Introduction

RDS snapshots can be shared with other AWS accounts for data migration, development, or disaster recovery. When sharing fails, especially for encrypted snapshots, the target account can't restore the database, blocking cross-account workflows.

Symptoms

Snapshot sharing failed:

```bash
$ aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-add 123456789012

An error occurred (InvalidParameter) when calling the ModifyDBSnapshotAttribute operation: Cannot share encrypted snapshot without sharing KMS key
```

Access denied for target account:

```bash
# From target account
$ aws rds describe-db-snapshots \
  --snapshot-type shared \
  --include-shared

# Empty result - can't see shared snapshots
```

KMS key sharing denied:

```bash
$ aws kms put-key-policy \
  --key-id my-key-id \
  --policy-name default \
  --policy file://policy.json

An error occurred (AccessDeniedException) when calling the PutKeyPolicy operation
```

Common Causes

  1. KMS key not shared - Encrypted snapshot requires key access in target account
  2. Snapshot not encrypted - Unencrypted snapshots have sharing limitations
  3. IAM permissions missing - Target account lacks snapshot restore permission
  4. Snapshot attribute wrong - Not configured for sharing
  5. Account not in share list - Target account ID not added
  6. KMS key policy restrictive - Key policy doesn't allow target account
  7. Snapshot in wrong state - Not fully available

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Check Snapshot Encryption

```bash
# Check if snapshot is encrypted
aws rds describe-db-snapshots \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshots[*].[Encrypted,KmsKeyId]'

# If encrypted, MUST share KMS key with target account
# If not encrypted, can share directly (with limitations)
```

Step 2: Share Unencrypted Snapshot

```bash
# For unencrypted snapshots
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-add 123456789012

# Verify sharing
aws rds describe-db-snapshot-attributes \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'
```

Step 3: Share KMS Key for Encrypted Snapshot

```bash
# Get KMS key ID from snapshot
aws rds describe-db-snapshots \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshots[0].KmsKeyId'

# Get current key policy
aws kms get-key-policy \
  --key-id KEY_ID \
  --policy-name default

# Update key policy to allow target account
# Add statement to allow target account to decrypt:
```

```json
{
  "Sid": "AllowTargetAccount",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET_ACCOUNT_ID:root"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

Apply key policy:

```bash
aws kms put-key-policy \
  --key-id KEY_ID \
  --policy-name default \
  --policy file://updated-policy.json
```
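Because `put-key-policy` replaces the entire policy document, `updated-policy.json` has to contain the existing statements plus the new one. The following is an added example (not part of the original article) that builds that document; the function name, the sample policy and the account IDs are assumptions made for illustration.

```python
import copy
import json
import re

SID = "AllowTargetAccount"              # Sid of the statement shown above
ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]

def add_target_account(policy, account_id):
    """Return a copy of `policy` that also lets `account_id` use the key.

    put-key-policy replaces the whole document, so every existing statement
    is carried over; only the AllowTargetAccount statement is added or extended.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    updated = copy.deepcopy(policy)
    statements = updated.get("Statement", [])
    if isinstance(statements, dict):    # a lone statement may be a bare object
        statements = [statements]
    updated["Statement"] = statements
    arn = f"arn:aws:iam::{account_id}:root"
    existing = next((s for s in statements if s.get("Sid") == SID), None)
    if existing is None:
        statements.append({"Sid": SID, "Effect": "Allow",
                           "Principal": {"AWS": [arn]},
                           "Action": list(ACTIONS), "Resource": "*"})
    else:
        principals = existing["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if arn not in principals:       # idempotent on repeated runs
            principals.append(arn)
        existing["Principal"]["AWS"] = principals
    return updated

# Constructed sample of a source-account key policy (account ID is made up).
CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootAccess", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*"},
]}

if __name__ == "__main__":
    print(json.dumps(add_target_account(CURRENT_POLICY, "123456789012"), indent=2))
```

In practice the input would be the JSON returned by `aws kms get-key-policy`, and the printed result is what goes into `updated-policy.json`.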

Step 4: Share Encrypted Snapshot

```bash
# After sharing KMS key, share the snapshot
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-add TARGET_ACCOUNT_ID

# Verify snapshot is shared
aws rds describe-db-snapshot-attributes \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues'
```

Step 5: Target Account - Verify Access

```bash
# From target account
aws rds describe-db-snapshots \
  --snapshot-type shared \
  --include-shared \
  --query 'DBSnapshots[*].[DBSnapshotIdentifier,DBSnapshotArn]'

# Should see the shared snapshot
```

Step 6: Target Account - Check IAM Permissions

```bash
# Target account needs these permissions:
# - rds:DescribeDBSnapshots
# - rds:RestoreDBInstanceFromDBSnapshot

# Verify current user has permissions
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier restored-instance \
  --db-snapshot-identifier arn:aws:rds:SOURCE_REGION:SOURCE_ACCOUNT:snapshot:my-snapshot
```

Step 7: Target Account - Restore Snapshot

```bash
# Restore shared snapshot (a shared snapshot is referenced by its full ARN)
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier restored-instance \
  --db-snapshot-identifier arn:aws:rds:us-west-2:SOURCE_ACCOUNT:snapshot:my-snapshot

# For encrypted snapshots, specify the KMS key by copying the shared
# snapshot under a key in the target account, then restore the copy
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier arn:aws:rds:us-west-2:SOURCE_ACCOUNT:snapshot:my-snapshot \
  --target-db-snapshot-identifier my-snapshot \
  --kms-key-id TARGET_KEY_ID

aws rds wait db-snapshot-available \
  --db-snapshot-identifier my-snapshot

aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier restored-instance \
  --db-snapshot-identifier my-snapshot
```

Step 8: Remove Snapshot Sharing

```bash
# Remove account from share list
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-remove TARGET_ACCOUNT_ID

# Remove KMS key access
# Update key policy to remove target account statement
```

Step 9: Share with All AWS Accounts (Public)

```bash
# WARNING: Share with all accounts (not recommended for production)
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-add all

# Better: Share only with the specific accounts that need it
# (the restore attribute takes AWS account IDs or "all")
aws rds modify-db-snapshot-attribute \
  --db-snapshot-identifier my-snapshot \
  --attribute-name restore \
  --values-to-add TARGET_ACCOUNT_ID
```

Step 10: Check Snapshot Status

```bash
# Snapshot must be "available" to share
aws rds describe-db-snapshots \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshots[*].Status'

# If status is "creating", wait for completion
aws rds wait db-snapshot-available \
  --db-snapshot-identifier my-snapshot
```

KMS Key Sharing Requirements

For encrypted snapshots, target account must have:

  1. KMS key policy allowing target account kms:Decrypt and kms:DescribeKey
  2. IAM policy allowing target account users kms:Decrypt
  3. Snapshot shared with target account
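The requirements above can be checked from the source account by comparing the snapshot's `restore` attribute values with the key policy. This is an added example, not from the original article: it reports accounts that are shared without key access, accounts that still have key access after being removed from the share list (Step 8), and public sharing (Step 9). Function names, the sample policy and account IDs are assumptions.

```python
import re

REQUIRED = {"kms:Decrypt", "kms:DescribeKey"}  # actions the key policy above grants

def _as_list(value):
    return value if isinstance(value, list) else [value]

def kms_allowed_accounts(policy):
    """Account IDs whose root principal is allowed every REQUIRED action.
    Matches exact action names and kms:* only; conditional statements are skipped."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if not (REQUIRED <= actions or "kms:*" in actions):
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for arn in arns:
            match = re.fullmatch(r"arn:aws:iam::(\d{12}):root", arn)
            if match:
                allowed.add(match.group(1))
    return allowed

def audit_share(restore_values, encrypted, key_policy, owner_account):
    """Compare the snapshot's restore attribute values with the key policy."""
    findings = []
    shared = set(restore_values)
    if "all" in shared:
        findings.append("PUBLIC: snapshot is restorable by every AWS account")
        shared.discard("all")
    if encrypted:
        key_accounts = kms_allowed_accounts(key_policy) - {owner_account}
        findings += [f"NO_KEY_ACCESS: {a} is shared but absent from the key policy"
                     for a in sorted(shared - key_accounts)]
        findings += [f"STALE_KEY_ACCESS: {a} can use the key but is not shared"
                     for a in sorted(key_accounts - shared)]
    return findings

# Constructed sample key policy (account IDs are made up).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootAccess", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*"},
    {"Sid": "AllowTargetAccount", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"]},
]}

if __name__ == "__main__":
    for line in audit_share(["222222222222"], True, KEY_POLICY, "111111111111"):
        print(line)
```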

Verification

```bash
# Source account - verify sharing
aws rds describe-db-snapshot-attributes \
  --db-snapshot-identifier my-snapshot \
  --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'

# Target account - verify access
aws rds describe-db-snapshots \
  --snapshot-type shared \
  --include-shared

# Target account - test restore (reference the shared snapshot by its ARN)
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier test-restore \
  --db-snapshot-identifier arn:aws:rds:SOURCE_REGION:SOURCE_ACCOUNT:snapshot:my-snapshot
```
