot-identifier` is encrypted, then the restored cluster is encrypted using the same AWS KMS key that was used to encrypt the snapshot. + If the snapshot in `--snapshot-identifier` is not encrypted, then the restored cluster is not encrypted. For Linux, macOS, or Unix: ``` aws docdb restore-db-cluster-from-snapshot \ --db-cluster-identifier sample-cluster-restore \ --snapshot-identifier sample-cluster-snapshot \ --engine docdb \ --kms-key-id arn:aws:kms:us-east-1:123456789012:key/SAMPLE-KMS-KEY-ID ``` For Windows: ``` aws docdb restore-db-cluster-from-snapshot ^ --db-cluster-identifier sample-cluster-restore ^ --snapshot-identifier sample-cluster-snapshot ^ --engine docdb ^ --kms-key-id arn:aws:kms:us-east-1:123456789012:key/SAMPLE-KMS-KEY-ID ``` Output from this operation looks something like the following. ``` { "DBCluster": { "AvailabilityZones": [ "us-east-1c", "us-east-1b", "us-east-1a" ], "BackupRetentionPeriod": 1, "DBClusterIdentifier": "sample-cluster-restore", "DBClusterParameterGroup": "default.docdb4.0", "DBSubnetGroup": "default", "Status": "creating", "Endpoint": "sample-cluster-restore.cluster-node.us-east-1.docdb.amazonaws.com", "ReaderEndpoint": "sample-cluster-restore.cluster-node.us-east-1.docdb.amazonaws.com", "MultiAZ": false, "Engine": "docdb", "EngineVersion": "4.0.0", "Port": 27017, "MasterUsername": "", "PreferredBackupWindow": "02:00-02:30", "PreferredMaintenanceWindow": "tue:09:50-tue:10:20", "DBClusterMembers": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-abcdefgh", "Status": "active" } ], "HostedZoneId": "ABCDEFGHIJKLM", "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1::key/", "DbClusterResourceId": "cluster-ABCDEFGHIJKLMNOPQRSTUVWXYZ", "DBClusterArn": "arn:aws:rds:us-east-1::cluster:sample-cluster-restore", "AssociatedRoles": [], "ClusterCreateTime": "2020-04-01T01:43:40.871Z", "DeletionProtection": true } } ``` After the cluster status is *available*, create at least one instance for the cluster. For Linux, macOS, or Unix: ``` aws docdb create-db-instance \ --db-cluster-identifier sample-cluster-restore \ --db-instance-identifier sample-cluster-restore-instance \ --availability-zone us-east-1b \ --promotion-tier 2 \ --db-instance-class db.r5.large \ --engine docdb ``` For Windows: ``` aws docdb create-db-instance ^ --db-cluster-identifier sample-cluster-restore ^ --db-instance-identifier sample-cluster-restore-instance ^ --availability-zone us-east-1b ^ --promotion-tier 2 ^ --db-instance-class db.r5.large ^ --engine docdb ``` Output from this operation looks something like the following. ``` { "DBInstance": { "DBInstanceIdentifier": "sample-cluster-restore-instance", "DBInstanceClass": "db.r5.large", "Engine": "docdb", "DBInstanceStatus": "creating", "PreferredBackupWindow": "02:00-02:30", "BackupRetentionPeriod": 1, "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-abcdefgh", "Status": "active" } ], "AvailabilityZone": "us-west-2b", "DBSubnetGroup": { "DBSubnetGroupName": "default", "DBSubnetGroupDescription": "default", "VpcId": "vpc-6242c31a", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-abcdefgh", "SubnetAvailabilityZone": { "Name": "us-west-2a" }, "SubnetStatus": "Active" }, { ... } ] }, "PreferredMaintenanceWindow": "fri:09:43-fri:10:13", "PendingModifiedValues": {}, "EngineVersion": "4.0.0", "AutoMinorVersionUpgrade": true, "PubliclyAccessible": false, "DBClusterIdentifier": "sample-cluster-restore", "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1::key/", "DbiResourceId": "db-ABCDEFGHIJKLMNOPQRSTUVWXYZ", "CACertificateIdentifier": "rds-ca-2019", "PromotionTier": 2, "DBInstanceArn": "arn:aws:rds:us-east-1::db:sample-cluster-restore-instance" } } ``` ------ # Restoring to a point in time You can restore a cluster to any point in time that is within the cluster's backup retention period using the AWS Management Console or AWS Command Line Interface (AWS CLI). **Note** You cannot conduct a point-in-time restore of a 3.6 cluster to a 4.0 cluster but you can migrate from one cluster version to another. For more information, go to [Migrating to Amazon DocumentDB](docdb-migration.md). Keep the following in mind when restoring a cluster to a point in time. + The new cluster is created with the same configuration as the source cluster, except that the new cluster is created with the default parameter group. To set the new cluster's parameter group to the source cluster's parameter group, modify the cluster after it is *available*. For more information on modifying a cluster, see [Modifying an Amazon DocumentDB cluster](db-cluster-modify.md). ------ #### [ Using the AWS Management Console ] You can restore a cluster to a point-in-time within its backup retention period by completing the following using the AWS Management Console. 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Clusters**. In the list of clusters, choose the button to the left of the cluster that you want to restore. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. On the **Actions** menu, choose **Restore to point in time**. 