# Amazon EBS snapshot lock
You can lock your Amazon EBS snapshots to protect them against accidental or malicious deletions, or to store them in WORM (write-once-read-many) format for a specific duration. While a snapshot is locked, it can't be deleted by any user, regardless of their IAM permissions. You can continue to use a locked snapshot in the same way that you would use any other snapshot.
**Note**
Snapshot lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations. For more information about how snapshot lock relates to these regulations, see the [ Cohasset Associates Compliance Assessment](https://d1.awsstatic.com/Amazon-EBS-Cohasset-Assessment-2023-11-14-final.pdf).
You can lock snapshots in one of two modes: *compliance mode* or *governance mode*, and they can be locked for a specific duration or until a specific date. For more information, see [Lock mode](snapshot-lock-concepts.md#lock-mode) and [Lock duration](snapshot-lock-concepts.md#lock-duration).
**Pricing**
You can lock and unlock snapshots at no additional cost. You pay the standard Amazon EBS snapshot storage costs for locked snapshots.
**Topics**
+ [Concepts](snapshot-lock-concepts.md)
+ [Considerations](snapshot-lock-considerations.md)
+ [Control access](snapshot-lock-iam.md)
+ [Lock a snapshot](lock-snapshot.md)
+ [Unlock a snapshot](unlock-snapshot.md)
+ [Update snapshot lock settings](update-snapshot-lock.md)
+ [Monitor snapshot lock](monitor-snapshot-lock.md)
# Amazon EBS snapshot lock concepts
The following are important concepts to understand as you get started using snapshot lock.
**Contents**
+ [Lock mode](#lock-mode)
+ [Lock duration](#lock-duration)
+ [Cooling-off period](#cool-off)
+ [Lock state](#lock-state)
## Lock mode
You can lock a snapshot in one of two modes:
**Governance mode**
After a snapshot is locked, users with appropriate IAM permissions can unlock the snapshot and modify the lock mode and lock duration or expiry date at any time. When you lock a snapshot in governance mode, the snapshot is locked immediately; there is no cooling-off period. To delete a snapshot after it has been locked in governance mode, you must first unlock the snapshot or you must wait for the lock to expire.
You can use governance mode to meet your organization's data governance requirements by ensuring that only certain users have permission to unlock snapshots and modify snapshot lock configurations. You can also use governance mode to test your lock configuration before locking a snapshot in compliance mode.
**Compliance mode**
When you lock a snapshot in compliance mode, you can optionally specify a cooling-off period that starts immediately after you lock the snapshot. During the cooling-off period, users with appropriate permissions can unlock the snapshot, change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration or expiry date. After the cooling-off period expires, you can't unlock the snapshot, change the lock mode, or decrease the lock duration or expire date; you can only increase the lock duration or expiry date. To delete a snapshot after it has been locked in compliance and the cooling-off period has expired, you must wait for the lock to expire.
**Note**
You can lock a snapshot in compliance mode without a cooling-off period by omitting the cooling-off period in the request. If you do this, the lock becomes effective immediately, and you can't unlock the snapshot, change the lock mode, or decrease the lock duration or expire date; you can only increase the lock duration or expiry date.
You can use compliance mode to protect snapshots that should not be deleted for a specific period for compliance reasons. Compliance mode offers the following benefits:
+ It enables WORM (write-once, read-many) configuration for your snapshots.
+ It provides an additional layer of defense that protects snapshots from accidental or malicious deletions.
+ It enforces retention periods, which prevent early deletions by privileged users, to meet your organization's data protection policies and procedures.
**Note**
The only way to delete a snapshot that is locked in compliance mode before its lock expires is to close the associated AWS account.
## Lock duration
The lock duration is the period of time for which the snapshot is to remain locked. You can specify the lock duration as one of the following, but not both:
**Number of days**
The lock duration is specified as a number of days for which the snapshot is to remain locked. After the specified number of days has passed, the snapshot is automatically unlocked. The duration can range from 1 day to 36500 days (100 years).
**Lock expiration date**
The lock duration is determined by an expiration date in the future. The snapshot remains locked until the lock expiration date is reached. When the lock expiration date is reached, the snapshot is automatically unlocked.
## Cooling-off period
The cooling-off period is an optional period of time that you can specify when you lock a snapshot in compliance mode. During the cooling-off period, users with appropriate permissions can unlock the snapshot, change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration. After the cooling-off period expires, users can't unlock the snapshot, change the lock mode, reinstate the cooling-off period, or decrease the lock duration, regardless of their permissions.
A snapshot can't be deleted during the cooling-off period.
If specified, the cooling-off period starts immediately after you lock the snapshot. If omitted, the snapshot is locked in compliance mode immediately without a cooling-off period.
