
I have automated the RDS snapshot copy across regions, but snapshots that are encrypted fail to copy. I have figured out a way to copy an encrypted snapshot using:

$ aws rds copy-db-snapshot --source-db-snapshot-identifier arn:aws:rds:eu-west-1:XXXX:snapshot:XXX-2017-01-31-04-30 --target-db-snapshot-identifier mydbsnapshotcopy --kms-key-id XXX --region eu-central-1 --source-region eu-west-1

I want to filter/test the snapshots on whether they are encrypted or not; if they are encrypted, I will perform the operation defined above. I tried this, which is not working:

$ aws rds describe-db-snapshots  --filter "Name=encrypted,Values=true"

How do I list/filter all the encrypted snapshots and move them to a file?

2 Answers

Either use the --query attribute

aws rds describe-db-snapshots --query "DBSnapshots[?Encrypted].DBSnapshotIdentifier"

If the [?Encrypted] does not work, try [?Encrypted == 'true'], as the first is from JMESPath improved filters. The quotes might need to be backticks in some cases. It all depends.

Second way:

aws rds describe-db-snapshots --output json | jq '.DBSnapshots | map(select(.Encrypted)) | .[].DBSnapshotIdentifier'

One of them should work. It might need a bit of messing around, as I don't have your output to tune the jq command. Feel free to edit and fix the answer.

Jiri Klouda

You will require a script that interacts with the AWS CLI to accomplish your goal.

To list encrypted drives I use the following query when describing the DB snapshots: --query 'DBSnapshots[*].[DBSnapshotArn,Encrypted]'

I have put together the following script, which will look for all encrypted DB snapshots and then copy all of them to a different region. It can also be modified to copy unencrypted snapshots to a different region and then encrypt them.

I have explained the script in the comments. It is quite dirty... so feel free to improve it!

#!/usr/bin/env bash
#
# Copy encrypted or unencrypted DBSnapshots to an encrypted DBSnapshot in a different region
#

aws_profile=""
aws_source_region=""
aws_dest_region=""
aws_kms_key_id="" # Destination KMS key ID
num=1

# Write one "ARN<TAB>True|False" line per snapshot to a file
aws --profile "${aws_profile}" --region "${aws_source_region}" rds describe-db-snapshots \
  --query 'DBSnapshots[*].[DBSnapshotArn,Encrypted]' \
  --output text > rds-snapshots-list.txt

echo "Encrypted snapshots"
awk '{IGNORECASE=1}{if ($2 == "True") print}' rds-snapshots-list.txt # Show list of encrypted snapshots
echo "Unencrypted snapshots"
awk '{IGNORECASE=1}{if ($2 == "False") print}' rds-snapshots-list.txt # Show list of unencrypted snapshots

echo "Copying encrypted snapshots from ${aws_source_region} to ${aws_dest_region}"
while read -r source_snapshot_ident encrypted; do # Loop through the file, one snapshot per line
  if [[ "${encrypted}" == "True" ]]; then # Test the Encrypted column only, so "True" inside a snapshot name does not match
    # Name of target snapshot: drop the ARN prefix and the "rds:" prefix of automated snapshots, then add an incrementing number
    target_snapshot_ident="${source_snapshot_ident##*:snapshot:}"
    target_snapshot_ident="${target_snapshot_ident#rds:}snapshotcopy${num}"
    ((num++))

    aws --profile "${aws_profile}" --region "${aws_dest_region}" rds copy-db-snapshot \
      --source-db-snapshot-identifier "${source_snapshot_ident}" \
      --target-db-snapshot-identifier "${target_snapshot_ident}" \
      --source-region "${aws_source_region}" \
      --kms-key-id "${aws_kms_key_id}"
  fi
done < rds-snapshots-list.txt
Kyle Steenkamp
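A dry-run version of the filter-then-copy flow discussed in the answers above, as an added example that is not code from either answer: it reads tab-separated describe-db-snapshots text output, tests only the Encrypted column, skips snapshots that are not yet available, and prints the copy commands for review instead of running them. The snapshot ARNs, account ID, regions and KMS alias are constructed placeholders, and adding Status to the query is an assumption that goes beyond the original script.

```shell
#!/bin/sh
# Added example: dry-run planner for cross-region copies of encrypted RDS snapshots.
# Expected input (tab-separated), as produced by:
#   aws rds describe-db-snapshots --output text \
#     --query 'DBSnapshots[*].[DBSnapshotArn,Encrypted,Status]'

SRC_REGION="eu-west-1"                   # placeholder
DEST_REGION="eu-central-1"               # placeholder
KMS_KEY_ID="alias/placeholder-dest-key"  # placeholder: a key in the destination region

# Constructed sample lines standing in for real CLI output.
sample_snapshots() {
  printf '%s\t%s\t%s\n' \
    'arn:aws:rds:eu-west-1:111122223333:snapshot:rds:appdb-2017-01-31-04-30' True available \
    'arn:aws:rds:eu-west-1:111122223333:snapshot:manual-True-colors' False available \
    'arn:aws:rds:eu-west-1:111122223333:snapshot:billing-final' True creating
}

# target_name ARN: identifier for the copy. Drops the ARN prefix and the
# "rds:" prefix of automated snapshots (":" is not valid in an identifier).
target_name() {
  name="${1##*:snapshot:}"
  name="${name#rds:}"
  printf '%s-copy\n' "$name"
}

# plan_copies: read snapshot lines on stdin and print one copy command per
# encrypted, available snapshot. Only the Encrypted column is compared, so
# a snapshot whose name contains "True" is not mistaken for an encrypted one.
plan_copies() {
  while IFS="$(printf '\t')" read -r arn encrypted status; do
    [ "$encrypted" = "True" ] || continue
    # A snapshot that is still being created cannot be copied yet.
    [ "$status" = "available" ] || { echo "skip $arn (status: $status)" >&2; continue; }
    printf 'aws rds copy-db-snapshot --region %s --source-region %s --kms-key-id %s --source-db-snapshot-identifier %s --target-db-snapshot-identifier %s\n' \
      "$DEST_REGION" "$SRC_REGION" "$KMS_KEY_ID" "$arn" "$(target_name "$arn")"
  done
}

# Print the plan for the constructed sample; redirect to a file to keep it.
sample_snapshots | plan_copies
```

To use it on real data, pipe the describe-db-snapshots command from the header comment into plan_copies and redirect the output to a file.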