1. Complete the **Restore time** section, which specifies the date and time to restore to. 1. **Restore date**—Choose or enter a date that is between the **Earliest restore time** and the **Latest restore time**. 1. **Restore time**—Choose or enter the hour, minute, and seconds that are between the **Earliest restore time** and the **Latest restore time**. 1. Complete the **Configuration** section. 1. **Cluster identifier** — Accept the default identifier, or enter an identifier that you prefer. Cluster naming constraints: + Length is [1—63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters across Amazon RDS, Neptune and Amazon DocumentDB per AWS account, per Region. 1. **Instance class** — From the drop-down list, choose the instance class that you want for the cluster's instances. 1. **Number of instances** — From the drop-down list, choose the number of instances that you want created when the cluster is restored. 1. For **Cluster storage configuration**, choose a storage option. **Note** **Amazon DocumentDB I/O-Optimized** storage configuration is only available on the Amazon DocumentDB 5.0 and 8.0 engine versions. 1. Optional. To configure the network settings, cluster options, and enable log exports, choose **Show advanced settings**, and then complete the following sections. Otherwise, continue with the next step. + **Network settings** 1. **Virtual Private Cloud (VPC)** — From the drop-down list, choose the VPC that you want to use for this cluster. 1. **Subnet group** — From the drop-down list, choose the subnet group for this cluster. 1. **VPC security groups** — From the drop-down list, choose the VPC security groups for this cluster.   + **Cluster options** 1. **Port** — Accept the default port (27017), or use the up and down arrows to set the port for communicating with this cluster.   + **Log exports** 1. **Audit logs** — Select this option to enable exporting audit logs to Amazon CloudWatch Logs. If you select this option, you must enable `audit_logs` in the cluster's custom parameter group. For more information, see [Auditing Amazon DocumentDB events](event-auditing.md). 1. **Profiler logs** — Select this option to enable exporting operation profiler logs to Amazon CloudWatch Logs. If you select this option, you must also modify the following parameters in the cluster's custom parameter group: + `profiler` — Set to `enabled`. + `profiler_threshold_ms` — Set to a value `[0-INT_MAX]` to set the threshold for profiling operations. + `profiler_sampling_rate` — Set to a value `[0.0-1.0]` to set the percentage of slow operations to profile. For more information, see [Profiling Amazon DocumentDB operations](profiling.md). 1. **Profiler logs** — Export profiler logs to Amazon CloudWatch 1. **IAM role** — From the drop-down list, choose *RDS Service Linked Role*. + **Tags** 1. **Add Tag** — In the *Key* box, enter the name for the tag for your cluster. In the *Value* box, optionally enter the tag value. Tags are used with AWS Identity and Access Management (IAM) policies to manage access to Amazon DocumentDB resources and to control what actions can be applied to the resources. + **Deletion protection** 1. **Enable deletion protection** — Protects the cluster from being accidentally deleted. While this option is enabled, you can't delete the cluster. 1. To restore the cluster, choose **Create cluster**. Alternatively, you can choose **Cancel** to cancel the operation. ------ #### [ Using the AWS CLI ] To restore a cluster to a point in time using the snapshot's backup retention period, use the `restore-db-cluster-to-point-in-time` operation with the following parameters. + **--db-cluster-identifier**— Required. The name of the new cluster to be created. This cluster cannot exist before the operation. The parameter value must meet the following constraints. Cluster naming constraints: + Length is [1—63] letters, numbers, or hyphens. + First character must be a letter. + Cannot end with a hyphen or contain two consecutive hyphens. + Must be unique for all clusters across Amazon RDS, Neptune and Amazon DocumentDB per AWS account, per Region. + **--restore-to-time** — The UTC date and time to restore the cluster to. For example, `2018-06-07T23:45:00Z`. Time Constraints: + Must be before the latest restorable time for the cluster. + Must be specified if the `--use-latest-restorable-time` parameter is not provided. + Cannot be specified if the `--use-latest-restorable-time` parameter is `true`. + Cannot be specified if the `--restore-type` parameter value is `copy-on-write`. + **--source-db-cluster-identifier** — The name of the source cluster from which to restore. This cluster must exist and be available. + **--use-latest-restorable-time** or **--no-use-latest-restorable-time** — Whether to restore to the latest restorable backup time. Cannot be specified if the `--restore-to-time` parameter is provided. + **--storage-type standard \$1 iopt1** — Optional. Default: `standard`. The AWS CLI operation `restore-db-cluster-to-point-in-time` only restores the cluster, not the instances for