The cooling-off period can range from 1 to 72 hours. To lock a snapshot in compliance mode immediately without a cooling-off period, do not specify a cooling-off period in the request.
## Lock state
A snapshot lock can be in one of the following states:
+ `compliance-cooloff` — The snapshot has been locked in compliance mode but it is still within the cooling-off period. The snapshot can't be deleted, but it can be unlocked and the lock settings can be modified by users with appropriate permissions.
+ `governance` — The snapshot is locked in governance mode. The snapshot can't be deleted, but it can be unlocked and the lock settings can be modified by users with appropriate permissions.
+ `compliance` — The snapshot is locked in compliance mode without a cooling-off period or the cooling-off period has expired. The snapshot can't be unlocked or deleted. The lock duration can only be increased by users with appropriate permissions.
+ `expired` — The snapshot was locked in compliance or governance mode but the lock has expired. The snapshot is not locked and can be deleted.
# Considerations for Amazon EBS snapshot lock
Keep the following in mind when locking Amazon EBS snapshots.
+ You can lock a snapshot only if it is in the `pending` or `completed` state.
+ If you lock a snapshot while it is in the `pending` state, and you lock it for a specific duration, the lock duration starts only when the snapshot reaches the `completed` state. The snapshot can't be deleted while it is in the `pending` state.
+ If you lock a snapshot while it is in the `pending` state and the snapshot creation fails for any reason, the lock is canceled.
+ If you extend the lock duration for a snapshot that is locked in compliance mode after the cooling-off period has expired, you can't specify another cooling-off period. If you specify a cooling-off period, the request fails.
+ You can lock archived snapshots. And you can archive locked snapshots.
+ You can lock snapshots that are associated with an AMI.
+ You can deregister an AMI that has associated snapshots that are locked.
+ You can delete the KMS key used to encrypt a locked snapshot.
+ We recommend that you do not lock snapshots created by AWS Backup. AWS Backup already ensures that its snapshots are not deleted before their retention period expires. To add an additional layer of security for snapshots managed by AWS Backup, we recommend that you use AWS Backup Vault Lock. For more information, see [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html).
+ You can't lock snapshots during creation or during AMI registration.
+ You can't lock local Amazon EBS snapshots on AWS Outposts.
+ The only way to delete a snapshot that is locked in compliance mode before its lock expires is to close the associated AWS account.
If you close your AWS account while you have locked snapshots, AWS suspends your account for 90 days with your snapshots intact. If you do not reopen your account within the 90 days, AWS deletes your snapshots, even if they are locked.
# Control access to Amazon EBS snapshot lock
By default, users don't have permission to work with snapshot locks. To allow users to use snapshot locks, you must create IAM policies that grant permission to use specific resources and API actions. For more information, see [Creating IAM policies in the IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html).
**Topics**
+ [Required permissions](#snapshot-lock-req-perms)
+ [Restrict access with condition keys](#snapshot-lock-condition-keys)
## Required permissions
To work with snapshot locks, users need the following permissions.
+ `ec2:LockSnapshot` — To lock snapshots.
+ `ec2:UnlockSnapshot` — To unlock snapshots.
+ `ec2:DescribeLockedSnapshots` — To view snapshot lock settings.
The following is an example IAM policy that gives users permission to lock and unlock snapshots, and to view snapshot lock settings. It includes the `ec2:DescribeSnapshots` permission for console users. If some permissions are not needed, you can remove them from the policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSnapshotLockOperations",
"Effect": "Allow",
"Action": [
"ec2:LockSnapshot",
"ec2:UnlockSnapshot",
"ec2:DescribeLockedSnapshots",
"ec2:DescribeSnapshots"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:111122223333:volume/*"
]
}
]
}
```
------
To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:
Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
+ Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
+ (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
## Restrict access with condition keys
You can use condition keys to restrict how users are allowed to lock snapshots.
**Topics**
+ [ec2:SnapshotLockDuration](#snapshotlockduration)
+ [ec2:CoolOffPeriod](#cooloffperiod)
### ec2:SnapshotLockDuration
You can use the `ec2:SnapshotLockDuration` condition key to restrict users to specific lock durations when locking snapshots.
The following example policy restricts users to specifying a lock duration between `10` and `50` days.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSnapshotLockWithDurationCondition",
"Effect": "Allow",
"Action": "ec2:LockSnapshot",
"Resource": "arn:aws:ec2:*::snapshot/*",
"Condition": {
"NumericGreaterThan": {
"ec2:SnapshotLockDuration": 10
},
"NumericLessThan": {
"ec2:SnapshotLockDuration": 50
}
}
}
]
}
```
------
### ec2:CoolOffPeriod
You can use the `ec2:CoolOffPeriod` condition key to prevent users from locking snapshots in compliance mode without a cooling-off period.
