How To Copy Encrypted AWS EBS Snapshots Across Accounts

How To Copy Encrypted AWS EBS Snapshots Across Accounts
A detailed guide on how to perform an encrypted copy of AWS EBS snapshots across different accounts. Step-by-step instructions showing how to encrypt, share and copy AWS EBS snapshots.
Share This Post

Data security is an essential requirement when storing data on the cloud. AWS offers various types of storage including EBS that offers persistent data storage. Along with persistence, EBS also provides an easy way to encrypt your data using a 256-bit key-based encryption mechanism.

The AWS EBS-managed encryption helps the user get rid of tasks such as creating, managing, and securing your own key management service. AWS EBS encryption uses AWS’ own key management service – known as AWS KMS and AWS KMS customer master keys (CMK) – to create encrypted volumes and snapshots of the encrypted volumes.

If you have an unencrypted volume, you can always migrate the data to an encrypted volume.  Since encrypted volumes are created by a specific CMK, if the user wants to share the snapshot with another AWS account, that user needs to first share the CMK with the intended account.

The easier way to copy EBS across accounts
Try N2WS Backup & Recovery to:

When a user creates an encrypted EBS volume, the encryption happens on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage. When this encrypted EBS volume is attached to a supported instance type, AWS encrypts all the data at rest inside the volume. It also encrypts the data moving between the volume and the instance.

If a snapshot is created from this encrypted volume, that volume will be encrypted as well. In this article, we will show you how to copy the encrypted Amazon EBS snapshots from one AWS account to another. For the first step, the user should create an encryption key in a source AWS account. The key can be created from the IAM console.

encrypted snapshots 01

Using the CLI –    First create the Encryption Key with below command:

aws kms create-key --description "key for AWS Snapshot Copy"
encrypted snapshots 02

Now attach an alias with the above created key:

aws kms create-alias --alias-name alias/n2ws-backup --target-key-id d81ba610-48f8-434f-bbc8-ca29a031f9e2
encrypted snapshots 03

To find whether above alias was attached correctly list all keys:

aws kms list-aliases
encrypted snapshots 04

To find whether above alias was attached correctly list all keys:

aws kms list-aliases
encrypted snapshots 05

The CLI to create a volume for this step is done like so:

aws ec2 create-volume --size 5 --volume-type gp2 --kms-key-id arn:aws:kms:us-east-1:067302926475:key/d81ba610-48f8-434f-bbc8-ca29a031f9e2 --availability-zone us-east-1a --encrypted
encrypted snapshots 06

Create the snapshot of the encrypted volume.

encrypted snapshots 07

With CLI, type the command:

aws ec2 create-snapshot --volume-id vol-3b558cee
encrypted snapshots 08

Check all of the details of the snapshot from AWS console.

encrypted snapshots 09

All of the above steps are common when creating these snapshots. Once the snapshot is created, AND before you share the snapshot with your target account, first share the encryption key with your target account. Go to the IAM console, select the key, and share it with the target account.

encrypted snapshots 10

You can also create a policy and attach policy with key where you provide access to external account. The sample policy will look as below

{ "Version": "2012-10-17", "Id": "key-default-1", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::0XXXXX926475:root", "arn:aws:iam::0XXXXX926475:user/ABCD", "arn:aws:iam::0YYYYY628926:root" ]
"Action": "kms:*",
"Resource": "*"
} ]

In the above command, the accounts with XXXX are current account while the account with YYYY is an external account with which we are sharing key.

After the above custom encryption key is shared, you can share the snapshot of the encrypted volume with the target account. Remember that you can never make the encrypted snapshot public as it requires a key to be used by the target account.

encrypted snapshots 11

The CLI to do this is:

aws ec2 modify-snapshot-attribute --snapshot-id snap-349f01a8 --attribute createVolumePermission --operation add --user-ids 0YYYYY628926
encypted snapshots 18

Log in to the target account, go to the snapshot in the EC2 console, and select the private snapshots option.

It will also list the snapshot of the source account.

encrypted snapshots 12

To list the snapshot in the target account, run the CLI with credentials (access / secret access keys) of the target account:

aws ec2 describe-snapshots --snapshot-id snap-349f01a8
encrypted snapshots 13

You cannot create a new volume from this snapshot.

Instead, you have to create a copy of this snapshot in your target account. Since the first snapshot is also encrypted, the copy snapshot will be encrypted too. Create your own encryption key in the target account.

encrypted snapshots 14

Create a copy of the snapshot in the target account. Use the encryption key of the target account.

encrypted snapshots 15

With CLI run command:

aws ec2 copy-snapshot --source-region us-east-1 --source-snapshot-id snap-349f01a8 --destination-region us-east-1 --kms-key-id arn:aws:kms:us-east-1:067302926475:key/d81ba610-48f8-434f-bbc8-ca29a031f9e2 --encrypted
encrypted snapshots 16

The above step will complete the copy process of an encrypted snapshot to a target account.

encrypted snapshots 17

If required, use this newly created snapshot copy to create a new volume.
It is important to note that:

  1. AWS does not allow you to share snapshots that were created by a default CMK. This is  the reason that a user must create his own CMK before encrypting the volume / snapshot.
  2. Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted.
  3. Remember that when you share the snapshot, you are sharing the data of volume. Be careful when providing the target account ID that you only share it with trusted entities.
  4. Since we have used an encrypted key of the target account, this key provides an additional level of isolation between the two accounts. As a part of the copy operation, the data will be re-encrypted using the new target account key.
  5. The user in the target account that performs copy options should have respective IAM permissions such as DescribeKey, CreateGrant, Encrypt, and Descrypt in addition to the EBS snapshot level permission.

In this article, we walked through how you can share an encrypted snapshot with any AWS account by sharing the key (CMK) with the target account.

Remember —the encrypted snapshot cannot be made public. When the target account is granted AWS cross-account access permission, the user of that target account can then copy a snapshot to his own account and create a new volume. During this time, the original snapshot remains unaffected.

N2WS Backup & Recovery is an enterprise-class backup/recovery and disaster recovery solution for EC2. It is a software product that uses EBS volumes and RDS databases to automatically take snapshots at regular intervals. Additionally, you can set up policies and schedule backups for various targets.

You might also like:

Next step

The easier way to copy EBS across accounts

Allowed us to save over $1 million in the management of AWS EBS snapshots...

N2WS vs AWS Backup

Why chose N2WS over AWS Backup? Find out the critical differences here.

N2WS in comparison to AWS Backup, offers a single console to manage backups across accounts or clouds. Here is a stylized screenshot of the N2WS dashboard.

Try N2WS for Free