that cluster. You must invoke the `create-db-instance` operation to create instances for the restored cluster, specifying the identifier of the restored cluster in `--db-cluster-identifier`. You can create instances only after the `restore-db-cluster-to-point-in-time` operation has completed and the restored cluster is *available*. **Example** The following example creates `sample-cluster-restored` from the snapshot `sample-cluster-snapshot` to the latest restorable time. For Linux, macOS, or Unix: ``` aws docdb restore-db-cluster-to-point-in-time \ --db-cluster-identifier sample-cluster-restored \ --source-db-cluster-identifier sample-cluster-snapshot \ --use-latest-restorable-time ``` For Windows: ``` aws docdb restore-db-cluster-to-point-in-time ^ --db-cluster-identifier sample-cluster-restored ^ --source-db-cluster-identifier sample-cluster-snapshot ^ --use-latest-restorable-time ``` **Example** The following example creates `sample-cluster-restored` from the snapshot `sample-cluster-snapshot` to 03:15 on December 11, 2018 (UTC), which is within the backup retention period of `sample-cluster`. For Linux, macOS, or Unix: ``` aws docdb restore-db-cluster-to-point-in-time \ --db-cluster-identifier sample-cluster-restore \ --source-db-cluster-identifier sample-cluster \ --restore-to-time 2020-05-12T03:15:00Z ``` For Windows: ``` aws docdb restore-db-cluster-to-point-in-time ^ --db-cluster-identifier sample-cluster-restore ^ --source-db-cluster-identifier sample-cluster ^ --restore-to-time 2020-05-12T03:15:00Z ``` Output from this operation looks something like the following. ``` { "DBCluster": { "AvailabilityZones": [ "us-east-1c", "us-west-2b", "us-west-2a" ], "BackupRetentionPeriod": 1, "DBClusterIdentifier": "sample-cluster-restored", "DBClusterParameterGroup": "sample-parameter-group", "DBSubnetGroup": "default", "Status": "creating", "Endpoint": "sample-cluster-restored.node.us-east-1.docdb.amazonaws.com", "ReaderEndpoint": "sample-cluster-restored.node.us-east-1.docdb.amazonaws.com", "MultiAZ": false, "Engine": "docdb", "EngineVersion": "4.0.0", "Port": 27017, "MasterUsername": "master-user", "PreferredBackupWindow": "02:00-02:30", "PreferredMaintenanceWindow": "tue:09:50-tue:10:20", "DBClusterMembers": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-abc0123", "Status": "active" } ], "HostedZoneId": "ABCDEFGHIJKLM", "StorageEncrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1::key/sample-key", "DbClusterResourceId": "cluster-ABCDEFGHIJKLMNOPQRSTUVWXYZ", "DBClusterArn": "arn:aws:rds:us-east-1::cluster:sample-cluster-restored", "AssociatedRoles": [], "ClusterCreateTime": "2020-04-24T20:14:36.713Z", "DeletionProtection": false } } ``` ------ # Deleting a cluster snapshot Deleting a cluster snapshot A manual snapshot is a full backup that is deleted only when you manually delete it using the AWS Management Console or AWS CLI. You cannot manually delete an automatic snapshot because automatic snapshots are deleted only when the snapshot's retention period expires or you delete the snapshot's cluster. ------ #### [ Using the AWS Management Console ] To delete a manual cluster snapshot using the AWS Management Console, complete the following steps. 1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at [https://console.aws.amazon.com/docdb](https://console.aws.amazon.com/docdb). 1. In the navigation pane, choose **Snapshots**. **Tip** If you don't see the navigation pane on the left side of your screen, choose the menu icon (![\[Hamburger menu icon with three horizontal lines.\]](http://docs.aws.amazon.com/documentdb/latest/developerguide/images/docdb-menu-icon.png)) in the upper-left corner of the page. 1. In the list of snapshots, choose the button to the left of the snapshot that you want to delete. The snapshot's type must be **manual**. 1. You can verify that that the snapshot's type is **manual** by checking if it is listed as `manual` or `automatic` under the **Type** column. 1. From the **Actions** menu, choose **Delete**. If the **Delete** option is unavailable, you probably chose an automatic snapshot. 1. On the delete confirmation screen, to delete the snapshot, choose **Delete**. To keep the snapshot, choose **Cancel**. ------ #### [ Using the AWS CLI ] An Amazon DocumentDB manual cluster snapshot is a full backup that you can manually delete using the AWS CLI. You cannot manually delete an automatic snapshot. To delete a manual cluster snapshot using the AWS CLI, use the `delete-db-cluster-snapshot` operation with the following parameters. **Parameters** + **--db-cluster-snapshot-identifier** — Required. The name of the manual snapshot to delete. The following example deletes the cluster snapshot `sample-cluster-snapshot`. For Linux, macOS, or Unix: ``` aws docdb delete-db-cluster-snapshot \ --db-cluster-snapshot-identifier sample-cluster-snapshot ``` For Windows: ``` aws docdb delete-db-cluster-snapshot ^ --db-cluster-snapshot-identifier sample-cluster-snapshot ``` Output from this operation lists the details of the cluster snapshot you deleted. ------