The following example policy restricts users to specifying a cooling-off period greater than `48` hours when locking snapshots in compliance mode.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSnapshotLockWithCondition",
"Effect": "Allow",
"Action": "ec2:LockSnapshot",
"Resource": "arn:aws:ec2:*::snapshot/*",
"Condition": {
"NumericGreaterThan": {
"ec2:SnapshotTime": 48
}
}
}
]
}
```
------
# Lock an Amazon EBS snapshot
You can lock a snapshot that is in the `pending` or `completed` state. For more information, see [Considerations for Amazon EBS snapshot lock](snapshot-lock-considerations.md).
------
#### [ Console ]
**To lock a snapshot**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Snapshots**.
1. Select the snapshot to lock and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.
1. Select **Lock snapshot**.
1. For **Lock mode**, choose either **Governance mode** or **Compliance mode**. For more information, see [Lock mode](snapshot-lock-concepts.md#lock-mode).
1. For **Lock duration**, do one of the following:
+ To lock the snapshot for a specific period, choose **Lock snapshot for**, and then enter the period in either days or years.
+ To lock the snapshot until a specific date and time, choose **Lock snapshot until**, and then select the expiration date and time.
For more information, see [Lock duration](snapshot-lock-concepts.md#lock-duration).
1. (*Compliance mode only*) For **Cooling-off period**, specify a cooling-off period during which you can unlock the snapshot and modify the lock configuration. For more information, see [Cooling-off period](snapshot-lock-concepts.md#cool-off).
1. (*Compliance mode only*) To confirm that you want to lock the snapshot in compliance mode and that you will not be able to unlock the snapshot after the cooling-off period expires, choose **Acknowledge**.
1. Choose **Save lock settings**.
------
#### [ AWS CLI ]
**To lock a snapshot in governance mode**
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. For `--lock-mode`, specify `governance`. To lock the snapshot for a specific period, for `--lock-duration`, specify the period, in days.
```
aws ec2 lock-snapshot \
--snapshot-id snap-0abcdef1234567890 \
--lock-mode governance \
--lock-duration 30
```
To lock the snapshot until a specific date, for `--expiration-date`, specify the date and time at which the lock must expire, in the UTC time zone.
```
aws ec2 lock-snapshot \
--snapshot-id snap-0abcdef1234567890 \
--lock-mode governance \
--expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```
**To lock a snapshot in compliance mode**
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. For `--lock-mode`, specify `compliance`. For `--cool-off-period`, optionally specify a cooling-off period, in hours. To lock the snapshot for a specific period, for `--lock-duration`, specify the number of days to lock the snapshot.
```
aws ec2 lock-snapshot \
--snapshot-id snap-0abcdef1234567890 \
--lock-mode compliance \
--cool-off-period 24 \
--lock-duration 30
```
To lock the snapshot until a specific date, for `--expiration-date`, specify the date and time at which the lock must expire, in the UTC time zone.
```
aws ec2 lock-snapshot \
--snapshot-id snap-0abcdef1234567890 \
--lock-mode compliance \
--expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```
------
#### [ PowerShell ]
**To lock a snapshot in governance mode**
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. You can optionally specify the duration of the snapshot lock, in days.
```
Lock-EC2Snapshot `
-SnapshotId snap-0abcdef1234567890 `
-LockMode "governance" `
-LockDuration 30
```
Alternatively, you can lock the snapshot until a specific date, in the UTC time zone.
```
Lock-EC2Snapshot `
-SnapshotId snap-0abcdef1234567890 `
-LockMode "governance" `
-ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```
**To lock a snapshot in compliance mode**
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. You can optionally specify a cooling-off period, in hours. You can also optionally specify the duration of the snapshot lock, in days.
```
Lock-EC2Snapshot `
-SnapshotId snap-0abcdef1234567890 `
-LockMode "compliance" `
-CoolOffPeriod 24 `
-LockDuration 30
```
Alternatively, you can lock the snapshot until a specific date, in the UTC time zone.
```
Lock-EC2Snapshot `
-SnapshotId snap-0abcdef1234567890 `
-LockMode "compliance" `
-ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```
------
# Unlock an Amazon EBS snapshot
You can unlock a snapshot only if it is locked in governance mode, or if it is locked in compliance mode and it is still within the cooling-off period.
------
#### [ Console ]
**To unlock a snapshot**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Snapshots**.
1. Select the snapshot to unlock and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.
1. Choose **Unlock snapshot** and then choose **Unlock snapshot** again to confirm.
------
#### [ AWS CLI ]
**To unlock a snapshot**
Use the [unlock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/unlock-snapshot.html) command.
