Open jkovolski opened 6 years ago
Since the snapshot would be encrypted by default, you would need to add something similar to this in the CFT.

```yaml
iampolicyKMSPermissions:
  Type: "AWS::IAM::ManagedPolicy"
  Properties:
    Description: >-
      IAM Managed Policy to allow to create and delete Snapshots for DB Instances and Clusters
    Path: '/RDS-Backup-Tool/'
    ManagedPolicyName: managed_policy_rds_backup_tool_kms
    PolicyDocument:
      # Quoted so the YAML parser keeps it as a string rather than a date
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:DescribeKey'
          Resource: '*'
```
Then update the role that the lambda is using with the updated policy.

```yaml
iamroleSnapshotsRDS:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - !Ref iampolicyRDSPermissions
      - !Ref iampolicyKMSPermissions   # the new KMS policy defined above
      - !Ref iampolicyLambdaLogs
      - !Ref iampolicyDynamoDB
      - !Ref iampolicySNSEmail
      - !Ref iampolicyS3
```
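The managed policy in the comment above grants the KMS actions on `Resource: '*'`, which is every key in the account. As an added example (not code from this issue or from the project), the following Python script flags such wildcard KMS grants in an IAM policy document and rewrites them to a single CMK ARN with a `kms:ViaService` condition, so the key can only be used on the role's behalf by RDS. The key ARN, account id and region are placeholder assumptions, and the sample policy document is constructed to mirror the YAML posted in the comment.

```python
"""Lint an IAM policy document for KMS grants on Resource "*" and rewrite them
to a least-privilege form scoped to one customer managed key (CMK).

Added example; not from the issue or the project.  KEY_ARN and REGION are
placeholders, and SAMPLE_POLICY_DOCUMENT is constructed to mirror the
ManagedPolicy in the comment above.
"""
import copy
import json

# Placeholders: hypothetical account id, region and key id.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
REGION = "us-east-1"

# Constructed: the PolicyDocument from the comment, expressed as JSON.
SAMPLE_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
            ],
            "Resource": "*",
        }
    ],
}

# RDS performs the data-key operations on the caller's behalf when it encrypts
# a snapshot, so those can carry a kms:ViaService condition.  kms:DescribeKey
# may be called directly by the Lambda, so it is kept in a statement without it.
DIRECT_CALL_ACTIONS = {"kms:DescribeKey"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_kms_statements(policy_document):
    """Return indices of Allow statements granting any kms: action on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        grants_kms = any(a == "*" or a.lower().startswith("kms:") for a in actions)
        if grants_kms and "*" in resources:
            findings.append(idx)
    return findings


def scope_kms_statement(statement, key_arn, region):
    """Split one wildcard KMS statement into least-privilege statements.

    Returns a list: the service-mediated actions limited to key_arn and to
    requests made through RDS (kms:ViaService), plus, if present, a separate
    statement for actions the caller invokes directly (no ViaService).
    """
    actions = _as_list(statement.get("Action", []))
    via_service = [a for a in actions if a not in DIRECT_CALL_ACTIONS]
    direct = [a for a in actions if a in DIRECT_CALL_ACTIONS]
    scoped = []
    if via_service:
        scoped.append({
            "Effect": "Allow",
            "Action": via_service,
            "Resource": key_arn,
            "Condition": {
                "StringEquals": {"kms:ViaService": f"rds.{region}.amazonaws.com"}
            },
        })
    if direct:
        scoped.append({"Effect": "Allow", "Action": direct, "Resource": key_arn})
    return scoped


def harden_policy(policy_document, key_arn, region):
    """Return a copy of the document with every wildcard KMS grant scoped down."""
    hardened = copy.deepcopy(policy_document)
    wildcard = set(find_wildcard_kms_statements(policy_document))
    new_statements = []
    for idx, stmt in enumerate(hardened["Statement"]):
        if idx in wildcard:
            new_statements.extend(scope_kms_statement(stmt, key_arn, region))
        else:
            new_statements.append(stmt)
    hardened["Statement"] = new_statements
    return hardened


if __name__ == "__main__":
    print("wildcard KMS statements:", find_wildcard_kms_statements(SAMPLE_POLICY_DOCUMENT))
    print(json.dumps(harden_policy(SAMPLE_POLICY_DOCUMENT, KEY_ARN, REGION), indent=2))
```

The rewritten statements only take effect if the CMK's key policy also lets the account's IAM policies grant use of the key; an IAM-side grant alone does not authorise a KMS call. The `kms:ViaService` value must name the regional RDS endpoint, so the region is a parameter rather than a constant.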
Hi, I understand that this doesn't work with encrypted snapshots. Is there a specific reason for that or planned in a future release? Thanks!