AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2026-03-07 · Documentation low

File: AmazonRDS/latest/UserGuide/USER_CopySnapshot.md

Summary

Added documentation for required KMS permissions when copying encrypted snapshots

Security assessment

Clarifies permissions needed for encryption operations but doesn't indicate a specific security vulnerability being addressed

Diff

diff --git a/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md b/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md
index 8b4aab32c..887a55761 100644
--- a//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md
+++ b//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md
@@ -409,0 +410,23 @@ For more information about AWS KMS key management for Amazon RDS, see [AWS KMS k
+#### Required permissions for copying encrypted snapshots
+
+To copy an encrypted DB snapshot, your user must have the following permissions to use Amazon RDS encryption.
+
+  * `kms:DescribeKey`
+
+  * `kms:CreateGrant`
+
+  * `kms:Decrypt`
+
+  * `kms:Encrypt`
+
+  * `kms:GenerateDataKey`
+
+  * `kms:GenerateDataKeyWithoutPlaintext`
+
+  * `kms:ReEncrypt`
+
+
+
+
+If you use IAM policy conditions to restrict AWS KMS grant operations, ensure your policy includes all operations required by Amazon RDS. If you receive a `KMSKeyNotAccessibleFault` error when copying an encrypted snapshot across Regions, verify that your IAM policy includes all required AWS KMS grant operations mentioned above.
+