```
aws ec2 unlock-snapshot --snapshot-id snap-0abcdef1234567890
```
------
#### [ PowerShell ]
**To unlock a snapshot**
Use the [Unlock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Unlock-EC2Snapshot.html) cmdlet.
```
Unlock-EC2Snapshot -SnapshotId snap-0abcdef1234567890
```
------
# Update Amazon EBS snapshot lock settings
The allowed updates depend on the lock state:
+ `governance` — you can change the lock mode and increase or decrease the lock duration or expiration date.
+ `compliance-cooloff` — you can change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration or expiration date.
+ `compliance` — you can only increase the lock duration or expiration date.
------
#### [ Console ]
**To update snapshot lock settings**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Snapshots**.
1. Select the snapshot for which to modify the lock settings and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.
1. Update the settings as needed, and then choose **Save lock settings**.
------
#### [ AWS CLI ]
**To update snapshot lock settings**
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. Specify the ID of the snapshot and the options to modify. The following example changes the expiration date.
```
aws ec2 lock-snapshot \
--snapshot-id snap-0abcdef1234567890 \
--lock-mode governance \
--expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```
------
#### [ PowerShell ]
**To update snapshot lock settings**
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. Specify the ID of the snapshot and the options to modify. The following example changes the expiration date.
```
Lock-EC2Snapshot `
-SnapshoId snap-0abcdef1234567890 `
-LockMode "governance" `
-ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```
------
# Monitor Amazon EBS snapshot lock
You can monitor actions related to Amazon EBS snapshot lock using the following tools:
**Topics**
+ [Monitor using CloudTrail](#snapshot-lock-ct)
+ [Monitor using EventBridge](#snapshot-lock-ev)
## Monitor Amazon EBS snapshot locks using AWS CloudTrail
You can monitor API calls for snapshot locks as events, including calls from the console and from code calls to the APIs. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, who made the request, when it was made, and additional details.
For more information, see [Log API calls using AWS CloudTrail](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html).
## Monitor Amazon EBS snapshot locks using Amazon EventBridge
Amazon EBS emits events related to snapshot lock actions. You can use AWS Lambda and Amazon EventBridge to handle event notifications programmatically. Events are emitted on a best effort basis. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).
The following events are emitted:
+ Successfully locked snapshot in governance or compliance mode.
```
{
"version": "0",
"id": "01234567-01234-0123-0123-012345678901",
"detail-type": "EBS Snapshot Notification",
"source": "aws.ec2",
"account": "012345678901",
"time": "yyyy-mm-ddThh:mm:ssZ",
"region": "us-east-1",
"resources": [
"arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
],
"detail": {
"event": "lockSnapshot",
"result": "succeeded",
"snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef",
"source": 012345678901,
"lockState": "compliance-cooloff",
"lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ",
"lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ",
"lockDuration": 123,
"lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ",
"cooOffPeriod": 24,
"coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ"
}
}
```
+ Failed lock event when a snapshot is locked while it is in the `pending` state, and it fails to reach the `completed` state.
```
{
"version": "0",
"id": "01234567-01234-0123-0123-012345678901",
"detail-type": "EBS Snapshot Notification",
"source": "aws.ec2",
"account": "012345678901",
"time": "yyyy-mm-ddThh:mm:ssZ",
"region": "us-east-1",
"resources": [
"arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
],
"detail": {
"event": "lockSnapshot",
"result": "failed",
"cause": "snapshot failed",
"snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef",
"lockState": "pending-compliance",
"lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ",
"lockDuration": 123,
"lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ",
"cooOffPeriod": 24,
"coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ"
}
}
```
+ Lock expired
```
{
"version": "0",
"id": "01234567-01234-0123-0123-012345678901",
"detail-type": "EBS Snapshot Notification",
"source": "aws.ec2",
"account": "012345678901",
"time": "yyyy-mm-ddThh:mm:ssZ",
"region": "us-east-1",
"resources": [
"arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
],
"detail": {
"event": "lockDurationExpiry",
"result": "succeeded",
"snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef",
"lockState": "expired",
"lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ",
"lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ",
"lockDuration": 123
}
}
```
+ Cooling-off period expired after being locked in compliance mode.
```
{
"version": "0",
"id": "01234567-01234-0123-0123-012345678901",
"detail-type": "EBS Snapshot Notification",
"source": "aws.ec2",
"account": "012345678901",
"time": "yyyy-mm-ddThh:mm:ssZ",
"region": "us-east-1",
"resources": [
"arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
],
"detail": {
"event": "cooloffperiodExpiry",
"result": "succeeded",
"snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef",
"lockState": "compliance",
"lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ",
"lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ",
"lockDuration": 123,
"lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ",
"cooOffPeriod": 24,
"coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ"
}
}
```