

# Amazon EBS snapshots
<a name="ebs-snapshots"></a>

You can back up the data on your Amazon EBS volumes by making point-in-time copies, known as *Amazon EBS snapshots*. A snapshot is an **incremental backup**, which means that we save only the blocks on the volume that have changed since the most recent snapshot. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data.

**Important**  
AWS does not automatically back up the data stored on your EBS volumes. For data resiliency and disaster recovery, it is your responsibility to create EBS snapshots on a regular basis, or to set up automatic snapshot creation by using [Automate backups with Amazon Data Lifecycle Manager](snapshot-lifecycle.md) or [AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html).

Snapshots are stored in Amazon S3, in S3 buckets that you can't access directly. You can create and manage your snapshots using the Amazon EC2 console or the Amazon EC2 API. You can't access your snapshots using the Amazon S3 console or the Amazon S3 API.

Snapshot data is automatically replicated across all Availability Zones in the Region. This provides high availability and durability for snapshot data, and enables you to restore volumes in any Availability Zone in that Region.

Each snapshot contains all of the information that is needed to restore your data (from the moment when the snapshot was taken) to a new EBS volume. When you create an EBS volume from a snapshot, the new volume begins as an exact replica of the volume that was used to create the snapshot.

For more information, see the [Amazon EBS Snapshots](https://aws.amazon.com/ebs/snapshots/) product page.

**Snapshot events**  
You can track the status of your EBS snapshots through CloudWatch Events. For more information, see [EBS snapshot events](ebs-cloud-watch-events.md#snapshot-events).

**Snapshot pricing**  
Charges for your snapshots are based on the amount of data stored. Because snapshots are incremental, deleting a snapshot might not reduce your data storage costs. Data referenced exclusively by a snapshot is removed when that snapshot is deleted, but data referenced by other snapshots is preserved. For more information, see [Amazon Elastic Block Store Volumes and Snapshots](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/checklistforunwantedcharges.html#checkebsvolumes) in the *AWS Billing User Guide*.

**Topics**
+ [How Amazon EBS snapshots work](how_snapshots_work.md)
+ [Amazon EBS snapshot lifecycle](ebs-snapshot-lifecycle.md)
+ [Amazon EBS fast snapshot restore](ebs-fast-snapshot-restore.md)
+ [Amazon EBS snapshot lock](ebs-snapshot-lock.md)
+ [Block public access for Amazon EBS snapshots](block-public-access-snapshots.md)
+ [Amazon EBS local snapshots on Outposts](snapshots-outposts.md)
+ [Local snapshots in Local Zones](snapshots-localzones.md)

# How Amazon EBS snapshots work
<a name="how_snapshots_work"></a>

The first snapshot that you create from a volume is always a *full snapshot*. It includes all of the data blocks written to the volume at the time of creating the snapshot. Subsequent snapshots of the same volume are *incremental snapshots*. They include only changed and new data blocks written to the volume since the last snapshot was created.

The size of a full snapshot is determined by the size of the data being backed up, not the size of the source volume. Similarly, the storage costs associated with a full snapshot are determined by the size of the snapshot, not the size of the source volume. For example, you create the first snapshot of a `200 GiB` Amazon EBS volume that contains only `50 GiB` of data. This results in a full snapshot that is `50 GiB` in size, and you are billed for `50 GiB` snapshot storage.

Similarly, the size and storage costs of an incremental snapshot are determined by the size of any data that was written to the volume since the previous snapshot was created. Continuing the previous example, if you create a second snapshot of the same `200 GiB` volume after changing `20 GiB` of data and adding `10 GiB` of data, the incremental snapshot is `30 GiB` in size. You are then billed for that additional `30 GiB` snapshot storage.

For more information about snapshot pricing, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).

**Important**  
When you archive an incremental snapshot, it is converted to a full snapshot that includes all of the blocks written to the volume at the time that the snapshot was created. It is then moved to the Amazon EBS Snapshots Archive tier. Snapshots in the archive tier are billed at a different rate from snapshots in the standard tier. For more information, see [Pricing and billing for archiving Amazon EBS snapshots](snapshot-archive-pricing.md).

The following sections show how an EBS snapshot captures the state of a volume at a point in time, and how subsequent snapshots of a changing volume create a history of those changes.

 **Multiple snapshots of the same volume** 

The diagram in this section shows Volume 1, which is `15 GiB` in size, at three points in time. A snapshot is taken of each of these three volume states. The diagram specifically shows the following:
+ In **State 1**, the volume has `10 GiB` of data. **Snap A** is the first snapshot taken of the volume. **Snap A** is a full snapshot and the entire `10 GiB` of data is backed up.
+ In **State 2**, the volume still contains `10 GiB` of data, but only `4 GiB` have changed after **Snap A** was taken. **Snap B** is an incremental snapshot. It needs to back up only the `4 GiB` that changed. The other `6 GiB` of unchanged data, which are already backed up in **Snap A**, are *referenced* by **Snap B** rather than being backed up again. This is indicated by the dashed arrow.
+ In **State 3**, `2 GiB` of data have been added to the volume, for a total of `12 GiB`, after **Snap B** was taken. **Snap C** is an incremental snapshot. It needs to back up only the `2 GiB` that were added after **Snap B** was taken. As shown by the dashed arrows, **Snap C** also references the `4 GiB` of data stored in **Snap B**, and the `6 GiB` of data stored in **Snap A**.
+ The total storage required for the three snapshots is `16 GiB`. This accounts for `10 GiB` for **Snap A**, `4 GiB` for **Snap B**, and `2 GiB` for **Snap C**.

![\[Snapshots capturing an initial volume state and two subsequent states after data has been changed.\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot_1a.png)


 **Incremental snapshots of different volumes** 

The diagram in this section shows how incremental snapshots can be taken from different volumes.

1. **Vol 1**, which is `14 GiB` in size, has `10 GiB` of data. Because **Snap A** is the first snapshot taken of the volume, it is a full snapshot and the entire `10 GiB` of data is backed up.

1. **Vol 2** is created from **Snap A**, so it is an exact replica of **Vol 1** at the time the snapshot was taken.

1. Over time, `4 GiB` of data is added to **Vol 2** and the total size of its data is `14 GiB`.

1. **Snap B** is taken from **Vol 2**. For **Snap B**, only the `4 GiB` of data that was added after the volume was created from **Snap A** is backed up. The other `10 GiB` of unchanged data, which is already stored in **Snap A**, is referenced by **Snap B** instead of being backed up again.

   **Snap B** is an incremental snapshot of **Snap A**, even though it was created from a different volume.

**Important**  
The diagram assumes that you own **Vol 1** and **Snap A**, and that **Vol 2** is encrypted with the same KMS key as Vol 1. If **Vol 1** was owned by another AWS account and that account took **Snap A** and shared it with you, then **Snap B** would be a full snapshot. Or, if **Vol 2** was encrypted with a different KMS key than **Vol 1**, then **Snap B** would be a full snapshot.

![\[Snapshots capturing an initial volume state and two subsequent states after data has been changed.\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot_1c.png)


For more information about how data is managed when you delete a snapshot, see [Delete an Amazon EBS snapshot](ebs-deleting-snapshot.md).
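The block accounting in the two diagrams above, together with the deletion rule from the pricing note, can be reproduced with a small model. This is an added example, not AWS code: the `SnapshotStore` class, the 1 GiB block granularity, and the explicit `parent` argument are assumptions made for illustration.

```python
class SnapshotStore:
    """Toy model: a volume is {block index: content version}, 1 block = 1 GiB."""

    def __init__(self):
        # snapshot name -> {block index: (content version, stored block id)}
        self.snapshots = {}
        self._next_id = 0

    def create(self, name, volume, parent=None):
        """Snapshot `volume`; return the GiB newly stored for this snapshot.

        `parent` is the snapshot the volume's data descends from: the previous
        snapshot of the same volume, or the snapshot the volume was created from.
        """
        base = self.snapshots.get(parent, {})
        refs, stored = {}, 0
        for index, version in volume.items():
            known = base.get(index)
            if known is not None and known[0] == version:
                refs[index] = known                      # unchanged: reference only
            else:
                refs[index] = (version, self._next_id)   # changed or new: store it
                self._next_id += 1
                stored += 1
        self.snapshots[name] = refs
        return stored

    def total_gib(self):
        """Storage held across all snapshots (each stored block counted once)."""
        return len({blk for refs in self.snapshots.values() for blk in refs.values()})

    def delete(self, name):
        """Delete a snapshot; return the GiB freed (blocks nothing else references)."""
        before = self.total_gib()
        del self.snapshots[name]
        return before - self.total_gib()

    def restore(self, name):
        """Rebuild the volume contents captured by snapshot `name`."""
        return {index: version for index, (version, _) in self.snapshots[name].items()}


def same_volume():
    """Snap A, B and C of Volume 1, using the sizes from the first diagram."""
    store = SnapshotStore()
    state1 = {i: 1 for i in range(10)}             # 10 GiB of data
    state2 = {**state1, 0: 2, 1: 2, 2: 2, 3: 2}    # 4 GiB changed
    state3 = {**state2, 10: 1, 11: 1}              # 2 GiB added
    sizes = {
        "A": store.create("A", state1),
        "B": store.create("B", state2, parent="A"),
        "C": store.create("C", state3, parent="B"),
    }
    return store, sizes, state3


def different_volumes():
    """Snap A of Vol 1, then Snap B of Vol 2, which was created from Snap A."""
    store = SnapshotStore()
    size_a = store.create("A", {i: 1 for i in range(10)})
    vol2 = store.restore("A")                      # exact replica of Vol 1
    vol2.update({i: 1 for i in range(10, 14)})     # 4 GiB added to Vol 2
    size_b = store.create("B", vol2, parent="A")
    return store, {"A": size_a, "B": size_b}


if __name__ == "__main__":
    store, sizes, _ = same_volume()
    print("incremental sizes:", sizes, "total:", store.total_gib(), "GiB")
    print("deleting Snap A frees", store.delete("A"), "GiB")
    print("Snap C still restores", len(store.restore("C")), "GiB")
```

In this model, deleting **Snap A** frees only the blocks that **Snap B** overwrote; the blocks that **Snap B** and **Snap C** still reference stay in storage, which is why deleting a snapshot might not reduce storage costs by its full size.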

# Amazon EBS snapshot lifecycle
<a name="ebs-snapshot-lifecycle"></a>

The lifecycle of an Amazon EBS snapshot starts with the creation process. You create snapshots from Amazon EBS volumes. You can use snapshots to restore new Amazon EBS volumes. You can create copies of snapshots either in the same Region, or in different Regions. You can share snapshots with other AWS accounts, either publicly or privately. Those accounts can restore volumes from the shared snapshots, or they can create copies of the shared snapshots in their own account. If you don't need immediate access to a snapshot, you can archive it to save on storage costs.

The following image shows actions that you can perform on your snapshots as part of the snapshot lifecycle.

![\[Snapshot lifecycle\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot-lifecycle.png)


**Topics**
+ [Create snapshots](ebs-creating-snapshot.md)
+ [View snapshot information](ebs-describing-snapshots.md)
+ [Copy a snapshot](ebs-copy-snapshot.md)
+ [Share a snapshot](ebs-modifying-snapshot-permissions.md)
+ [Archive snapshots](snapshot-archive.md)
+ [Delete a snapshot](ebs-deleting-snapshot.md)

# Create Amazon EBS snapshots
<a name="ebs-creating-snapshot"></a>

You can create an Amazon EBS snapshot of an Amazon EBS volume to create a point-in-time backup of that volume. You can either create snapshots of **individual Amazon EBS volumes**, or you can create **multi-volume snapshots** of all, or a subset, of the volumes attached to an Amazon EC2 instance.

Snapshot creation is asynchronous. The snapshot is created immediately, but it remains in the `pending` state until all of the data has been transferred to Amazon S3. This can take several hours to complete, depending on the number of modified blocks on the volume. You can continue to use the volume during this time without impacting the snapshot. The snapshot includes only the data that was written to the volume at the time the snapshot was requested. It does not include data that has been cached by applications or the operating system.

**Tip**  
To ensure consistent and complete snapshots, we recommend that you pause writes to the volume before you create the snapshot. If you can't pause writes to the volume, we recommend that you unmount the volume, from within the instance, before you create the snapshot. You can remount and resume writes once the snapshot enters the `pending` state.  
If you create a snapshot of a volume that serves as the root device for an Amazon EC2 instance, we recommend that you stop the instance before taking the snapshot.

**Topics**
+ [Snapshot encryption](#create-snapshot-encryption)
+ [Snapshot destinations](#create-snapshot-destinations)
+ [Automating snapshots](#create-snapshots-automate)
+ [Considerations for creating snapshots](#create-snapshots-considerations)
+ [Create snapshot of a volume](ebs-create-snapshot.md)
+ [Create multi-volume snapshots](ebs-create-snapshots.md)

## Snapshot encryption
<a name="create-snapshot-encryption"></a>

A snapshot automatically gets the same encryption status as the volume from which it is created. Snapshots created from unencrypted volumes are not encrypted. Snapshots created from encrypted volumes are automatically encrypted using the same KMS key as the volume.

**Tip**  
If you need to create an encrypted snapshot from an unencrypted volume, first create the unencrypted snapshot of the volume, and then create an encrypted copy of that snapshot.

## Snapshot destinations
<a name="create-snapshot-destinations"></a>

The location of the source resource (volume or instance) determines where you can create snapshots.
+ If the source resource is in a Region, you must create snapshots in the same Region as the source resource.
+ If the source resource is in a Local Zone, you can create snapshots in the same Local Zone or in its parent Region. For more information, see [Local snapshots in Local Zones](snapshots-localzones.md).
+ If the source resource is on an Outpost, you can create snapshots on the same Outpost or in its parent Region. For more information, see [Amazon EBS local snapshots on Outposts](snapshots-outposts.md).

## Automating snapshots
<a name="create-snapshots-automate"></a>

You can automate snapshot creation using [Amazon Data Lifecycle Manager](snapshot-lifecycle.md) and [AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/multi-volume-crash-consistent.html).

## Considerations for creating snapshots
<a name="create-snapshots-considerations"></a>
+ We recommend that you do not create snapshots of volumes that are attached to Amazon EC2 instances that are hibernated or that are enabled for hibernation. For more information, see [How Amazon EC2 instance hibernation works](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-hibernate-overview.html#instance-hibernate-limitations).
+ Although you can take a snapshot of a volume while a previous snapshot of that volume is in the `pending` status, having multiple snapshots in the `pending` state for the same volume can result in reduced volume performance until the snapshots complete.
+ There are limits on the number of snapshots you can have in the `pending` state, and on the number of concurrent snapshots you can request per volume type. For more information, see [Quotas for Amazon EBS](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-resource-quotas.html). If you exceed one of these quotas, wait for the current snapshots to complete and then try again.

# Create a snapshot of an EBS volume
<a name="ebs-create-snapshot"></a>

You can create a single snapshot of a single volume. Alternatively, to automate snapshot creation, use [Amazon Data Lifecycle Manager](snapshot-lifecycle.md) or [AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/multi-volume-crash-consistent.html). To create snapshots of all the volumes for an EC2 instance, use [multi-volume snapshots](ebs-create-snapshots.md).

------
#### [ Console ]

**To create a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**, **Create snapshot**.

1. For **Resource type**, choose **Volume**.

1. For **Volume ID**, select the volume from which to create the snapshot. The **Encryption** field indicates the volume and resulting snapshot's encryption status. It can't be modified.

1. (*Optional*) For **Description**, enter a brief description for the snapshot.

1. If the volume is on an Outpost or in a Local Zone, the **Snapshot destination** field appears. Do one of the following:
   + If the volume is in a Local Zone, choose **Local Zone** to create the snapshot in the same Local Zone, or choose **AWS Region** to create the snapshot in the parent Region of the Local Zone.
   + If the volume is on an Outpost, choose **AWS Outpost**, to create the snapshot on the same Outpost, or choose **AWS Region** to create the snapshot in the parent Region of the Outpost.
**Note**  
If the volume is in a Region, the **Snapshot destination** does not appear. The snapshot is automatically created in the same Region as the volume.

1. (*Optional*) To assign custom tags to the snapshot, in the **Tags** section, choose **Add tag**, and then enter the key-value pair. You can add up to 50 tags.

1. Choose **Create snapshot**.

------
#### [ AWS CLI ]

**To create a snapshot**  
Use the [create-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-snapshot.html) command.

```
aws ec2 create-snapshot  \
    --volume-id vol-01234567890abcdef \
    --description "Snapshot of the root volume for i-1234567890abcdef0"
```

------
#### [ PowerShell ]

**To create a snapshot**  
Use the [New-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Snapshot.html) cmdlet.

```
New-EC2Snapshot `
    -VolumeId vol-01234567890abcdef `
    -Description "Snapshot of the root volume for i-1234567890abcdef0"
```

------

# Create multi-volume EBS snapshots from an EC2 instance
<a name="ebs-create-snapshots"></a>

By default, when you create multi-volume snapshots from an Amazon EC2 instance, Amazon EBS creates snapshots of all the Amazon EBS volumes that are attached to the instance. However, you can choose to exclude the root volume, or specific data volumes if needed.

**Tip**  
We recommend that you tag your multi-volume snapshots so that it's easy to identify and manage them collectively. You can also copy the tags from the source volumes to the corresponding snapshots to set the snapshot metadata, such as access policies, attachment information, and cost allocation, to match the source volume.

**Considerations for multi-volume snapshots**
+ If all of the snapshots complete successfully, a `createSnapshots` CloudWatch event with a result of `succeeded` is sent to your AWS account. If any one snapshot in the multi-volume snapshot set fails, all of the other snapshots enter the `error` state and a `createSnapshots` CloudWatch event with a result of `failed` is sent to your account. For more information, see [Create snapshots (createSnapshots)](ebs-cloud-watch-events.md#create-snapshots-complete).
+ Multi-volume snapshots support up to 128 Amazon EBS volumes attached to an instance, including the root volume and up to 127 data volumes.
+ Each snapshot in the multi-volume snapshot set is an individual snapshot that can be used in the same way, and that supports the same features, as an individual snapshot.
+ You can take application-consistent snapshots of all the Amazon EBS volumes attached to an Amazon EC2 Windows instance using [AWS Systems Manager command documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-vss-snapshots-ssm.html).

------
#### [ Console ]

**To create multi-volume snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**, **Create snapshot**.

1. For **Resource type**, choose **Instance**.

1. For **Description**, enter a brief description for the snapshots. This description is applied to all of the snapshots.

1. If the instance is on an Outpost or in a Local Zone, the **Snapshot destination** field appears. Do one of the following:
   + If the instance is in a Local Zone, choose **Local Zone** to create the snapshots in the same Local Zone, or choose **AWS Region** to create the snapshots in the parent Region of the Local Zone.
   + If the instance is on an Outpost, choose **AWS Outpost**, to create the snapshots on the same Outpost, or choose **AWS Region** to create the snapshots in the parent Region of the Outpost.
**Note**  
If the instance is in a Region, the **Snapshot destination** does not appear. The snapshot is automatically created in the same Region as the instance.

1. (*Optional*) To exclude the instance's root volume, select **Exclude root volume**.

1. (*Optional*) To exclude data volumes, select **Exclude specific data volumes**. The **Attached data volumes** section lists all of the data volumes that are currently attached to the selected instance.

   Select the data volumes to exclude. Only the volumes that remain unselected will be included in the multi-volume snapshot set.

1. (*Optional*) To automatically copy tags from the source volumes to the corresponding snapshots, for **Copy tags from source volume**, select **Copy tags**.

1. (*Optional*) To assign additional custom tags to the snapshots, in the **Tags** section, choose **Add tag**, and then enter the key-value pair. You can add up to 50 tags.

1. Choose **Create snapshot**.

------
#### [ AWS CLI ]

**To create multi-volume snapshots**  
Use the [create-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-snapshots.html) command.

```
aws ec2 create-snapshots \
    --instance-specification InstanceId=i-1234567890abcdef0 \
    --description "from a multi-volume snapshot of i-1234567890abcdef0"
```

To exclude the root volume, add the following to the `--instance-specification` option.

```
ExcludeBootVolume=true
```

To exclude a data volume, add the following to the `--instance-specification` option.

```
ExcludeDataVolumeIds=vol-01234567890abcdef
```

------
#### [ PowerShell ]

**To create multi-volume snapshots**  
Use the [New-EC2SnapshotBatch](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2SnapshotBatch.html) cmdlet.

```
New-EC2SnapshotBatch `
    -InstanceSpecification_InstanceId i-1234567890abcdef0 `
    -Description "from a multi-volume snapshot of i-1234567890abcdef0"
```

To exclude the root volume, add the following parameter.

```
-InstanceSpecification_ExcludeBootVolume $true
```

To exclude data volumes, add the following parameter.

```
-InstanceSpecification_ExcludeDataVolumes "vol-01234567890abcdef"
```

------

# View Amazon EBS snapshot information
<a name="ebs-describing-snapshots"></a>

You can view detailed information about your snapshots.

------
#### [ Console ]

**To view snapshot information**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. To view only the snapshots that you own, in the top-left corner of the screen, choose **Owned by me**. You can also filter the list of snapshots using tags and other snapshot attributes. In the **Filter** field, select the attribute field, and then select or enter the attribute value. For example, to view only encrypted snapshots, select **Encryption**, and then enter `true`.

1. To view more information about a specific snapshot, choose its ID in the list.
**Note**  
The **Full snapshot size** field shows the full size of the snapshot, in bytes. This is **not** the incremental size of the snapshot. Instead, it represents the size of all the blocks that were written to the source volume at the time the snapshot was created.  
The **Volume size** field shows the size of the EBS volume that will be created from the snapshot if no other size is specified.

------
#### [ AWS CLI ]

**To view snapshot information**  
Use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command.

**Example 1: Filter based on tags**  
The following example describes the snapshots with the tag Stack=production.  

```
aws ec2 describe-snapshots --filters Name=tag:Stack,Values=production
```

**Example 2: Filter based on volume**  
The following example describes the snapshots created from the specified volume.  

```
aws ec2 describe-snapshots --filters Name=volume-id,Values=vol-049df61146c4d7901
```

**Example 3: Filter based on snapshot age**  
You can use JMESPath to filter results using expressions. For example, the following command displays the IDs of all snapshots created by your account before the specified date. If you do not specify the owner, the results include all public snapshots.  

```
aws ec2 describe-snapshots \
    --filters Name=owner-id,Values=123456789012 \
    --query "Snapshots[?(StartTime<='2024-03-31')].[SnapshotId]" \
    --output text
```
The following command displays the IDs of all snapshots created in the specified date range.  

```
aws ec2 describe-snapshots \
    --filters Name=owner-id,Values=123456789012 \
    --query "Snapshots[?(StartTime>='2024-01-01') && (StartTime<='2024-12-31')].[SnapshotId]" \
    --output text
```

------
#### [ PowerShell ]

**To view snapshot information**  
Use the [Get-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Snapshot.html) cmdlet.

**Example 1: Describe a snapshot**  
The following example describes the specified snapshot.

```
Get-EC2Snapshot -SnapshotId snap-0abcdef1234567890
```

**Example 2: Filter based on volume**  
The following example describes the snapshots created from the specified volume.

```
Get-EC2Snapshot `
    -Filter @{Name="volume-id"; Values="vol-01234567890abcdef"}
```

------

## Snapshot states
<a name="snapshot-states"></a>

An Amazon EBS snapshot transitions through different states from the moment it is created until it is permanently deleted.

The following illustration shows the transitions between snapshot states. When you create a snapshot, it enters the `pending` state. After the snapshot is ready for use, it enters the `completed` state. When you've decided that you no longer need a snapshot, you can delete it. If you delete a snapshot that matches a Recycle Bin retention rule, it is retained in the Recycle Bin and it enters the `recoverable` state. If you recover a snapshot from the Recycle Bin, it enters the `recovering` state and then the `completed` state. Otherwise, it is permanently deleted.

![\[Snapshot with allocated blocks\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot-statuses.png)


The following table summarizes the snapshot states.


| Status | Description | 
| --- | --- | 
| pending |  The snapshot creation process is still in progress. A snapshot can't be used while it is in the `pending` state.  | 
| completed | The snapshot creation process has completed and the snapshot is ready for use. | 
| recoverable | The snapshot is currently in the Recycle Bin. To use the snapshot, you must first recover it from the Recycle Bin. | 
| recovering | The snapshot is being recovered from the Recycle Bin. After the snapshot has been recovered, it transitions to the `completed` state and becomes ready for use. | 
| error | The snapshot creation process has failed. A snapshot can't be used if it is in the `error` state. | 
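Because only `completed` snapshots can be used for a restore, a backup check has to look at state, age, and encryption status together. The following added example (not AWS code) does that over `describe-snapshots` output. The function name, the finding codes, the 24-hour age threshold, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Volume IDs this guide gives as examples of the arbitrary IDs carried by
# snapshot copies; they say nothing about a real source volume.
COPY_PLACEHOLDER_IDS = {"vol-ffff", "vol-ffffffff"}

# Constructed sample, shaped like the "Snapshots" list that
# `aws ec2 describe-snapshots --output json` returns.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-00000000000000001", "VolumeId": "vol-0aaaaaaaaaaaaaaaa",
     "State": "completed", "Encrypted": True, "StartTime": "2024-03-31T02:00:00.000Z"},
    {"SnapshotId": "snap-00000000000000002", "VolumeId": "vol-0bbbbbbbbbbbbbbbb",
     "State": "completed", "Encrypted": False, "StartTime": "2024-03-31T01:00:00.000Z"},
    {"SnapshotId": "snap-00000000000000003", "VolumeId": "vol-0cccccccccccccccc",
     "State": "completed", "Encrypted": True, "StartTime": "2024-03-20T01:00:00.000Z"},
    {"SnapshotId": "snap-00000000000000004", "VolumeId": "vol-0cccccccccccccccc",
     "State": "error", "Encrypted": True, "StartTime": "2024-03-31T01:00:00.000Z"},
    {"SnapshotId": "snap-00000000000000005", "VolumeId": "vol-0dddddddddddddddd",
     "State": "pending", "Encrypted": True, "StartTime": "2024-03-31T11:30:00.000Z"},
    {"SnapshotId": "snap-00000000000000006", "VolumeId": "vol-0dddddddddddddddd",
     "State": "recoverable", "Encrypted": True, "StartTime": "2024-03-29T01:00:00.000Z"},
    {"SnapshotId": "snap-00000000000000007", "VolumeId": "vol-ffffffff",
     "State": "completed", "Encrypted": False, "StartTime": "2024-03-31T03:00:00.000Z"},
]


def _started(snapshot):
    """StartTime as an aware datetime (CLI JSON gives a string, SDKs a datetime)."""
    value = snapshot["StartTime"]
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_backup_coverage(snapshots, now, max_age=timedelta(hours=24)):
    """Return {volume ID: [(finding code, detail), ...]} for volumes with gaps.

    Only `completed` snapshots count as usable: `pending`, `error`,
    `recoverable` and `recovering` snapshots cannot be restored from as-is.
    """
    by_volume = {}
    for snap in snapshots:
        if snap["VolumeId"] in COPY_PLACEHOLDER_IDS:
            continue  # snapshot copy: its volume ID is not a real source volume
        by_volume.setdefault(snap["VolumeId"], []).append(snap)

    findings = {}
    for volume_id, snaps in sorted(by_volume.items()):
        usable = [s for s in snaps if s["State"] == "completed"]
        issues = []
        if not usable:
            states = ", ".join(sorted({s["State"] for s in snaps}))
            issues.append(("NO_USABLE_SNAPSHOT", "states seen: " + states))
        else:
            latest = max(usable, key=_started)
            if now - _started(latest) > max_age:
                issues.append(("STALE", latest["SnapshotId"]))
            if not latest["Encrypted"]:
                # Remedy per the encryption tip: make an encrypted copy.
                issues.append(("UNENCRYPTED", latest["SnapshotId"]))
        if issues:
            findings[volume_id] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
    for volume, issues in audit_backup_coverage(SAMPLE_SNAPSHOTS, now).items():
        print(volume, issues)
```

A volume whose newest snapshot is in the `error` state is reported as `STALE` against its last `completed` snapshot, not treated as backed up.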

# Copy an Amazon EBS snapshot
<a name="ebs-copy-snapshot"></a>

After you create a snapshot, and it has reached the `completed` state, you can create a copy of it. The snapshot copy is an exact copy of the original, but it has a unique resource ID. You can copy snapshots that you own and snapshots that are shared with you, privately or publicly. You might need to copy a snapshot for the following use cases:
+ Geographic expansion — You need to launch your applications in a new Region.
+ Migration — You need to move an application to a new destination, to enable better availability or to minimize cost.
+ Disaster recovery — You need to back up your data and logs to secondary Regions for data redundancy purposes.
+ Encryption — You need to encrypt a previously unencrypted snapshot or reencrypt an encrypted snapshot using a different KMS key.
+ Copy a shared snapshot — You need to copy a snapshot that is shared with you.
+ Data retention and auditing requirements — You need to copy encrypted snapshots from one AWS account to another to preserve data for auditing or data retention. Using a different account protects you if your main AWS account is compromised.

To copy multi-volume snapshots, identify all of the snapshots that are part of that set using the tags that you assigned during creation, and then copy them individually.

For information about copying an Amazon RDS snapshot, see [Copying a DB Snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html) in the *Amazon RDS User Guide*.

**Pricing**  
For pricing information about copying snapshots, see [Amazon EBS Pricing](https://aws.amazon.com/ebs/pricing/).

**Topics**
+ [Considerations for copying snapshots](#snapshot-copy-consids)
+ [Destinations for snapshot copies](#snapshot-copy-destinations)
+ [Incremental snapshot copying](#ebs-incremental-copy)
+ [Time-based copies](time-based-copies.md)
+ [Encryption and snapshot copying](#creating-encrypted-snapshots)
+ [Copy a snapshot](#ebs-snapshot-copy)

## Considerations for copying snapshots
<a name="snapshot-copy-consids"></a>
+ You can copy AWS Marketplace, VM Import/Export, and Storage Gateway snapshots, but you must verify that the snapshot is supported in the destination Region.
+ There is a limit of `20` concurrent snapshot copy requests per destination. If you exceed this quota, you receive a `ResourceLimitExceeded` error. If you receive this error, wait for one or more of the copy requests to complete before making a new snapshot copy request.
+ User-defined tags are not copied from the source snapshot to the snapshot copy. You can add user-defined tags during or after the copy operation.
+ Snapshots created by a snapshot copy operation have an arbitrary volume ID, such as `vol-ffff` or `vol-ffffffff`. These arbitrary volume IDs should not be used for any purpose.
+ Resource-level permissions specified for the snapshot copy operation can apply to the snapshot copy and the source snapshot. For an example, see [Example: Copying snapshots](https://docs.aws.amazon.com/ebs/latest/userguide/security_iam_id-based-policy-examples.html#iam-copy-snapshot).
+ If you copy a snapshot that is enabled for fast snapshot restore, the snapshot copy is not automatically enabled for fast snapshot restore. You must explicitly enable fast snapshot restore for the snapshot copy.
+ If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
+ If you copy a snapshot to a new Region, a full (non-incremental) copy is created. This results in additional storage costs.
+ If you use external or cross-Region data transfers, additional [EC2 data transfer](https://aws.amazon.com/ebs/pricing/) charges will apply. If you delete any snapshots after initiation, you are still charged for the data that has already been transferred.

## Destinations for snapshot copies
<a name="snapshot-copy-destinations"></a>

The location of the source snapshot determines whether you can copy it or not.
+ If the source snapshot is in a Region, you can copy it within that Region, to another Region, to an Outpost associated with that Region, or to a Local Zone in that Region.
+ If the source snapshot is in a Local Zone, you can copy it within the same Local Zone, to another Local Zone in the same zone group, or to the parent Region of that Local Zone.
+ If the source snapshot is on an Outpost, you can't copy it.

## Incremental snapshot copying
<a name="ebs-incremental-copy"></a>

Snapshot copy operations within the same account and Region using the same KMS key are always incremental copies. However, if you encrypt the snapshot copy using a different KMS key, the copy is a full copy.

When you copy a snapshot across Regions or accounts, the copy is an incremental copy if the following conditions are met:
+ The snapshot was copied to the destination Region or account previously.
+ The most recent snapshot copy still exists in the destination Region or account.
+ The most recent snapshot copy has not been archived.
+ All copies of the snapshot in the destination Region or account are either unencrypted or were encrypted using the same KMS key.

**Tip**  
We recommend that you tag your snapshot copies with the volume ID and creation time so that you can keep track of the most recent snapshot copy of a volume in the destination Region or account.

To see whether your snapshot copies are incremental, check the [copySnapshot](ebs-cloud-watch-events.md#copy-snapshot-complete) CloudWatch event.

# Time-based copies for Amazon EBS snapshots and EBS-backed AMIs
<a name="time-based-copies"></a>

Time-based copies can help you meet compliance or business requirements for data replication by ensuring that your EBS snapshots and EBS-backed AMIs are copied, within and across AWS Regions, in a specified timeframe. Time-based copies can also help backup administrators meet stringent disaster recovery requirements (Recovery Point Objectives and Recovery Time Objectives), and they improve development agility by ensuring predictable copying times for snapshots and EBS-backed AMIs.

With time-based snapshot and EBS-backed AMI copy operations, you specify a completion duration, between 15 minutes and 48 hours, in which the copy is to be completed. The completion duration must be specified in 15 minute increments.

**Topics**
+ [Quotas](#time-based-copies-quota)
+ [Determine your completion duration](#time-based-copies-how)
+ [Considerations](#time-based-copies-considerations)
+ [Monitoring](#time-based-copies-monitoring)
+ [Pricing and billing](#time-based-copies-pricing)

## Quotas
<a name="time-based-copies-quota"></a>

The following quotas apply to time-based snapshot and EBS-backed AMI copy operations:


| Quota | Description | Quota value | Adjustable | 
| --- | --- | --- | --- | 
| Snapshot copy operation throughput quota | The maximum throughput that can be achieved by a single time-based snapshot copy operation. For AMI copy operations, the quota applies to each individual snapshot associated with the AMI.  | 500 MiB/s | No | 
| Cumulative snapshot copy throughput quota | The maximum cumulative throughput that can be achieved by concurrent time-based snapshot copy operations between a source and destination Region. For AMI copy operations, each individual snapshot associated with the AMI counts towards the quota. | 2,000 MiB/s | [Yes](https://console.aws.amazon.com/servicequotas/home/services/ebs/quotas/L-E137849C) | 

When you initiate a **time-based snapshot copy operation**, you specify a completion duration. The throughput used by the request is determined by the size of the snapshot data and the requested completion duration. For example, if you copy a snapshot that has 225,000 MiB (0.214 TiB) of data, and you request a completion duration of 15 minutes, the throughput is 250 MiB/s (225,000 MiB ÷ 15 minutes = 250 MiB/s).

When you initiate a **time-based AMI copy operation**, the completion duration you specify applies to each snapshot associated with the AMI. Because each snapshot can have a different size, each snapshot is copied at a different throughput to ensure that all snapshots are copied within the completion duration. For example, say you have an AMI with the following associated snapshots:
+ Snapshot 1: 200,000 MiB
+ Snapshot 2: 500,000 MiB
+ Snapshot 3: 450,000 MiB

If you initiate a time-based copy for this AMI and specify a completion duration of 60 minutes, the request uses the following throughput:
+ Snapshot 1: 55.56 MiB/s (200,000 MiB ÷ 60 minutes = 55.56 MiB/s)
+ Snapshot 2: 138.89 MiB/s (500,000 MiB ÷ 60 minutes = 138.89 MiB/s)
+ Snapshot 3: 125 MiB/s (450,000 MiB ÷ 60 minutes = 125 MiB/s)

This means that the request uses 319.45 MiB/s of your cumulative snapshot copy throughput quota to ensure that the copy completes in 60 minutes.

If you initiate a time-based snapshot or EBS-backed AMI copy request and your available cumulative snapshot copy throughput quota is:
+ greater than or equal to the required throughput rate, the copy completes within the requested completion duration.
+ less than the required throughput rate but greater than zero, the request succeeds but it will take longer than you requested. The copy is completed using your available throughput quota.
+ zero (quota reached), the request fails.

## Determine your completion duration
<a name="time-based-copies-how"></a>

The minimum completion duration you can request for a time-based snapshot or EBS-backed AMI copy operation is 15 minutes, and the maximum completion duration you can request is 48 hours. The completion duration must be specified in 15-minute increments.

**Concurrent time-based snapshot copy operations**  
You can perform concurrent time-based snapshot copy operations between the same source and destination Regions, as long as the combined throughput of all of the concurrent operations is within your cumulative snapshot copy throughput quota (2,000 MiB/s by default).

To determine whether you can achieve your required completion duration for your existing snapshots, divide the combined size of all of your snapshots by your required completion duration to determine the required throughput rate.

**Tip**  
If you don't know the exact size of the data in your snapshots, you can use the full snapshot size as a proxy instead. To get the full snapshot size, use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) AWS CLI command.

```
required throughput rate = combined snapshot size ÷ required completion duration
```

If the required throughput rate is less than your cumulative snapshot copy throughput quota, you can achieve your required completion duration. If the required throughput rate is greater than your cumulative snapshot copy throughput quota, we recommend that you request a quota increase that is at least 10% higher than your required throughput rate.

**Tip**  
The Amazon EC2 console provides a calculator that you can use to check how much snapshot data you copied between two Regions over a specific period, and the minimum completion duration that you can achieve for that amount of data, based on a specific cumulative snapshot copy throughput quota. The calculator uses the `SnapshotCopyBytesTransferred` CloudWatch metric to calculate data copied between two Regions over a period. To open the calculator, in the Amazon EC2 console navigation panel, select **Snapshots**, and then choose **Actions**, **Launch copy duration calculator**.  
The snapshot copy duration calculator is not supported with AWS Outposts, Local Zones, and Wavelength Zones.

**Individual time-based snapshot copy operations**  
You can calculate the minimum completion duration for an individual time-based snapshot copy operation by dividing the size of the snapshot data by the snapshot copy operation throughput quota (500 MiB/s).

**Tip**  
If you don't know the exact size of the data in your snapshots, you can use the full snapshot size as a proxy instead. To get the full snapshot size, use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) AWS CLI command.

```
minimum completion duration = Max(15 minutes, (snapshot data size ÷ 500 MiB/s))
```

For example, the minimum completion duration for a snapshot with 900,000 MiB of data is 30 minutes.

```
minimum completion duration = Max(15 minutes, (900,000 MiB ÷ 500 MiB/s))
= Max(15 minutes, 30 minutes)
= 30 minutes
```

**Time-based AMI copy operations**  
When you initiate a time-based AMI copy operation for an EBS-backed AMI with a single associated snapshot, it behaves in the same way as an **individual time-based snapshot copy operation**, and the same throughput limitations apply.

When you initiate a time-based AMI copy operation for an EBS-backed AMI with multiple associated snapshots, it behaves in the same way as **concurrent time-based snapshot copy operations**, and the same throughput limitations apply. Each associated snapshot results in a separate snapshot copy request, each of which contributes to your cumulative snapshot copy throughput quota. The completion duration that you specify applies to each associated snapshot.
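The duration and quota rules above can be combined into a small planner. The following Python sketch is an added example, not AWS code; the function names are hypothetical, and the limits (500 MiB/s per snapshot, 2,000 MiB/s cumulative by default, 15-minute increments, 48-hour maximum) are the ones stated on this page.

```python
import math

# Limits stated on this page.
MIN_MINUTES = 15
MAX_MINUTES = 48 * 60
STEP_MINUTES = 15
PER_SNAPSHOT_MIB_S = 500         # snapshot copy operation throughput quota
DEFAULT_CUMULATIVE_MIB_S = 2000  # cumulative snapshot copy throughput quota


def check_duration(minutes):
    """Reject durations outside 15 minutes..48 hours or off the 15-minute grid."""
    if not MIN_MINUTES <= minutes <= MAX_MINUTES or minutes % STEP_MINUTES:
        raise ValueError(f"invalid completion duration: {minutes} minutes")
    return minutes


def required_throughput(sizes_mib, minutes):
    """Per-snapshot MiB/s needed so that every snapshot finishes within `minutes`."""
    seconds = check_duration(minutes) * 60
    return [size / seconds for size in sizes_mib]


def minimum_completion_duration(sizes_mib, cumulative_quota=DEFAULT_CUMULATIVE_MIB_S):
    """Shortest valid duration (minutes) for snapshots copied concurrently.

    Two limits apply: the largest snapshot cannot exceed 500 MiB/s, and the
    combined rate of all snapshots cannot exceed the cumulative quota.
    """
    seconds = max(max(sizes_mib) / PER_SNAPSHOT_MIB_S,
                  sum(sizes_mib) / cumulative_quota)
    steps = math.ceil(seconds / (STEP_MINUTES * 60))  # round up to the 15-minute grid
    minutes = max(MIN_MINUTES, steps * STEP_MINUTES)
    if minutes > MAX_MINUTES:
        raise ValueError("data cannot be copied within the 48-hour maximum")
    return minutes


def copy_outcome(sizes_mib, minutes, available_quota):
    """Map the available cumulative quota to the three outcomes listed under Quotas."""
    needed = sum(required_throughput(sizes_mib, minutes))
    if available_quota <= 0:
        return "fails"
    return "on time" if available_quota >= needed else "delayed"


def quota_to_request(sizes_mib, minutes, cumulative_quota=DEFAULT_CUMULATIVE_MIB_S):
    """Return None if the quota suffices, else a target 10% above the required rate."""
    needed = sum(required_throughput(sizes_mib, minutes))
    return None if needed <= cumulative_quota else math.ceil(needed * 1.10)


if __name__ == "__main__":
    ami = [200_000, 500_000, 450_000]  # the AMI example from the Quotas section, in MiB
    # The page's 319.45 MiB/s is the sum of the already-rounded per-snapshot rates.
    print("cumulative MiB/s at 60 minutes:", round(sum(required_throughput(ami, 60)), 2))
    print("minimum duration (minutes):", minimum_completion_duration(ami))
    print("single 900,000 MiB snapshot:", minimum_completion_duration([900_000]))
```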

## Considerations
<a name="time-based-copies-considerations"></a>
+ You can initiate time-based snapshot and EBS-backed AMI copy operations when copying snapshots within the same Region or when copying snapshots across Regions.
+ If you initiate two time-based copy operations for the same snapshot or AMI, the second copy operation's completion duration starts only after the first copy operation completes.
+ Time-based copy operations and the snapshot copy duration calculator are not supported with AWS Outposts, Local Zones, and Wavelength Zones.

## Monitoring
<a name="time-based-copies-monitoring"></a>

You can monitor the progress of time-based snapshot and EBS-backed AMI copy operations using the Amazon EC2 console and the AWS CLI. In the console, select the snapshot and then, in the **Details** tab, inspect the **Progress** field. With the AWS CLI, inspect the `Progress` output element in the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command response.

You can check whether a time-based snapshot or EBS-backed AMI copy operation completed within the requested completion duration by checking the difference between the **Started** and **Completed** times in the console, or `StartTime` and `CompletionTime` in the `describe-snapshots` response.

You can also use the `copySnapshot` Amazon EventBridge event to monitor the outcome of time-based copy operations. The event indicates whether the operation completed and whether the requested completion duration was met. If the completion duration was not met, the event includes more information about the cause. For more information, see [EBS snapshot events](ebs-cloud-watch-events.md#snapshot-events).

## Pricing and billing
<a name="time-based-copies-pricing"></a>

**Note**  
Similar to standard snapshot copy operations, if you copy a snapshot to a new Region, a full (non-incremental) copy is created, which results in additional storage costs. Subsequent copies of the same snapshot are incremental. Additionally, if you use external or cross-region data transfers, additional Amazon EC2 data transfer charges will apply.

Additional charges apply for time-based snapshot and EBS-backed AMI copy operations. Time-based copy operations are charged at a rate that is based on the requested completion duration, per GiB of snapshot data copied. The fixed rates are as follows:

**Note**  
The completion duration must be specified in 15-minute increments. The minimum completion duration is 15 minutes, and the maximum is 48 hours.

+ 15 minutes — \$0.020 per GiB of data
+ 30 minutes and 45 minutes — \$0.018 per GiB of data
+ 1 hour to 1 hour 45 minutes — \$0.016 per GiB of data
+ 2 hours to 3 hours 45 minutes — \$0.014 per GiB of data
+ 4 hours to 7 hours 45 minutes — \$0.012 per GiB of data
+ 8 hours to 15 hours 45 minutes — \$0.010 per GiB of data
+ 16 hours or more — \$0.005 per GiB of data

For example, if you copy a snapshot with 3,000 GiB of data with a completion duration of 8 hours, you are billed \$30 (\$0.010 x 3,000 GiB).

If you initiate a time-based copy operation, but the requested completion duration is not met due to you exceeding a quota, you are billed based on the actual completion duration instead of the requested completion duration. For example, if you request a completion duration of 1 hour, but the operation completes in 2 hours, you are billed based on the rate for the 2 hour completion duration.

If Amazon EBS is not able to achieve the requested completion duration or if a request is canceled due to service-side issues, you are not billed the additional charges for the time-based snapshot copy operation.

If you delete the snapshot copy while the time-based snapshot copy operation is still in progress, you are billed for the data copied up to that point at the rate corresponding to the specified completion duration.

## Encryption and snapshot copying
<a name="creating-encrypted-snapshots"></a>

**Note**  
Amazon S3 server-side encryption (256-bit AES) protects a snapshot's data in transit during a copy operation.

You can create an encrypted snapshot copy of a source snapshot that is unencrypted. You can also encrypt a snapshot copy with a KMS key that is different from the one used for the source snapshot. However, changing the encryption status of a snapshot copy during a copy operation could result in a full (not incremental) copy, which might incur greater data transfer and storage charges.

**Tip**  
When using an encrypted snapshot that is shared with you, we recommend that you re-encrypt the snapshot by copying it and using a KMS key that you own. This protects you if the original KMS key is compromised, or if the owner revokes your access, which could cause you to lose access to the snapshot and any encrypted volumes that you created from it.

**Permissions for copying encrypted snapshots**

To copy an encrypted snapshot, your user must have the following permissions to use Amazon EBS encryption.
+ `kms:DescribeKey`
+ `kms:CreateGrant`
+ `kms:GenerateDataKey`
+ `kms:GenerateDataKeyWithoutPlaintext`
+ `kms:ReEncrypt`
+ `kms:Decrypt`

To copy an encrypted snapshot that is shared from another AWS account, you must have permissions to use the customer managed key that was used to encrypt that snapshot. For more information, see [Share the KMS key used to encrypt a shared Amazon EBS snapshot](share-kms-key.md).

**Encryption outcomes for snapshot copies**  
The following table describes the encryption outcomes when copying snapshots that you own and snapshots that are shared with you.


| Encryption by default for destination Region | Source snapshot | Snapshot copy encryption outcome | Note | 
| --- | --- | --- | --- | 
| Disabled | Unencrypted | Optional encryption | If you encrypt the copy, you can specify the KMS key to use. If you encrypt the copy but do not specify a KMS key, the key specified for encryption by default is used. | 
| Disabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the AWS managed key (aws/ebs) is used. | 
| Enabled | Unencrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. | 
| Enabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. | 

## Copy a snapshot
<a name="ebs-snapshot-copy"></a>

You can copy snapshots from one Region to another. You can copy an unencrypted snapshot to an encrypted snapshot. However, if you attempt to copy an encrypted snapshot without having permissions to use the encryption key, the operation fails silently and the snapshot copy receives the "Given key ID is not accessible" status message.

------
#### [ Console ]

**To copy a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot to copy, and then choose **Actions**, **Copy snapshot**.

1. For **Description**, enter a brief description for the snapshot copy.

   By default, the description includes information about the source snapshot so that you can identify a copy from the original.

1. Specify the destination for the snapshot copy.
   + To copy the snapshot to the same Region or to a different Region, select **AWS Region** and then select the destination Region.
   + To copy the snapshot to a Local Zone, select **AWS Local Zone** and then select the destination Local Zone.
   + (*Outpost customers only*) To copy the snapshot to an Outpost, select **AWS Outpost** and then enter the ARN of the destination Outpost.

1. If you need the snapshot copy to be completed within a specific timeframe, select **Enable time-based copy**. For **Completion duration**, enter the required completion duration, in 15-minute increments. For more information, see [Time-based copies for Amazon EBS snapshots and EBS-backed AMIs](time-based-copies.md).

   If you do not need the snapshot copy to be completed in a specific timeframe, do not enable time-based copy. In this case, the snapshot copy is completed on a best-effort basis.

1. (*Outpost customers only*) To create the snapshot copy on an Outpost in the selected Region, for **Snapshot destination** choose **AWS Outpost**, and then for **Destination Outpost ARN**, enter the ARN of the Outpost to which to copy the snapshot. The **Snapshot destination** field appears only if you have an Outpost in the selected Region.

1. Specify the encryption status for the snapshot copy.

   If the source snapshot is encrypted, or if your account is enabled for [encryption by default](encryption-by-default.md), the snapshot copy is automatically encrypted. If the source snapshot is unencrypted and your account is not enabled for encryption by default, encryption is optional.

1. Choose **Copy snapshot**.

------
#### [ AWS CLI ]

**To copy a snapshot to another Region**  
Use the [copy-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html) command. The following example copies the specified snapshot from the source Region to the current Region, which is specified by the `--region` option.

```
aws ec2 copy-snapshot \
    --source-snapshot-id snap-0abcdef1234567890 \
    --source-region us-east-1 \
    --region us-west-2
```

**To copy an unencrypted snapshot to an encrypted snapshot**  
Use the [copy-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html) command. The following example copies the specified unencrypted snapshot from the source Region to the current Region, encrypting the new snapshot using the specified KMS key.

```
aws ec2 copy-snapshot \
    --source-snapshot-id snap-0abcdef1234567890 \
    --source-region us-east-1 \
    --encrypted \
    --kms-key-id alias/my-kms-key
```

------
#### [ PowerShell ]

**To copy a snapshot to another Region**  
Use the [Copy-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Snapshot.html) cmdlet. The following example copies the specified snapshot from the source Region to the current Region, which is specified by the `-Region` parameter.

```
Copy-EC2Snapshot `
    -SourceSnapshotId snap-0abcdef1234567890 `
    -SourceRegion us-east-1 `
    -Region us-west-2
```

**To copy an unencrypted snapshot to an encrypted snapshot**  
Use the [Copy-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Snapshot.html) cmdlet. The following example copies the specified unencrypted snapshot from the source Region to the current Region, encrypting the new snapshot using the specified KMS key.

```
Copy-EC2Snapshot `
    -SourceSnapshotId snap-0abcdef1234567890 `
    -SourceRegion us-east-1 `
    -Encrypted $true `
    -KmsKeyId alias/my-kms-key
```

------

# Share an Amazon EBS snapshot with other AWS accounts
<a name="ebs-modifying-snapshot-permissions"></a>

You can modify the permissions of a snapshot if you want to share it with other AWS accounts. You can share snapshots publicly with all other AWS accounts, or you can share them privately with individual AWS accounts that you specify. Users that you have authorized can use the snapshots that you share to create their own EBS volumes, while your original snapshot remains unaffected.

**Important**  
When you share a snapshot, you are giving others access to all of the data on the snapshot. Share snapshots only with people that you trust with *all* of your snapshot data.

To prevent the public sharing of snapshots, you can enable [Block public access for Amazon EBS snapshots](block-public-access-snapshots.md).

**Topics**
+ [Before you share a snapshot](#share-snapshot-considerations)
+ [Share a snapshot](#share-unencrypted-snapshot)
+ [Share a KMS key](share-kms-key.md)
+ [Use shared snapshots](view-shared-snapshot.md)
+ [Determine the use of snapshots that you share](#shared-snapshot-cloudtrail-logging)

## Before you share a snapshot
<a name="share-snapshot-considerations"></a>

The following considerations apply to sharing snapshots:
+ If block public access for snapshots is enabled for the Region, attempts to publicly share snapshots will be blocked. Snapshots can still be privately shared.
+ Snapshots are constrained to the Region in which they were created. To share a snapshot with another Region, copy the snapshot to that Region and then share the copy. For more information, see [Copy an Amazon EBS snapshot](ebs-copy-snapshot.md).
+ You can't share snapshots that are encrypted with the default AWS managed key. You can only share snapshots that are encrypted with a customer managed key. For more information, see [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.
+ You can share only unencrypted snapshots publicly.
+ When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot. For more information, see [Share the KMS key used to encrypt a shared Amazon EBS snapshot](share-kms-key.md).

## Share a snapshot
<a name="share-unencrypted-snapshot"></a>

You can share a snapshot publicly or with specific AWS accounts.

------
#### [ Console ]

**To share a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot to share, and then choose **Actions**, **Modify permissions**.

1. Specify the snapshot's permissions. *Current setting* indicates the snapshot's current sharing permissions.
   + To share the snapshot publicly with all AWS accounts, choose **Public**.
   + To share the snapshot privately with specific AWS accounts, choose **Private**. Then, in the **Sharing accounts** section, choose **Add account**, and enter the 12-digit account ID (without hyphens) of the account to share with.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

The permissions for a snapshot are specified using the `createVolumePermission` attribute of the snapshot. To make a snapshot public, set the group to `all`. To share a snapshot with a specific AWS account, set the user to the ID of the AWS account.

**To share a snapshot publicly**  
Use the [modify-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html) command.

For `--attribute`, specify `createVolumePermission`. For `--operation-type`, specify `add`. For `--group-names`, specify `all`.

```
aws ec2 modify-snapshot-attribute \
    --snapshot-id snap-0abcdef1234567890 \
    --attribute createVolumePermission \
    --operation-type add \
    --group-names all
```

**To share a snapshot privately**  
Use the [modify-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html) command.

For `--attribute`, specify `createVolumePermission`. For `--operation-type`, specify `add`. For `--user-ids`, specify the 12-digit IDs of the AWS accounts with which to share the snapshots.

```
aws ec2 modify-snapshot-attribute \
    --snapshot-id snap-0abcdef1234567890 \
    --attribute createVolumePermission \
    --operation-type add \
    --user-ids 123456789012 111122223333
```

------
#### [ PowerShell ]

The permissions for a snapshot are specified using the `createVolumePermission` attribute of the snapshot. To make a snapshot public, set the group to `all`. To share a snapshot with a specific AWS account, set the user to the ID of the AWS account.

**To share a snapshot publicly**  
Use the [Edit-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SnapshotAttribute.html) cmdlet.

For `-Attribute`, specify `CreateVolumePermission`. For `-OperationType`, specify `Add`. For `-GroupName`, specify `all`.

```
Edit-EC2SnapshotAttribute `
    -SnapshotId snap-0abcdef1234567890 `
    -Attribute CreateVolumePermission `
    -OperationType Add `
    -GroupName all
```

**To share a snapshot privately**  
Use the [Edit-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SnapshotAttribute.html) cmdlet.

For `-Attribute`, specify `CreateVolumePermission`. For `-OperationType`, specify `Add`. For `-UserId`, specify the 12-digit IDs of the AWS accounts with which to share the snapshots.

```
Edit-EC2SnapshotAttribute `
    -SnapshotId snap-0abcdef1234567890 `
    -Attribute CreateVolumePermission `
    -OperationType Add `
    -UserId 123456789012, 111122223333
```

------

# Share the KMS key used to encrypt a shared Amazon EBS snapshot
<a name="share-kms-key"></a>

When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot. You can apply cross-account permissions to a customer managed key either when it is created or at a later time.

Users of your shared customer managed key who are accessing encrypted snapshots must be granted permissions to perform the following actions on the key:
+ `kms:DescribeKey`
+ `kms:CreateGrant`
+ `kms:GenerateDataKey`
+ `kms:GenerateDataKeyWithoutPlaintext`
+ `kms:ReEncrypt`
+ `kms:Decrypt`

**Tip**  
To follow the principle of least privilege, do not allow full access to `kms:CreateGrant`. Instead, use the `kms:GrantIsForAWSResource` condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service.

For more information about controlling access to a customer managed key, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

**To share a customer managed key using the AWS KMS console**

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. Choose **Customer managed keys** in the navigation pane.

1. In the **Alias** column, choose the alias (text link) of the customer managed key that you used to encrypt the snapshot. The key details open in a new page.

1. In the **Key policy** section, you see either the *policy view* or the *default view*. The policy view displays the key policy document. The default view displays sections for **Key administrators**, **Key deletion**, **Key Use**, and **Other AWS accounts**. The default view displays if you created the policy in the console and have not customized it. If the default view is not available, you'll need to manually edit the policy in the policy view. For more information, see [Viewing a Key Policy (Console)](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-viewing.html#key-policy-viewing-console) in the *AWS Key Management Service Developer Guide*.

   Use either the policy view or the default view, depending on which view you can access, to add one or more AWS account IDs to the policy, as follows:
   + (Policy view) Choose **Edit**. Add one or more AWS account IDs to the following statements: `"Allow use of the key"` and `"Allow attachment of persistent resources"`. Choose **Save changes**. In the following example, the AWS account ID `444455556666` is added to the policy.

     ```
     {
       "Sid": "Allow use of the key",
       "Effect": "Allow",
       "Principal": {"AWS": [
         "arn:aws:iam::111122223333:user/KeyUser",
         "arn:aws:iam::444455556666:root"
       ]},
       "Action": [
         "kms:Encrypt",
         "kms:Decrypt",
         "kms:ReEncrypt*",
         "kms:GenerateDataKey*",
         "kms:DescribeKey"
       ],
       "Resource": "*"
     },
     {
       "Sid": "Allow attachment of persistent resources",
       "Effect": "Allow",
       "Principal": {"AWS": [
         "arn:aws:iam::111122223333:user/KeyUser",
         "arn:aws:iam::444455556666:root"
       ]},
       "Action": [
         "kms:CreateGrant",
         "kms:ListGrants",
         "kms:RevokeGrant"
       ],
       "Resource": "*",
       "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
     }
     ```
   + (Default view) Scroll down to **Other AWS accounts**. Choose **Add other AWS accounts** and enter the AWS account ID as prompted. To add another account, choose **Add another AWS account** and enter the AWS account ID. When you have added all AWS accounts, choose **Save changes**.
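The least-privilege tip above (restrict `kms:CreateGrant` with `kms:GrantIsForAWSResource`) can be checked against a key policy before you save it. The following Python sketch is an added example, not AWS code: the function names are hypothetical, and the sample policy is constructed from the statements shown above plus one deliberately over-broad statement.

```python
import fnmatch
import json

GRANT_ACTION = "kms:CreateGrant"
CONDITION_KEY = "kms:GrantIsForAWSResource"

# Constructed sample policy for a key owned by account 111122223333.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/KeyUser",
                           "arn:aws:iam::444455556666:root"]},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}},
    {"Sid": "Constructed over-broad statement", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": ["kms:Create*", "kms:Decrypt"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy JSON allows a single value wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_create_grant(statement):
    """True if an Allow statement's Action covers kms:CreateGrant, wildcards included."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(GRANT_ACTION.lower(), str(pattern).lower())
               for pattern in _as_list(statement.get("Action")))


def _limited_to_aws_services(statement):
    """True if the statement carries Bool kms:GrantIsForAWSResource = true."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in keys.items():
            if key.lower() == CONDITION_KEY.lower():
                values = _as_list(value)
                return bool(values) and all(str(v).lower() == "true" for v in values)
    return False


def _external_principals(statement, owner_account_id):
    """Principals that are not in the key owner's account ("*" counts as external)."""
    principal = statement.get("Principal", {})
    names = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
    external = []
    for name in names:
        parts = name.split(":")
        account = parts[4] if len(parts) > 4 else name  # ARN or bare account ID
        if account != owner_account_id:
            external.append(name)
    return external


def unrestricted_grant_statements(policy, owner_account_id):
    """Statements that let other accounts call kms:CreateGrant without the condition."""
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if not _allows_create_grant(statement) or _limited_to_aws_services(statement):
            continue
        external = _external_principals(statement, owner_account_id)
        if external:
            findings.append({"Sid": statement.get("Sid", "<no Sid>"),
                             "Principals": external})
    return findings


if __name__ == "__main__":
    for finding in unrestricted_grant_statements(SAMPLE_POLICY, "111122223333"):
        print(finding)
```

The check looks only at `Allow` statements in the key policy; it does not evaluate `Deny` statements or IAM policies in the other account.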

# Use Amazon EBS snapshots that are shared with you
<a name="view-shared-snapshot"></a>

**To use a shared unencrypted snapshot**  
Locate the shared snapshot by ID or description. You can use this snapshot as you would any other snapshot that you own in your account. For example, you can create a volume from the snapshot or copy it to a different Region.

**To use a shared encrypted snapshot**  
Locate the shared snapshot by ID or description. Create a copy of the shared snapshot in your account, and encrypt the copy with a KMS key that you own. You can then use the copy to create volumes or you can copy it to different Regions.

------
#### [ Console ]

**To view snapshot permissions**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot.

1. If the filter is **Owned by me**, the snapshot is owned by this account. If the filter is **Private snapshots**, the snapshot is either owned by this account or shared specifically with this account. Select a snapshot and on the **Details** tab, check whether **Owner** specifies this account or a different account.

------
#### [ AWS CLI ]

**To view snapshot permissions**  
Use the [describe-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshot-attribute.html) command to get the snapshot permissions of the specified snapshot.

```
aws ec2 describe-snapshot-attribute \
    --snapshot-id snap-0abcdef1234567890 \
    --attribute createVolumePermission
```

The following is example output.

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "CreateVolumePermissions": [
        {
            "UserId": "111122223333"
        }
    ]
}
```

------
#### [ PowerShell ]

**To view snapshot permissions**  
Use the [Get-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2SnapshotAttribute.html) cmdlet.

```
(Get-EC2SnapshotAttribute `
    -SnapshotId snap-0abcdef1234567890 `
    -Attribute createVolumePermission).CreateVolumePermissions
```

The following is example output.

```
Group UserId
----- ------
      111122223333
```

------
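The `createVolumePermission` output shown above can be reviewed in bulk to find snapshots that are public or shared with accounts you do not expect. The following Python sketch is an added example, not AWS code: the responses and the trusted-account allowlist are constructed, the function names are hypothetical, and a `{"Group": "all"}` entry is how public sharing appears in this attribute.

```python
import json

# Constructed sample: describe-snapshot-attribute responses for three snapshots.
SAMPLE_RESPONSES = json.loads("""
[
  {"SnapshotId": "snap-0abcdef1234567890",
   "CreateVolumePermissions": [{"UserId": "111122223333"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1",
   "CreateVolumePermissions": [{"Group": "all"}, {"UserId": "444455556666"}]},
  {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2",
   "CreateVolumePermissions": []}
]
""")

TRUSTED_ACCOUNTS = {"111122223333"}  # assumed allowlist of accounts you share with


def audit_snapshot(response, trusted_accounts):
    """Summarize who can create volumes from one snapshot."""
    public = False
    untrusted = []
    for permission in response.get("CreateVolumePermissions", []):
        if permission.get("Group") == "all":
            public = True  # shared with every AWS account
        account = permission.get("UserId")
        if account and account not in trusted_accounts:
            untrusted.append(account)
    return {"SnapshotId": response["SnapshotId"],
            "Public": public,
            "UntrustedAccounts": sorted(untrusted)}


def audit(responses, trusted_accounts):
    """Return findings only for snapshots that are public or shared too widely."""
    results = (audit_snapshot(r, trusted_accounts) for r in responses)
    return [r for r in results if r["Public"] or r["UntrustedAccounts"]]


def revoke_commands(finding):
    """Build modify-snapshot-attribute argument lists that remove the extra access."""
    base = ["aws", "ec2", "modify-snapshot-attribute",
            "--snapshot-id", finding["SnapshotId"],
            "--attribute", "createVolumePermission",
            "--operation-type", "remove"]
    commands = []
    if finding["Public"]:
        commands.append(base + ["--group-names", "all"])
    if finding["UntrustedAccounts"]:
        commands.append(base + ["--user-ids", *finding["UntrustedAccounts"]])
    return commands


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, TRUSTED_ACCOUNTS):
        print(finding)
        for command in revoke_commands(finding):
            print("  " + " ".join(command))
```

The commands are returned as argument lists for review rather than executed, so you can confirm each revocation before running it.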

## Determine the use of snapshots that you share
<a name="shared-snapshot-cloudtrail-logging"></a>

You can use AWS CloudTrail to monitor whether a snapshot that you have shared with others is copied or used to create a volume. The following events are logged in CloudTrail when an action is taken on a snapshot you have shared:
+ **SharedSnapshotCopyInitiated** — A shared snapshot is being copied.
+ **SharedSnapshotVolumeCreated** — A shared snapshot is being used to create a volume.

For more information about using CloudTrail, see [Log Amazon EC2 and Amazon EBS API calls with AWS CloudTrail](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html).

# Archive Amazon EBS snapshots
<a name="snapshot-archive"></a>

Amazon EBS Snapshots Archive is a storage tier that you can use for low-cost, long-term storage of your rarely-accessed snapshots that do not need frequent or fast retrieval.

By default, when you create a snapshot, it is stored in the Amazon EBS Snapshot Standard tier (*standard tier*). Snapshots stored in the standard tier are incremental. This means that only the blocks on the volume that have changed after your most recent snapshot are saved.

When you archive a snapshot, the incremental snapshot is converted to a full snapshot, and it is moved from the standard tier to the Amazon EBS Snapshots Archive tier (*archive tier*). Full snapshots include all of the blocks that were written to the volume at the time when the snapshot was created.

When you need to access an archived snapshot, you can restore it from the archive tier to the standard tier, and then use it in the same way that you use any other snapshot in your account.

Amazon EBS Snapshots Archive offers up to 75 percent lower snapshot storage costs for snapshots that you plan to store for 90 days or longer and that you rarely need to access.

Some typical use cases include:
+ Archiving the only snapshot of a volume, such as end-of-project snapshots.
+ Archiving full, point-in-time incremental snapshots for compliance reasons.
+ Archiving monthly, quarterly, or yearly incremental snapshots.

**Topics**
+ [Quotas](#archive-quotas)
+ [Considerations and limitations](snapshot-archive-considerations.md)
+ [Pricing and billing](snapshot-archive-pricing.md)
+ [Guidelines and best practices](archiving-guidelines.md)
+ [Required permissions](snapshot-archiving-iam.md)
+ [Archive a snapshot](archive-snapshot.md)
+ [Restore an archived snapshot](restore-archived-snapshot.md)
+ [Modify the restore period](modify-temp-restore-period.md)
+ [View archived snapshots](view-archived-snapshot.md)
+ [Monitor snapshot archiving](monitor-snapshot-archiving.md)

## Quotas
<a name="archive-quotas"></a>

This section describes the default quotas for archived and in-progress snapshots. 


| Quota | Default quota | 
| --- | --- | 
| Archived snapshots per volume | 25 | 
| Concurrent in-progress snapshot archives per account | 25 | 
| Concurrent in-progress snapshot restores per account | 5 | 

If you need more than the default limits, complete the Support Center [Create case](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase&limitType=service-code-ebs) form to request a limit increase. 

# Considerations and limitations for archiving Amazon EBS snapshots
<a name="snapshot-archive-considerations"></a>

Keep the following in mind when archiving Amazon EBS snapshots.

**Considerations**
+ The minimum archive period is 90 days. If you delete or permanently restore an archived snapshot before the minimum archive period of 90 days, you are billed for remaining days in the archive tier, rounded to the nearest hour. For more information, see [Pricing and billing for archiving Amazon EBS snapshots](snapshot-archive-pricing.md).
+ It can take up to 72 hours to restore an archived snapshot from the archive tier to the standard tier, depending on the size of the snapshot.
+ Archived snapshots are always full snapshots. A full snapshot contains all the blocks written to the volume at the time the snapshot was created. The full snapshot will likely be larger than the incremental snapshot from which it was created. However, if you have only one snapshot of a volume on the standard tier, the size of the full snapshot in the archive tier will be the same size as the snapshot in the standard tier. This is because the first snapshot taken of a volume is always a full snapshot. To get the full snapshot size, use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) AWS CLI command.
+ Archiving is recommended for monthly, quarterly, or yearly snapshots. Archiving daily incremental snapshots of a single volume can lead to higher costs when compared to keeping them in the standard tier.
+ When a snapshot is archived, the data of the snapshot that is referenced by other snapshots in the snapshot lineage is retained in the standard tier. Data and storage costs associated with the referenced data that is retained on the standard tier are allocated to the next snapshot in the lineage. This ensures that subsequent snapshots in the lineage are not affected by the archival.
+ If you delete an archived snapshot that matches a Recycle Bin retention rule, the archived snapshot is retained in the Recycle Bin for the retention period defined in the retention rule. To use the snapshot, you must first recover it from the Recycle Bin and then restore it from the archive tier. For more information, see [Recycle Bin](recycle-bin.md) and [Pricing and billing for archiving Amazon EBS snapshots](snapshot-archive-pricing.md).
+ You can't use an archived snapshot in a block device mapping or to create an Amazon EBS volume.
+ You can archive snapshots created by AWS Backup using the AWS Backup console, APIs, or command line tools. For more information, see [Creating a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html) in the *AWS Backup Developer Guide*.

**Limitations**
+ You can archive snapshots that are in the `completed` state only.
+ You can archive only snapshots that you own in your account. To archive a snapshot that is shared with you, first copy the snapshot to your account and then archive the snapshot copy.
+ Before you can use an archived snapshot, you must first restore it to the standard tier. Restoring to the standard tier is required to create a volume from the snapshot through the `CreateVolume` and `RunInstances` API operations as well as to share or copy a snapshot. For more information, see [Restore an archived Amazon EBS snapshot](restore-archived-snapshot.md).
+ You can archive a snapshot that is associated with one or more AMIs only if all of the associated AMIs are disabled. For more information, see [Disable an AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disable-an-ami.html).
+ You can't enable a disabled AMI if the associated snapshots are temporarily restored. All of the associated snapshots must be permanently restored before you can enable the AMI.
+ You can't cancel the snapshot archive or snapshot restore process after it has been started.
+ You can't share archived snapshots. If you archive a snapshot that you have shared with other accounts, the accounts with which the snapshot is shared lose access after the snapshot is archived.
+ You can't copy an archived snapshot. If you need to copy an archived snapshot, you must first restore it.
+ You can't enable fast snapshot restore for an archived snapshot. Fast snapshot restore is automatically disabled when a snapshot is archived. If you need to use fast snapshot restore, you must manually enable it after restoring the snapshot.

# Pricing and billing for archiving Amazon EBS snapshots
<a name="snapshot-archive-pricing"></a>

Archived snapshots are billed at a rate of \$0.0125 per GB-month. For example, if you archive a 100 GiB snapshot, you are billed \$1.25 (100 GiB \* \$0.0125) per month.

Snapshot restores are billed at a rate of \$0.03 per GB of data restored. For example, if you restore a 100 GiB snapshot from the archive tier, you are billed one time for \$3 (100 GiB \* \$0.03).

After the snapshot is restored to the standard tier, the snapshot is billed at the standard rate for snapshots of \$0.05 per GB-month.

For more information, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).

**Billing for the minimum archive period**  
The minimum archive period is 90 days. If you delete or permanently restore an archived snapshot before the minimum archive period of 90 days, you are billed a pro-rated charge equal to the archive tier storage charge for the remaining days, rounded to the nearest hour. For example, if you delete or permanently restore an archived snapshot after 40 days, you are billed for the remaining 50 days of the minimum archive period.

**Note**  
Temporarily restoring an archived snapshot before the minimum archive period of 90 days does not incur this charge.

**Temporary restores**  
When you temporarily restore a snapshot, the snapshot is restored from the archive tier to the standard tier, and a copy of the snapshot remains in the archive tier. You are billed for both the snapshot in the standard tier and the snapshot copy in the archive tier for the duration of the temporary restore period. When the temporarily restored snapshot is removed from the standard tier, you are no longer billed for it, and you are billed for the snapshot in the archive tier only.

**Permanent restores**  
When you permanently restore a snapshot, the snapshot is restored from the archive tier to the standard tier, and the snapshot is deleted from the archive tier. You are billed for the snapshot in the standard tier only.

**Deleting snapshots**  
If you delete a snapshot while it is being archived, you are billed for the snapshot data that has already been moved to the archive tier. This data is subject to the minimum archive period of 90 days and billed accordingly upon deletion. For example, if you archive a 100 GiB snapshot, and you delete the snapshot after only 40 GiB has been archived, you are billed \$1.50 for the minimum archive period of 90 days for the 40 GiB that has already been archived (\$0.0125 per GB-month \* 40 GB \* (90 days \* 24 hours) / (24 hours/day \* 30-day month)).

If you delete a snapshot while it is being restored from the archive tier, you are billed for the snapshot restore for the full size of the snapshot (snapshot size \* \$0.03). For example, if you restore a 100 GiB snapshot from the archive tier, and you delete the snapshot at any point before the snapshot restore completes, you are billed \$3 (100 GiB snapshot size \* \$0.03).

**Recycle Bin**  
Archived snapshots are billed at the rate for archived snapshots while they are in the Recycle Bin. Archived snapshots that are in the Recycle Bin are subject to the minimum archive period of 90 days and they are billed accordingly if they are deleted by Recycle Bin before the minimum archive period. In other words, if a retention rule deletes an archived snapshot from the Recycle Bin before the minimum period of 90 days, you are billed for the remaining days.

If you delete a snapshot that matches a retention rule while the snapshot is being archived, the archived snapshot is retained in the Recycle Bin for the retention period defined in the retention rule. It is billed at the rate for archived snapshots.

If you delete a snapshot that matches a retention rule while the snapshot is being restored, the restored snapshot is retained in the Recycle Bin for the remainder of the retention period, and billed at the standard snapshot rate. To use the restored snapshot, you must first recover it from the Recycle Bin.

For more information, see [Recycle Bin](recycle-bin.md).

**Cost tracking**  
Archived snapshots appear in the AWS Cost and Usage Report with their same resource ID and Amazon Resource Name (ARN). For more information, see the [AWS Cost and Usage Report User Guide](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html).

You can use the following usage types to identify the associated costs:
+ `SnapshotArchiveStorage` — fee for monthly data storage
+ `SnapshotArchiveRetrieval` — one-time fee for snapshot restores
+ `SnapshotArchiveEarlyDelete` — fee for deleting or permanently restoring a snapshot before the minimum archive period (90 days)

# Guidelines and best practices for archiving Amazon EBS snapshots
<a name="archiving-guidelines"></a>

This section provides some guidelines and best practices for archiving snapshots.

**Topics**
+ [Archiving the only snapshot of a volume](#guidelines-single-snapshot)
+ [Archiving incremental snapshots of a single volume](#guidelines-incremental-snapshot)
+ [Archiving full snapshots for compliance reasons](#guidelines-full-snapshot)
+ [Determining the reduction in standard tier storage costs](#archive-guidelines)

## Archiving the only snapshot of a volume
<a name="guidelines-single-snapshot"></a>

When you have only one snapshot of a volume, the snapshot is always the same size as the blocks written to the volume at the time the snapshot was created. When you archive such a snapshot, the snapshot in the standard tier is converted to an equivalent-sized full snapshot and it is moved from the standard tier to the archive tier.

Archiving these snapshots can lower your storage costs. If you no longer need the source volume, you can delete the volume for further storage cost savings.

![\[Creating a snapshot, archiving it, and then deleting the source volume.\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/archive-single-snap.png)


## Archiving incremental snapshots of a single volume
<a name="guidelines-incremental-snapshot"></a>

When you archive an incremental snapshot, the snapshot is converted to a full snapshot and it is moved to the archive tier. For example, in the following image, if you archive **Snap B**, the snapshot is converted to a full snapshot that is 10 GiB in size and moved to the archive tier. Similarly, if you archive **Snap C**, the size of the full snapshot in the archive tier is 14 GiB.

![\[Archiving incremental snapshots of a volume.\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot_1e.png)


If you are archiving snapshots to reduce your storage costs in the standard tier, you should not archive the first snapshot in a set of incremental snapshots. These snapshots are referenced by subsequent snapshots in the snapshot lineage. In most cases, archiving these snapshots will not reduce storage costs.

**Note**  
You should not archive the last snapshot in a set of incremental snapshots. The last snapshot is the most recent snapshot taken of a volume. You will need this snapshot in the standard tier if you want to create volumes from it in the case of a volume corruption or loss.

If you archive a snapshot that contains data that is referenced by a later snapshot in the lineage, the data storage and storage costs associated with the referenced data are allocated to the later snapshot in the lineage. In this case, archiving the snapshot will not reduce data storage or storage costs. For example, in the preceding image, if you archive **Snap B**, its 4 GiB of data is attributed to **Snap C**. In this case, your overall storage costs will increase because you incur storage costs for the full version of **Snap B** in the archive tier, and your storage costs for the standard tier remain unchanged.

If you archive **Snap C**, your standard tier storage will decrease by 4 GiB because the data is not referenced by any other snapshots later in the lineage. And your archive tier storage will increase by 14 GiB because the snapshot is converted to a full snapshot.

## Archiving full snapshots for compliance reasons
<a name="guidelines-full-snapshot"></a>

You might need to create full backups of volumes on a monthly, quarterly, or yearly basis for compliance reasons. For these backups, you might need standalone snapshots without backward or forward references to other snapshots in the snapshot lineage. Snapshots archived with EBS Snapshots Archive are full snapshots, and they do not have any references to other snapshots in the lineage. Additionally, you will likely need to retain these snapshots for compliance reasons for several years. EBS Snapshots Archive makes it cost-effective to archive these full snapshots for long-term retention.

## Determining the reduction in standard tier storage costs
<a name="archive-guidelines"></a>

If you want to archive an incremental snapshot to reduce your storage costs, you should consider the size of the full snapshot in the archive tier and the reduction in storage in the standard tier. This section explains how to do this.

**Important**  
The API responses are accurate as of the point in time when the APIs are called. API responses can differ as the data associated with a snapshot changes as a result of changes in the snapshot lineage.

To determine the reduction in storage and storage costs in the standard tier, use the following steps.

1. For the snapshot that you want to archive, check the full snapshot size and the source volume from which it was created. Use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command, and for `--snapshot-id`, specify the ID of the snapshot that you want to archive.

   ```
   $ aws ec2 describe-snapshots --snapshot-id snapshot_id
   ```

   The `FullSnapshotSizeInBytes` response value indicates the full snapshot size, in bytes, and the `VolumeId` response value indicates the ID of the source volume.

   For example, the following command returns information about snapshot `snap-09c9114207084f0d9`.

   ```
   $ aws ec2 describe-snapshots --snapshot-id snap-09c9114207084f0d9
   ```

   The following example output shows that the full snapshot size is `5678912341` bytes (5.28 GiB), and the source volume is `vol-0f3e2c292c52b85c3`.

   ```
   {
       "Snapshots": [
           {
               "Description": "", 
               "Tags": [], 
               "Encrypted": false, 
               "VolumeId": "vol-0f3e2c292c52b85c3",
               "State": "completed", 
               "VolumeSize": 8, 
               "StartTime": "2021-11-16T08:29:49.840Z", 
               "Progress": "100%", 
               "OwnerId": "123456789012", 
               "FullSnapshotSizeInBytes" : "5678912341",
               "SnapshotId": "snap-09c9114207084f0d9"
           }
       ]
   }
   ```

1. Find all of the snapshots created from the source volume. Use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command. Specify the `volume-id` filter, and for the filter value, specify the volume ID from the previous step.

   ```
   $ aws ec2 describe-snapshots --filters "Name=volume-id, Values=volume_id"
   ```

   For example, the following command returns all snapshots created from volume `vol-0f3e2c292c52b85c3`.

   ```
   $ aws ec2 describe-snapshots --filters "Name=volume-id, Values=vol-0f3e2c292c52b85c3"
   ```

   The following is the command output, which indicates that three snapshots were created from volume `vol-0f3e2c292c52b85c3`.

   ```
   {
       "Snapshots": [
           {
               "Description": "", 
               "Tags": [], 
               "Encrypted": false, 
               "VolumeId": "vol-0f3e2c292c52b85c3", 
               "State": "completed", 
               "VolumeSize": 8, 
               "StartTime": "2021-11-14T08:57:39.300Z",
               "Progress": "100%", 
               "OwnerId": "123456789012", 
               "SnapshotId": "snap-08ca60083f86816b0"
           }, 
           {
               "Description": "", 
               "Tags": [], 
               "Encrypted": false, 
               "VolumeId": "vol-0f3e2c292c52b85c3", 
               "State": "completed", 
               "VolumeSize": 8, 
               "StartTime": "2021-11-15T08:29:49.840Z", 
               "Progress": "100%", 
               "OwnerId": "123456789012", 
               "SnapshotId": "snap-09c9114207084f0d9"
           }, 
           {
               "Description": "01", 
               "Tags": [], 
               "Encrypted": false, 
               "VolumeId": "vol-0f3e2c292c52b85c3", 
               "State": "completed", 
               "VolumeSize": 8, 
               "StartTime": "2021-11-16T07:50:08.042Z", 
               "Progress": "100%", 
               "OwnerId": "123456789012", 
               "SnapshotId": "snap-024f49fe8dd853fa8"
           }
       ]
   }
   ```

1. Using the output from the previous command, sort the snapshots by their creation times, from oldest to newest. The `StartTime` response parameter for each snapshot indicates its creation time, in UTC time format.

   For example, the snapshots returned in the previous step, arranged by creation time from oldest to newest, are as follows:

   1. `snap-08ca60083f86816b0` (oldest – created before the snapshot that you want to archive)

   1. `snap-09c9114207084f0d9` (the snapshot to archive)

   1. `snap-024f49fe8dd853fa8` (newest – created after the snapshot that you want to archive)

1. Identify the snapshots that were created immediately before and after the snapshot that you want to archive. In this case, you want to archive snapshot `snap-09c9114207084f0d9`, which was the second incremental snapshot created in the set of three snapshots. Snapshot `snap-08ca60083f86816b0` was created immediately before, and snapshot `snap-024f49fe8dd853fa8` was created immediately after.

1. Find the unreferenced data in the snapshot that you want to archive. First, find the blocks that are different between the snapshot that was created immediately before the snapshot that you want to archive, and the snapshot that you want to archive. Use the [list-changed-blocks](https://docs.aws.amazon.com/cli/latest/reference/ebs/list-changed-blocks.html) command. For `--first-snapshot-id`, specify the ID of the snapshot that was created immediately before the snapshot that you want to archive. For `--second-snapshot-id`, specify the ID of the snapshot that you want to archive.

   ```
   $ aws ebs list-changed-blocks --first-snapshot-id snapshot_created_before --second-snapshot-id snapshot_to_archive
   ```

   For example, the following command shows the block indexes for the blocks that are different between snapshot `snap-08ca60083f86816b0` (the snapshot created before the snapshot you want to archive), and snapshot `snap-09c9114207084f0d9` (the snapshot you want to archive).

   ```
   $ aws ebs list-changed-blocks --first-snapshot-id snap-08ca60083f86816b0 --second-snapshot-id snap-09c9114207084f0d9
   ```

   The following shows the command output, with some blocks omitted.

   ```
   {
       "BlockSize": 524288, 
       "ChangedBlocks": [
           {
               "FirstBlockToken": "ABgBAX6y+WH6Rm9y5zq1VyeTCmEzGmTT0jNZG1cDirFq1rOVeFbWXsH3W4z/", 
               "SecondBlockToken": "ABgBASyx0bHHBnTERu+9USLxYK/81UT0dbHIUFqUjQUkwTwK5qkjP8NSGyNB", 
               "BlockIndex": 4
           }, 
           {
               "FirstBlockToken": "ABgBAcfL+EfmQmlNgstqrFnYgsAxR4SDSO4LkNLYOOChGBWcfJnpn90E9XX1", 
               "SecondBlockToken": "ABgBAdX0mtX6aBAt3EBy+8jFCESMpig7csKjbO2Ocd08m2iNJV2Ue+cRwUqF", 
               "BlockIndex": 5
           }, 
           {
               "FirstBlockToken": "ABgBAVBaFJmbP/eRHGh7vnJlAwyiyNUi3MKZmEMxs2wC3AmM/fc6yCOAMb65", 
               "SecondBlockToken": "ABgBAdewWkHKTcrhZmsfM7GbaHyXD1Ctcn2nppz4wYItZRmAo1M72fpXU0Yv", 
               "BlockIndex": 13
           }, 
           {
               "FirstBlockToken": "ABgBAQGxwuf6z095L6DpRoVRVnOqPxmx9r7Wf6O+i+ltZ0dwPpGN39ijztLn", 
               "SecondBlockToken": "ABgBAUdlitCVI7c6hGsT4ckkKCw6bMRclnV+bKjViu/9UESTcW7CD9w4J2td", 
               "BlockIndex": 14
           }, 
           {
               "FirstBlockToken": "ABgBAZBfEv4EHS1aSXTXxSE3mBZG6CNeIkwxpljzmgSHICGlFmZCyJXzE4r3", 
               "SecondBlockToken": "ABgBAVWR7QuQQB0AP2TtmNkgS4Aec5KAQVCldnpc91zBiNmSfW9ouIlbeXWy", 
               "BlockIndex": 15
           },
           .....
           {
               "SecondBlockToken": "ABgBAeHwXPL+z3DBLjDhwjdAM9+CPGV5VO5Q3rEEA+ku50P498hjnTAgMhLG", 
               "BlockIndex": 13171
           }, 
           {
               "SecondBlockToken": "ABgBAbZcPiVtLx6U3Fb4lAjRdrkJMwW5M2tiCgIp6ZZpcZ8AwXxkjVUUHADq", 
               "BlockIndex": 13172
           }, 
           {
               "SecondBlockToken": "ABgBAVmEd/pQ9VW9hWiOujOAKcauOnUFCO+eZ5ASVdWLXWWC04ijfoDTpTVZ", 
               "BlockIndex": 13173
           }, 
           {
               "SecondBlockToken": "ABgBAT/jeN7w+8ALuNdaiwXmsSfM6tOvMoLBLJ14LKvavw4IiB1d0iykWe6b", 
               "BlockIndex": 13174
           }, 
           {
               "SecondBlockToken": "ABgBAXtGvUhTjjUqkwKXfXzyR2GpQei/+pJSG/19ESwvt7Hd8GHaUqVs6Zf3", 
               "BlockIndex": 13175
           }
       ], 
       "ExpiryTime": 1637648751.813, 
       "VolumeSize": 8
   }
   ```

   Next, use the same command to find blocks that are different between the snapshot that you want to archive and the snapshot that was created immediately after it. For `--first-snapshot-id`, specify the ID of the snapshot that you want to archive. For `--second-snapshot-id`, specify the ID of the snapshot that was created immediately after the snapshot that you want to archive.

   ```
   $ aws ebs list-changed-blocks --first-snapshot-id snapshot_to_archive --second-snapshot-id snapshot_created_after
   ```

   For example, the following command shows the block indexes of the blocks that are different between snapshot `snap-09c9114207084f0d9` (the snapshot that you want to archive) and snapshot `snap-024f49fe8dd853fa8` (the snapshot created after the snapshot that you want to archive).

   ```
   $ aws ebs list-changed-blocks --first-snapshot-id snap-09c9114207084f0d9 --second-snapshot-id snap-024f49fe8dd853fa8
   ```

   The following shows the command output, with some blocks omitted.

   ```
   {
       "BlockSize": 524288, 
       "ChangedBlocks": [
           {
               "FirstBlockToken": "ABgBAVax0bHHBnTERu+9USLxYK/81UT0dbSnkDk0gqwRFSFGWA7HYbkkAy5Y", 
               "SecondBlockToken": "ABgBASEvi9x8Om7Htp37cKG2NT9XUzEbLHpGcayelomSoHpGy8LGyvG0yYfK", 
               "BlockIndex": 4
           }, 
           {
               "FirstBlockToken": "ABgBAeL0mtX6aBAt3EBy+8jFCESMpig7csfMrI4ufnQJT3XBm/pwJZ1n2Uec", 
               "SecondBlockToken": "ABgBAXmUTg6rAI+v0LvekshbxCVpJjWILvxgC0AG0GQBEUNRVHkNABBwXLkO", 
               "BlockIndex": 5
           }, 
           {
               "FirstBlockToken": "ABgBATKwWkHKTcrhZmsfM7GbaHyXD1CtcnjIZv9YzisYsQTMHfTfh4AhS0s2", 
               "SecondBlockToken": "ABgBAcmiPFovWgXQio+VBrxOqGy4PKZ9SAAHaZ2HQBM9fQQU0+EXxQjVGv37", 
               "BlockIndex": 13
           }, 
           {
               "FirstBlockToken": "ABgBAbRlitCVI7c6hGsT4ckkKCw6bMRclnARrMt1hUbIhFnfz8kmUaZOP2ZE", 
               "SecondBlockToken": "ABgBAXe935n544+rxhJ0INB8q7pAeoPZkkD27vkspE/qKyvOwpozYII6UNCT", 
               "BlockIndex": 14
           }, 
           {
               "FirstBlockToken": "ABgBAd+yxCO26I+1Nm2KmuKfrhjCkuaP6LXuol3opCNk6+XRGcct4suBHje1", 
               "SecondBlockToken": "ABgBAcPpnXz821NtTvWBPTz8uUFXnS8jXubvghEjZulIjHgc+7saWys77shb", 
               "BlockIndex": 18
           },
           .....
           {
               "SecondBlockToken": "ABgBATni4sDE5rS8/a9pqV03lU/lKCW+CTxFl3cQ5p2f2h1njpuUiGbqKGUa", 
               "BlockIndex": 13190
           }, 
           {
               "SecondBlockToken": "ABgBARbXo7zFhu7IEQ/9VMYFCTCtCuQ+iSlWVpBIshmeyeS5FD/M0i64U+a9", 
               "BlockIndex": 13191
           }, 
           {
               "SecondBlockToken": "ABgBAZ8DhMk+rROXa4dZlNK45rMYnVIGGSyTeiMli/sp/JXUVZKJ9sMKIsGF", 
               "BlockIndex": 13192
           }, 
           {
               "SecondBlockToken": "ABgBATh6MBVE904l6sqOC27s1nVntFUpDwiMcRWGyJHy8sIgGL5yuYXHAVty", 
               "BlockIndex": 13193
           }, 
           {
               "SecondBlockToken": "ABgBARuZykaFBWpCWrJPXaPCneQMbyVgnITJqj4c1kJWPIj5Gn61OQyy+giN", 
               "BlockIndex": 13194
           }
       ], 
       "ExpiryTime": 1637692677.286, 
       "VolumeSize": 8
   }
   ```

1. Compare the output returned by both commands in the previous step. If the same block index appears in both command outputs, it indicates that the block contains unreferenced data.

   For example, the command output in the previous step indicates that blocks 4, 5, 13, and 14 are unique to snapshot `snap-09c9114207084f0d9` and that they are not referenced by any other snapshots in the snapshot lineage.

   To determine the reduction in standard tier storage, multiply the number of blocks that appear in both command outputs by 512 KiB, which is the snapshot block size.

   For example, if 9,950 block indexes appear in both command outputs, it indicates that you will decrease standard tier storage by around 4.85 GiB (9,950 blocks \* 512 KiB = 4.85 GiB).

1. Determine the storage costs for storing the unreferenced blocks in the standard tier for 90 days. Compare this value with the cost of storing the full snapshot, described in step 1, in the archive tier. You can determine your costs savings by comparing the values, assuming that you do not restore the full snapshot from the archive tier during the minimum 90-day period. For more information, see [Pricing and billing for archiving Amazon EBS snapshots](snapshot-archive-pricing.md).
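
The seven steps above, worked end to end in Python on already-parsed CLI output. This is an added example, not part of the AWS documentation: the function names are hypothetical, the sample inputs are constructed from the snapshot IDs and block indexes shown above (block tokens omitted), and the default rates are the per GB-month figures from the pricing section, with GiB treated as GB as in that section's examples.

```python
"""Estimate the standard-tier reduction from archiving one snapshot in a lineage."""
from datetime import datetime

GIB = 1024 ** 3


def start_time(snapshot):
    # StartTime is UTC ISO 8601 ending in "Z"; fromisoformat() wants an offset.
    return datetime.fromisoformat(snapshot["StartTime"].replace("Z", "+00:00"))


def neighbours(snapshots, target_id):
    """Steps 3-4: IDs of the snapshots created just before and just after."""
    ids = [s["SnapshotId"] for s in sorted(snapshots, key=start_time)]
    i = ids.index(target_id)  # raises ValueError if the target is not listed
    if i == 0 or i == len(ids) - 1:
        # The guidelines above advise against archiving the first or last
        # snapshot of a lineage, and one of the two diffs would not exist.
        raise ValueError(f"{target_id} is the first or last snapshot in the lineage")
    return ids[i - 1], ids[i + 1]


def unreferenced_blocks(diff_before, diff_after):
    """Steps 5-6: block indexes that appear in both list-changed-blocks outputs.

    Both arguments must be complete outputs (all pages of ChangedBlocks).
    """
    if diff_before["BlockSize"] != diff_after["BlockSize"]:
        raise ValueError("block sizes differ between the two outputs")
    before = {b["BlockIndex"] for b in diff_before["ChangedBlocks"]}
    after = {b["BlockIndex"] for b in diff_after["ChangedBlocks"]}
    return before & after


def ninety_day_costs(block_count, block_size, full_snapshot_bytes,
                     standard_rate=0.05, archive_rate=0.0125):
    """Step 7: 90 days of standard-tier cost for the freed blocks versus
    90 days of archive-tier cost for the full snapshot, in USD."""
    months = 90 / 30  # minimum archive period expressed in 30-day months
    freed_gib = block_count * block_size / GIB
    # FullSnapshotSizeInBytes is a quoted string in the sample output above.
    full_gib = int(full_snapshot_bytes) / GIB
    standard_cost = freed_gib * standard_rate * months
    archive_cost = full_gib * archive_rate * months
    return {
        "freed_gib": freed_gib,
        "full_gib": full_gib,
        "standard_cost": standard_cost,
        "archive_cost": archive_cost,
        "saving": standard_cost - archive_cost,  # negative: archiving costs more
    }


# --- Constructed sample input, mirroring the outputs shown in the steps ---
SNAPSHOTS = [  # deliberately not in creation order
    {"SnapshotId": "snap-024f49fe8dd853fa8", "StartTime": "2021-11-16T07:50:08.042Z"},
    {"SnapshotId": "snap-08ca60083f86816b0", "StartTime": "2021-11-14T08:57:39.300Z"},
    {"SnapshotId": "snap-09c9114207084f0d9", "StartTime": "2021-11-15T08:29:49.840Z"},
]
DIFF_BEFORE = {  # previous snapshot -> snapshot to archive
    "BlockSize": 524288,
    "ChangedBlocks": [{"BlockIndex": i} for i in
                      (4, 5, 13, 14, 15, 13171, 13172, 13173, 13174, 13175)],
}
DIFF_AFTER = {  # snapshot to archive -> next snapshot
    "BlockSize": 524288,
    "ChangedBlocks": [{"BlockIndex": i} for i in
                      (4, 5, 13, 14, 18, 13190, 13191, 13192, 13193, 13194)],
}

if __name__ == "__main__":
    target = "snap-09c9114207084f0d9"
    prev_id, next_id = neighbours(SNAPSHOTS, target)
    print(f"diff 1: {prev_id} -> {target}")
    print(f"diff 2: {target} -> {next_id}")

    shared = unreferenced_blocks(DIFF_BEFORE, DIFF_AFTER)
    print("unreferenced block indexes in the sample:", sorted(shared))

    # The page's own figures: 9,950 unreferenced blocks, 5678912341-byte full snapshot.
    result = ninety_day_costs(9950, DIFF_BEFORE["BlockSize"], "5678912341")
    for key, value in result.items():
        print(f"{key}: {value:.4f}")
```

A negative `saving` means the full copy in the archive tier costs more over the 90-day minimum than the blocks it frees in the standard tier, which is the **Snap B** case described earlier.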

# Required IAM permissions for archiving Amazon EBS snapshots
<a name="snapshot-archiving-iam"></a>

By default, users don't have permission to use snapshot archiving. To allow users to use snapshot archiving, you must create IAM policies that grant permission to use specific resources and API actions. For more information, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the IAM User Guide.

To use snapshot archiving, users need the following permissions.
+ `ec2:DescribeSnapshotTierStatus`
+ `ec2:ModifySnapshotTier`
+ `ec2:RestoreSnapshotTier`

Console users might need additional permissions such as `ec2:DescribeSnapshots`.

To archive and restore encrypted snapshots, the following additional AWS KMS permissions are required.
+ `kms:CreateGrant`
+ `kms:Decrypt`
+ `kms:DescribeKey`

The following is an example IAM policy that gives IAM users permission to archive, restore, and view encrypted and unencrypted snapshots. It includes the `ec2:DescribeSnapshots` permission for console users. If some permissions are not needed, you can remove them from the policy.

**Tip**  
To follow the principle of least privilege, do not allow full access to `kms:CreateGrant`. Instead, use the `kms:GrantIsForAWSResource` condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service, as shown in the following example.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotTierStatus",
                "ec2:ModifySnapshotTier",
                "ec2:RestoreSnapshotTier",
                "ec2:DescribeSnapshots",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
```

------

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Archive an Amazon EBS snapshot
<a name="archive-snapshot"></a>

You can archive any snapshot that is in the `completed` state and that you own in your account. You can't archive snapshots that are in the `pending` or `error` states, or snapshots that are shared with you. For more information, see [Considerations and limitations for archiving Amazon EBS snapshots](snapshot-archive-considerations.md).

If the snapshot is associated with one or more AMIs, then you must first disable those associated AMIs before you can archive the snapshot. For more information, see [Disable an AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disable-an-ami.html).

Archived snapshots retain their snapshot ID, encryption status, AWS Identity and Access Management (IAM) permissions, owner information, and resource tags. However, fast snapshot restore and snapshot sharing are automatically disabled after the snapshot is archived.

You can continue to use the snapshot while the archive is in progress. As soon as the snapshot tiering status reaches the `archival-complete` state, you can no longer use the snapshot.

------
#### [ Console ]

**To archive a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. In the list of snapshots, select the snapshot to archive and then choose **Actions**, **Archive snapshot**.

1. To confirm, choose **Archive snapshot**.

------
#### [ AWS CLI ]

**To archive a snapshot**  
Use the [modify-snapshot-tier](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-tier.html) AWS CLI command. For `--snapshot-id`, specify the ID of the snapshot to archive. For `--storage-tier`, specify `archive`.

```
aws ec2 modify-snapshot-tier \
    --snapshot-id snap-0abcdef1234567890 \
    --storage-tier archive
```

The following is example output. The `TieringStartTime` response parameter indicates the date and time at which the archive process was started, in UTC time format (YYYY-MM-DDTHH:MM:SSZ).

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "TieringStartTime": "2021-09-15T16:44:37.574Z"
}
```

------
#### [ PowerShell ]

**To archive a snapshot**  
Use the [Edit-EC2SnapshotTier](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SnapshotTier.html) cmdlet. The following example archives the specified snapshot.

```
Edit-EC2SnapshotTier `
    -SnapshotId snap-0abcdef1234567890 `
    -StorageTier "archive"
```

------

# Restore an archived Amazon EBS snapshot
<a name="restore-archived-snapshot"></a>

Before you can use an archived snapshot, you must first restore it to the standard tier. The restored snapshot has the same snapshot ID, encryption status, IAM permissions, owner information, and resource tags that it had before it was archived. After it is restored, you can use it in the same way that you use any other snapshot in your account. The restored snapshot is always a full snapshot.

When you restore a snapshot, you can choose to restore it **permanently** or **temporarily**.

If you restore a snapshot permanently, the snapshot is moved from the archive tier to the standard tier permanently. The snapshot remains restored and ready for use until you manually re-archive it or you manually delete it. When you permanently restore a snapshot, the snapshot is removed from the archive tier.

If you restore a snapshot temporarily, the snapshot is copied from the archive tier to the standard tier for a restore period that you specify. The snapshot remains restored and ready for use for the restore period only. During the restore period, a copy of the snapshot remains in the archive tier. After the period expires, the snapshot is automatically removed from the standard tier. You can increase or decrease the restore period or change the restore type to permanent at any time during the restore period. For more information, see [Modify the restore period for a temporarily restored Amazon EBS snapshot](modify-temp-restore-period.md).

If you are restoring snapshots that are associated with a disabled AMI, and you intend to use that AMI, you must first **permanently restore** all of the associated snapshots and then [re-enable a disabled AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disable-an-ami.html#re-enable-a-disabled-ami) before you can use it. You can't enable an AMI if the associated snapshots are temporarily restored. You can use the following command to find all of the snapshots associated with an AMI.

```
aws ec2 describe-images --image-ids ami_id \
  --query 'Images[*].BlockDeviceMappings[*].Ebs[].SnapshotId[]'
```

------
#### [ Console ]

**To restore a snapshot from the archive**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. In the list of snapshots, select the archived snapshot to restore, and then choose **Actions**, **Restore snapshot from archive**.

1. Specify the type of restore to perform. For **Restore type**, do one of the following:
   + To restore the snapshot permanently, select **Permanent**.
   + To restore the snapshot temporarily, select **Temporary**, and then for **Temporary restore period**, enter the number of days for which to restore the snapshot.

1. To confirm, choose **Restore snapshot**.

------
#### [ AWS CLI ]

**To permanently restore an archived snapshot**  
Use the [restore-snapshot-tier](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-snapshot-tier.html) AWS CLI command with the `--permanent-restore` option. For `--snapshot-id`, specify the ID of the snapshot to restore.

```
aws ec2 restore-snapshot-tier \
    --snapshot-id snap-0abcdef1234567890 \
    --permanent-restore
```

The following is example output.

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "IsPermanentRestore": true
}
```

**To temporarily restore an archived snapshot**  
Use the [restore-snapshot-tier](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-snapshot-tier.html) AWS CLI command. Omit the `--permanent-restore` option. For `--temporary-restore-days`, specify the number of days for which to restore the snapshot. The allowed range is 1 to 180 days. If you do not specify a value, the default is 1 day.

The following example temporarily restores the specified snapshot for a restore period of 5 days.

```
aws ec2 restore-snapshot-tier \
    --snapshot-id snap-0abcdef1234567890 \
    --temporary-restore-days 5
```

The following is example output.

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "RestoreDuration": 5,
    "IsPermanentRestore": false
}
```

------
#### [ PowerShell ]

**To permanently restore an archived snapshot**  
Use the [Restore-EC2SnapshotTier](https://docs.aws.amazon.com/powershell/latest/reference/items/Restore-EC2SnapshotTier.html) cmdlet.

```
Restore-EC2SnapshotTier `
    -SnapshotId snap-0abcdef1234567890 `
    -PermanentRestore $true
```

**To temporarily restore an archived snapshot**  
Use the [Restore-EC2SnapshotTier](https://docs.aws.amazon.com/powershell/latest/reference/items/Restore-EC2SnapshotTier.html) cmdlet.

```
Restore-EC2SnapshotTier `
    -SnapshotId snap-0abcdef1234567890 `
    -TemporaryRestoreDays 5
```

------

# Modify the restore period for a temporarily restored Amazon EBS snapshot
<a name="modify-temp-restore-period"></a>

When you restore a snapshot temporarily, you must specify the number of days for which the snapshot is to remain restored in your account. After the restore period expires, the snapshot is automatically removed from the standard tier.

You can change the restore period for a temporarily restored snapshot at any time.

You can choose to either increase or decrease the restore period, or you can change the restore type from temporary to permanent.

If you change the restore period, the new restore period is effective from the current date. For example, if you specify a new restore period of `5` days, the snapshot will remain restored for five days from the current date.

**Note**  
You can end a temporary restore early by setting the restore period to 1 day.

If you change the restore type from temporary to permanent, the snapshot copy is deleted from the archive tier, and the snapshot remains available in your account until you manually re-archive it or delete it.

------
#### [ Console ]

**To modify the restore period or restore type**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. In the list of snapshots, select the snapshot that you previously temporarily restored, and then choose **Actions**, **Restore snapshot from archive**.

1. For **Restore type**, do one of the following:
   + To change the restore type from temporary to permanent, select **Permanent**.
   + To increase or decrease the restore period, keep **Temporary**, and then for **Temporary restore period**, enter the new restore period in days. 

1. To confirm, choose **Restore snapshot**.

------
#### [ AWS CLI ]

**To modify the restore period or change the restore type**  
Use the [restore-snapshot-tier](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-snapshot-tier.html) command. For `--snapshot-id`, specify the ID of the snapshot that you previously temporarily restored. To change the restore type from temporary to permanent, specify `--permanent-restore` and omit `--temporary-restore-days`. To increase or decrease the restore period, omit `--permanent-restore` and for `--temporary-restore-days`, specify the new restore period in days.

**Example: Increase or decrease the restore period**  
The following command changes the restore period for the specified snapshot to `10` days.

```
aws ec2 restore-snapshot-tier \
    --snapshot-id snap-0abcdef1234567890 \
    --temporary-restore-days 10
```

The following is example output.

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "RestoreDuration": 10,
    "IsPermanentRestore": false
}
```

**Example: Change restore type to permanent**  
The following command changes the restore type for the specified snapshot from temporary to permanent.

```
aws ec2 restore-snapshot-tier \
    --snapshot-id snap-0abcdef1234567890 \
    --permanent-restore
```

The following is example output.

```
{
    "SnapshotId": "snap-0abcdef1234567890",
    "IsPermanentRestore": true
}
```

------
#### [ PowerShell ]

**To modify the restore period or change the restore type**  
Use the [Restore-EC2SnapshotTier](https://docs.aws.amazon.com/powershell/latest/reference/items/Restore-EC2SnapshotTier.html) cmdlet. For `-SnapshotId`, specify the ID of the snapshot that you previously temporarily restored. To change the restore type from temporary to permanent, specify `-PermanentRestore` and omit `-TemporaryRestoreDays`. To increase or decrease the restore period, omit `-PermanentRestore` and for `-TemporaryRestoreDays`, specify the new restore period in days.

**Example: Increase or decrease the restore period**  
The following command changes the restore period for the specified snapshot to `10` days.

```
Restore-EC2SnapshotTier `
    -SnapshotId snap-0abcdef1234567890 `
    -TemporaryRestoreDays 10
```

**Example: Change restore type to permanent**  
The following command changes the restore type for the specified snapshot from temporary to permanent.

```
Restore-EC2SnapshotTier `
    -SnapshotId snap-0abcdef1234567890 `
    -PermanentRestore $true
```

------

# View archived Amazon EBS snapshots
<a name="view-archived-snapshot"></a>

------
#### [ Console ]

**To view storage tier information for a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. In the list of snapshots, select the snapshot and choose the **Storage tier** tab.

   The tab provides the following information:
   + **Last tier change started on** — The date and time when the last archive or restore was started.
   + **Tier change progress** — The progress of the last archive or restore action, as a percentage.
   + **Storage tier** — The storage tier for the snapshot. Always `archive` for archived snapshots, and `standard` for snapshots stored on the standard tier, including temporarily restored snapshots.
   + **Tiering status** — The status of the last archive or restore action.
   + **Archive completed on** — The date and time when the archive completed.
   + **Temporary restore expires on** — The date and time when a temporarily restored snapshot is set to expire.

------
#### [ AWS CLI ]

**To view archival information about an archived snapshot**  
Use the [describe-snapshot-tier-status](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshot-tier-status.html) command. Specify the `snapshot-id` filter, and for the filter value, specify the snapshot ID. Alternatively, to view all archived snapshots, omit the filter.

```
--filters "Name=snapshot-id,Values=snapshot_id"
```

The output includes the following response parameters:
+ `Status` — The status of the snapshot. Always `completed` for archived snapshots. Only snapshots that are in the `completed` state can be archived.
+ `LastTieringStartTime` — The date and time that the archival process started, in UTC time format (YYYY-MM-DDTHH:MM:SSZ).
+ `LastTieringOperationState` — The current state of the archival process. Possible states include: `archival-in-progress` | `archival-completed` | `archival-failed` | `permanent-restore-in-progress` | `permanent-restore-completed` | `permanent-restore-failed` | `temporary-restore-in-progress` | `temporary-restore-completed` | `temporary-restore-failed`
+ `LastTieringProgress` — The progress of the snapshot archival process, as a percentage.
+ `StorageTier` — The storage tier for the snapshot. Always `archive` for archived snapshots, and `standard` for snapshots stored on the standard tier, including temporarily restored snapshots.
+ `ArchivalCompleteTime` — The date and time that the archival process completed, in UTC time format (YYYY-MM-DDTHH:MM:SSZ).

**Example: Describe a snapshot**  
The following example displays information about the specified snapshot.

```
aws ec2 describe-snapshot-tier-status \
    --filters "Name=snapshot-id,Values=snap-0abcdef1234567890"
```

The following is example output.

```
{
    "SnapshotTierStatuses": [
        {
            "Status": "completed",
            "ArchivalCompleteTime": "2021-09-15T17:33:16.147Z",
            "LastTieringProgress": 100,
            "Tags": [],
            "VolumeId": "vol-01234567890abcdef",
            "LastTieringOperationState": "archival-completed",
            "StorageTier": "archive",
            "OwnerId": "123456789012",
            "SnapshotId": "snap-0abcdef1234567890",
            "LastTieringStartTime": "2021-09-15T16:44:37.574Z"
        }
    ]
}
```

**To view archived and standard tier snapshots**  
Use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command. For `--snapshot-ids`, specify the ID of the snapshot.

```
aws ec2 describe-snapshots --snapshot-ids snap-0abcdef1234567890
```

The following is example output. The `StorageTier` response parameter indicates whether the snapshot is currently archived. `archive` indicates that the snapshot is currently archived and stored in the archive tier, and `standard` indicates that the snapshot is currently not archived and that it is stored in the standard tier.

In the following example output, only `Snap A` is archived. `Snap B` and `Snap C` are not archived.

Additionally, the `RestoreExpiryTime` response parameter is returned only for snapshots that are temporarily restored from the archive. It indicates when temporarily restored snapshots are to be automatically removed from the standard tier. It is **not** returned for snapshots that are permanently restored.

In the following example output, `Snap C` is temporarily restored, and it will be automatically removed from the standard tier at 2021-09-19T21:00:00.000Z (September 19, 2021 at 21:00 UTC).

```
{
    "Snapshots": [
        {
            "Description": "Snap A",
            "Encrypted": false,
            "VolumeId": "vol-01234567890aaaaaa",
            "State": "completed",
            "VolumeSize": 8,
            "StartTime": "2021-09-07T21:00:00.000Z",
            "Progress": "100%",
            "OwnerId": "123456789012",
            "SnapshotId": "snap-01234567890aaaaaa",
            "StorageTier": "archive",
            "Tags": []
        },
        {
            "Description": "Snap B",
            "Encrypted": false,
            "VolumeId": "vol-09876543210bbbbbb",
            "State": "completed",
            "VolumeSize": 10,
            "StartTime": "2021-09-14T21:00:00.000Z",
            "Progress": "100%",
            "OwnerId": "123456789012",
            "SnapshotId": "snap-09876543210bbbbbb",
            "StorageTier": "standard",
            "Tags": []
        },
        {
            "Description": "Snap C",
            "Encrypted": false,
            "VolumeId": "vol-054321543210cccccc",
            "State": "completed",
            "VolumeSize": 12,
            "StartTime": "2021-08-01T21:00:00.000Z",
            "Progress": "100%",
            "OwnerId": "123456789012",
            "SnapshotId": "snap-054321543210cccccc",
            "StorageTier": "standard",
            "RestoreExpiryTime": "2021-09-19T21:00:00.000Z",
            "Tags": []
        }
    ]
}
```

**To view only snapshots that are stored in the archive tier or the standard tier**  
Use the [describe-snapshots](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html) command. Include the `--filters` option, with the filter name `storage-tier`. For the filter value, specify either `archive` or `standard`. The following example displays only archived snapshots.

```
aws ec2 describe-snapshots --filters "Name=storage-tier,Values=archive"
```

------
#### [ PowerShell ]

**To view archival information about an archived snapshot**  
Use the [Get-EC2SnapshotTierStatus](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2SnapshotTierStatus.html) cmdlet.

```
Get-EC2SnapshotTierStatus `
    -Filter @{Name="snapshot-id"; Values="snap-0abcdef1234567890"}
```

**To view archived and standard tier snapshots**  
Use the [Get-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Snapshot.html) cmdlet.

```
Get-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890
```

**To view only snapshots that are stored in the archive tier or the standard tier**  
Use the [Get-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Snapshot.html) cmdlet. The following example displays only archived snapshots.

```
Get-EC2Snapshot `
    -Filter @{Name="storage-tier"; Values="archive"}
```

------
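
The `StorageTier` and `RestoreExpiryTime` fields described above are enough to decide whether a disabled AMI's snapshots are ready for the AMI to be re-enabled. The following Python is an added example, not AWS-provided code; the function names, state labels, and sample snapshot IDs are constructed for illustration, and the input is assumed to be saved `describe-snapshots` JSON.

```python
from datetime import datetime, timezone

# Constructed sample shaped like `aws ec2 describe-snapshots` output (IDs are made up).
SAMPLE = {
    "Snapshots": [
        {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "State": "completed",
         "StorageTier": "archive"},
        {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "State": "completed",
         "StorageTier": "standard"},
        {"SnapshotId": "snap-0cccccccccccccccc", "State": "completed",
         "StorageTier": "standard",
         "RestoreExpiryTime": "2021-09-19T21:00:00.000Z"},
    ]
}


def parse_utc(ts):
    """Parse the CLI's UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {ts!r}")


def restore_state(snapshot, now):
    """Return (state, detail) for one entry of the Snapshots list."""
    tier = snapshot.get("StorageTier")
    if tier == "archive":
        return "archived", "must be restored before use"
    if tier != "standard":
        return "unknown", f"unexpected StorageTier {tier!r}"
    expiry = snapshot.get("RestoreExpiryTime")
    if expiry is None:
        # Never archived, or permanently restored: the field is not returned.
        return "standard", "usable, no expiry"
    remaining = parse_utc(expiry) - now
    if remaining.total_seconds() <= 0:
        # Stale output: the restore period has already ended.
        return "temporary-expired", f"restore period ended {expiry}"
    hours = remaining.seconds // 3600
    return "temporary", f"leaves standard tier in {remaining.days}d {hours}h"


def ami_reenable_blockers(describe_output, ami_snapshot_ids, now):
    """Map snapshot ID -> reason for every snapshot that blocks re-enabling an AMI.

    All associated snapshots must be permanently restored, so anything that is
    archived, temporarily restored, or missing from the output is a blocker.
    """
    by_id = {s["SnapshotId"]: s for s in describe_output.get("Snapshots", [])}
    blockers = {}
    for snap_id in ami_snapshot_ids:
        snap = by_id.get(snap_id)
        if snap is None:
            blockers[snap_id] = "not in describe-snapshots output"
            continue
        state, detail = restore_state(snap, now)
        if state != "standard":
            blockers[snap_id] = f"{state}: {detail}"
    return blockers


if __name__ == "__main__":
    now = datetime(2021, 9, 17, 9, 0, tzinfo=timezone.utc)
    ids = [s["SnapshotId"] for s in SAMPLE["Snapshots"]]
    for snap_id, reason in ami_reenable_blockers(SAMPLE, ids, now).items():
        print(snap_id, reason)
```
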

# Monitor Amazon EBS snapshot archiving using CloudWatch Events
<a name="monitor-snapshot-archiving"></a>

Amazon EBS emits events related to snapshot archiving actions. You can use AWS Lambda and Amazon CloudWatch Events to handle event notifications programmatically. Events are emitted on a best effort basis. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

The following events are available:
+ `archiveSnapshot` — Emitted when a snapshot archive action succeeds or fails.

  The following is an example of an event that is emitted when a snapshot archive action succeeds.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "archiveSnapshot",
      "result": "succeeded",
      "cause": "",
      "request-id": "123456789",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```

  The following is an example of an event that is emitted when a snapshot archive action fails.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "archiveSnapshot",
      "result": "failed",
      "cause": "Source snapshot ID is not valid",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```
+ `permanentRestoreSnapshot` — Emitted when a permanent restore action succeeds or fails.

  The following is an example of an event that is emitted when a permanent restore action succeeds.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "permanentRestoreSnapshot",
      "result": "succeeded",
      "cause": "",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-10-45T15:30:00Z"
    }
  }
  ```

  The following is an example of an event that is emitted when a permanent restore action fails.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "permanentRestoreSnapshot",
      "result": "failed",
      "cause": "Source snapshot ID is not valid",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```
+ `temporaryRestoreSnapshot` — Emitted when a temporary restore action succeeds or fails.

  The following is an example of an event that is emitted when a temporary restore action succeeds.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "temporaryRestoreSnapshot",
      "result": "succeeded",
      "cause": "",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "restoreExpiryTime": "2021-06-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```

  The following is an example of an event that is emitted when a temporary restore action fails.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "temporaryRestoreSnapshot",
      "result": "failed",
      "cause": "Source snapshot ID is not valid",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```
+ `restoreExpiry` — Emitted when the restore period for a temporarily restored snapshot expires.

  The following is an example.

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2021-05-25T13:12:22Z",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "restoreExpiry",
      "result": "succeeded",
      "cause": "",
      "request-id": "1234567890",
      "snapshot_id": "arn:aws:ec2:us-east-1::snapshot/snap-01234567890abcdef",
      "startTime": "2021-05-25T13:12:22Z",
      "endTime": "2021-05-45T15:30:00Z",
      "recycleBinExitTime": "2021-10-45T15:30:00Z"
    }
  }
  ```
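
The event shapes listed above can be triaged in a Lambda-style handler that separates failures, restores of archived data, and routine completions. The following Python is an added example, not AWS-provided code; the function names, the severity labels, and the sample event (built by `sample_event` with made-up IDs and times) are assumptions for illustration.

```python
import json

# EventBridge rule pattern selecting the four archiving events listed on this page.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Snapshot Notification"],
    "detail": {"event": ["archiveSnapshot", "permanentRestoreSnapshot",
                         "temporaryRestoreSnapshot", "restoreExpiry"]},
}
ARCHIVE_EVENTS = set(EVENT_PATTERN["detail"]["event"])
RESTORE_EVENTS = {"permanentRestoreSnapshot", "temporaryRestoreSnapshot"}


def snapshot_id_from_arn(arn):
    """Return 'snap-...' from 'arn:aws:ec2:<region>::snapshot/snap-...', else None."""
    if not isinstance(arn, str) or not arn.startswith("arn:"):
        return None
    resource = arn.split(":", 5)[-1]            # 'snapshot/snap-...'
    kind, _, ident = resource.partition("/")
    if kind != "snapshot" or not ident.startswith("snap-"):
        return None
    return ident


def triage(event):
    """Classify one event; return a finding dict, or None if it is not relevant."""
    if event.get("source") != "aws.ec2":
        return None
    if event.get("detail-type") != "EBS Snapshot Notification":
        return None
    detail = event.get("detail") or {}
    name = detail.get("event")
    if name not in ARCHIVE_EVENTS:
        return None
    # The snapshot appears as an ARN in detail.snapshot_id and in resources[].
    snap = snapshot_id_from_arn(detail.get("snapshot_id"))
    listed = {snapshot_id_from_arn(r) for r in event.get("resources", [])}
    result = detail.get("result")
    if snap is None or snap not in listed:
        severity, reason = "review", "snapshot ARN missing or not in resources"
    elif result not in ("succeeded", "failed"):
        severity, reason = "review", f"unexpected result {result!r}"
    elif result == "failed":
        severity, reason = "alert", detail.get("cause") or "no cause given"
    elif name in RESTORE_EVENTS:
        # Archived data became usable again: keep an audit trail entry.
        severity, reason = "audit", "archived snapshot restored to standard tier"
    else:
        severity, reason = "info", "completed"
    return {"snapshot": snap, "event": name, "result": result,
            "severity": severity, "reason": reason,
            "restore_expiry": detail.get("restoreExpiryTime")}


def sample_event(name, result, cause="", **extra):
    """Constructed test event in the documented shape (IDs and times are made up)."""
    arn = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"
    detail = {"event": name, "result": result, "cause": cause,
              "snapshot_id": arn, "startTime": "2021-05-25T13:12:22Z",
              "endTime": "2021-05-25T15:30:00Z"}
    detail.update(extra)
    return {"version": "0", "detail-type": "EBS Snapshot Notification",
            "source": "aws.ec2", "account": "123456789012",
            "region": "us-east-1", "resources": [arn], "detail": detail}


def lambda_handler(event, context):
    """Lambda entry point (assumed wiring): log the finding and return it."""
    finding = triage(event)
    if finding is not None:
        print(json.dumps(finding, sort_keys=True))
    return finding
```

Because events are emitted on a best-effort basis, a missing event does not prove that no tier change happened; periodic polling with `describe-snapshot-tier-status` covers that gap.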

# Delete an Amazon EBS snapshot
<a name="ebs-deleting-snapshot"></a>

After you no longer need an Amazon EBS snapshot of a volume, you can delete it. Deleting a snapshot has no effect on the volume. Deleting a volume has no effect on the snapshots made from it.

**Topics**
+ [Considerations for deleting snapshots](#ebs-delete-snapshot-considerations)
+ [How deleting incremental snapshots works](#ebs-deleting-snapshot-incremental)
+ [Delete a snapshot](#ebs-delete-snapshot)
+ [Delete multi-volume snapshots](#ebs-delete-snapshot-multi-volume)

## Considerations for deleting snapshots
<a name="ebs-delete-snapshot-considerations"></a>

The following considerations apply to deleting snapshots:
+ You can't delete a snapshot of the root device of an EBS volume used by a registered AMI. This consideration applies even if the registered AMI is deprecated or disabled. You must first deregister the AMI before you can delete the snapshot. For more information, see [Deregister your AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html).
+ You can't delete a snapshot that is managed by the AWS Backup service using Amazon EC2. Instead, use AWS Backup to delete the corresponding recovery points in the backup vault. For more information, see [Deleting backups](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-backups.html) in the *AWS Backup Developer Guide*.
+ You can create, retain, and delete snapshots manually, or you can use Amazon Data Lifecycle Manager to manage your snapshots for you. For more information, see [Amazon Data Lifecycle Manager](snapshot-lifecycle.md).
+ Although you can delete a snapshot that is still in progress, the snapshot must complete before the deletion takes effect. This might take a long time. If you are also at your concurrent snapshot limit, and you attempt to take an additional snapshot, you might get a `ConcurrentSnapshotLimitExceeded` error. For more information, see the [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/ebs-service.html#limits_ebs) for Amazon EBS in the *Amazon Web Services General Reference*.
+ If you delete a snapshot that matches a Recycle Bin retention rule, the snapshot is retained in the Recycle Bin instead of being immediately deleted. For more information, see [Recycle Bin](recycle-bin.md).
+ You can't delete snapshots associated with disabled EBS-backed AMIs. For more information, see [Disable an AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disable-an-ami.html).
+ You can't delete snapshots that are shared with you.
+ If you delete a shared snapshot that you own, all accounts with which the snapshot is shared lose access to it.

## How deleting incremental snapshots works
<a name="ebs-deleting-snapshot-incremental"></a>

If you make periodic snapshots of a volume, the snapshots are *incremental*. This means that only the blocks on the device that have changed after your most recent snapshot are saved in the new snapshot. Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to create volumes.

If data was present on a volume held in an earlier snapshot or series of snapshots, and that data is subsequently deleted from the volume, the data is still considered to be unique data of the earlier snapshots. Unique data is deleted from the sequence of snapshots only if all snapshots that reference the unique data are deleted.

When you delete a snapshot, only the data that is referenced exclusively by that snapshot is removed. Unique data is only deleted if all of the snapshots that reference it are deleted. Deleting previous snapshots of a volume does not affect your ability to create volumes from later snapshots of that volume.

Deleting a snapshot might not reduce your organization's data storage costs. Other snapshots might reference that snapshot's data, and referenced data is always preserved. If you delete a snapshot containing data being used by a later snapshot, costs associated with the referenced data are allocated to the later snapshot. For more information about how snapshots store data, see [How Amazon EBS snapshots work](how_snapshots_work.md) and the following example.

In the following diagram, Volume 1 is shown at three points in time. A snapshot has captured each of the first two states, and in the third, a snapshot has been deleted. 
+ In **state 1**, the volume has 10 GiB of data. Because Snap A is the first snapshot taken of the volume, the entire 10 GiB of data must be copied. In this state, you are charged for storing 10 GiB of snapshot data.
+ In **state 2**, the volume still contains 10 GiB of data, but 4 GiB have changed. Snap B stores only the 4 GiB that changed after Snap A was taken, and it references the 6 GiB of unchanged data that is already stored in Snap A. In this state, you are charged for storing 14 GiB of snapshot data (10 GiB from Snap A + 4 GiB from Snap B).
+ In **state 3**, the volume is unchanged but Snap A is deleted. Since the 6 GiB of unchanged data in Snap A is still referenced by Snap B, that data is retained and it is associated with Snap B. The 4 GiB of unique data in Snap A is deleted since it is no longer referenced by other snapshots. In this state, you are charged for storing 10 GiB of snapshot data (6 GiB of data retained from Snap A + 4 GiB of data in Snap B).

**Deleting a snapshot with some of its data referenced by another snapshot**

![\[Snap A contains 6 GiB of referenced data. When Snap A is deleted, that data is merged into Snap B.\]](http://docs.aws.amazon.com/ebs/latest/userguide/images/snapshot_1b.png)
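
The three states above can be replayed with a small reference-tracking model that shows why deleting Snap A frees only 4 GiB and why Snap B can still restore the full volume. The following Python is an added example, not AWS code and not a description of how EBS is implemented; the `SnapshotStore` class, the 1 GiB block granularity, and the per-block version counter are modeling assumptions.

```python
class SnapshotStore:
    """Toy model of incremental snapshots at 1 GiB block granularity (assumed)."""

    def __init__(self):
        # name -> {block index: version}; dict order is snapshot creation order.
        self.snapshots = {}

    def _chunks(self, name):
        """The (block, version) chunks that a snapshot references."""
        return set(self.snapshots[name].items())

    def stored(self):
        """All chunks referenced by at least one snapshot (what is billed)."""
        chunks = set()
        for name in self.snapshots:
            chunks |= self._chunks(name)
        return chunks

    def create(self, name, volume):
        """Snapshot the volume; return GiB newly written (changed blocks only)."""
        before = self.stored()
        self.snapshots[name] = dict(volume)
        return len(self._chunks(name) - before)

    def unique_to(self, name):
        """Chunks referenced exclusively by this snapshot."""
        others = set()
        for other in self.snapshots:
            if other != name:
                others |= self._chunks(other)
        return self._chunks(name) - others

    def delete(self, name):
        """Delete a snapshot; return GiB actually freed (its unique data only)."""
        freed = len(self.unique_to(name))
        del self.snapshots[name]
        return freed

    def allocation(self):
        """Charge each chunk to the oldest surviving snapshot that references it."""
        seen, charged = set(), {}
        for name in self.snapshots:
            mine = self._chunks(name) - seen
            charged[name] = len(mine)
            seen |= mine
        return charged

    def restore(self, name):
        """Every surviving snapshot can rebuild the full volume it captured."""
        return dict(self.snapshots[name])


def walk_through():
    """Replay states 1 to 3 from the text; sizes are in GiB."""
    store = SnapshotStore()
    volume = {block: 1 for block in range(10)}   # state 1: 10 GiB of data
    store.create("Snap A", volume)
    state1 = len(store.stored())
    for block in range(4):                       # state 2: 4 GiB have changed
        volume[block] = 2
    written_by_b = store.create("Snap B", volume)
    state2 = len(store.stored())
    allocation_before = store.allocation()
    freed = store.delete("Snap A")               # state 3: Snap A is deleted
    state3 = len(store.stored())
    return {
        "billed": [state1, state2, state3],
        "written_by_b": written_by_b,
        "freed_by_delete": freed,
        "allocation_before": allocation_before,
        "allocation_after": store.allocation(),
        "b_restores_full_volume": store.restore("Snap B") == volume,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(key, value)
```
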


## Delete a snapshot
<a name="ebs-delete-snapshot"></a>

------
#### [ Console ]

**To delete a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot.

1. Choose **Actions**, **Delete snapshot**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

------
#### [ AWS CLI ]

**To delete a snapshot**  
Use the [delete-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-snapshot.html) command.

```
aws ec2 delete-snapshot --snapshot-id snap-0abcdef1234567890
```

------
#### [ PowerShell ]

**To delete a snapshot**  
Use the [Remove-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2Snapshot.html) cmdlet.

```
Remove-EC2Snapshot -SnapshotId snap-0abcdef1234567890
```

------

**Troubleshooting tip**  
If you get a `Failed to delete snapshot` error indicating that the snapshot is currently in use by an AMI, you must [deregister the associated AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html) before you can delete the snapshot. You can't delete snapshots that are associated with an AMI.  
If you're using the console and the associated AMI is disabled, you must select the **Disabled images** filter on the **AMIs** screen to view disabled AMIs.

## Delete multi-volume snapshots
<a name="ebs-delete-snapshot-multi-volume"></a>

To delete multi-volume snapshots, retrieve all of the snapshots for your multi-volume snapshot set using the tag you applied to the set when you created the snapshots. Then, delete the snapshots individually.

You will not be prevented from deleting individual snapshots in the multi-volume snapshot set. If you delete a snapshot while it is in the `pending` state, only that snapshot is deleted. The other snapshots in the multi-volume snapshot set still complete successfully.

# Amazon EBS fast snapshot restore
<a name="ebs-fast-snapshot-restore"></a>

Amazon EBS fast snapshot restore (FSR) enables you to create a volume from a snapshot that is fully initialized at creation. This eliminates the latency of I/O operations on a block when it is accessed for the first time. Volumes that are created using fast snapshot restore instantly deliver all of their provisioned performance.

To get started, enable fast snapshot restore for specific snapshots in specific Availability Zones. Each snapshot and Availability Zone pair refers to one fast snapshot restore. When you create a volume from one of these snapshots in one of its enabled Availability Zones, the volume is restored using fast snapshot restore. 

You must explicitly enable fast snapshot restore for each snapshot. For example, if you create a new snapshot from a volume that was restored from a fast snapshot restore-enabled snapshot, the new snapshot is not automatically enabled for fast snapshot restore. If you copy a snapshot that is enabled for fast snapshot restore, the snapshot copy is not automatically enabled for fast snapshot restore.

The number of volumes that you can restore with the full performance benefit of fast snapshot restore is determined by volume creation credits for the snapshot. For more information, see [Amazon EBS fast snapshot restore volume creation credits](volume-creation-credits.md).

You can enable fast snapshot restore for snapshots that you own and for public and private snapshots that are shared with you.

**Topics**
+ [Considerations](#fsr-considerations)
+ [Pricing and Billing](#fsr-pricing)
+ [Amazon EBS fast snapshot restore volume creation credits](volume-creation-credits.md)
+ [Configure fast snapshot restore for an Amazon EBS snapshot](manage-fsr-enable.md)
+ [Check the fast snapshot restore state for an Amazon EBS snapshot](view-fsr-enabled-snapshots.md)
+ [View Amazon EBS volumes restored using fast snapshot restore](view-fast-restored-volumes.md)

## Considerations
<a name="fsr-considerations"></a>
+ Fast snapshot restore is not supported with AWS Outposts, Local Zones, and Wavelength Zones.
+ Fast snapshot restore can be enabled on snapshots with a size of 16 TiB or less.
+ Volumes provisioned with performance up to 64,000 IOPS and 1,000 MiB/s throughput receive the full performance benefit of fast snapshot restore. For volumes provisioned with performance greater than 64,000 IOPS or 1,000 MiB/s throughput, we recommend that you [initialize the volume](initalize-volume.md#ebs-initialize) to receive its full performance. 
+ You can enable up to 5 snapshots for fast snapshot restore per Region. The quota applies to snapshots that you own and snapshots that are shared with you. If you enable fast snapshot restore for a snapshot that is shared with you, it counts towards your fast snapshot restore quota. It does not count towards the snapshot owner's fast snapshot restore quota.
+ Amazon EBS emits Amazon CloudWatch events when the fast snapshot restore state for a snapshot changes. For more information, see [EBS fast snapshot restore events](ebs-cloud-watch-events.md#fast-snapshot-restore-events). 

## Pricing and Billing
<a name="fsr-pricing"></a>

You are billed for each minute that fast snapshot restore is enabled for a snapshot in a particular Availability Zone. Charges are pro-rated with a minimum of one hour. 

For example, if you enable fast snapshot restore for one snapshot in `us-east-1a` for one month (30 days), you are billed **\$540** (`1` snapshot x `1` AZ x `720` hours x `$0.75` per hour). If you enable fast snapshot restore for two snapshots in `us-east-1a`, `us-east-1b`, and `us-east-1c` for the same period, you are billed **\$3240** (`2` snapshots x `3` AZs x `720` hours x `$0.75` per hour).

If you enable fast snapshot restore for a public or private snapshot that is shared with you, your account is billed; the snapshot owner is not billed. When a snapshot that is shared with you is deleted or unshared by the snapshot owner, fast snapshot restore is disabled for the snapshot in your account and billing is stopped. 

For more information, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).

# Amazon EBS fast snapshot restore volume creation credits
<a name="volume-creation-credits"></a>

The number of volumes that receive the full performance benefit of fast snapshot restore is determined by the volume creation credits for the snapshot. There is one credit bucket per snapshot per Availability Zone. Each volume that you create from a snapshot with fast snapshot restore enabled consumes one credit from the credit bucket. You must have at least one credit in the bucket to create an initialized volume from the snapshot. If you create a volume but there is less than one credit in the bucket, the volume is created without benefit of fast snapshot restore.

When you enable fast snapshot restore for a snapshot that is shared with you, you get a separate credit bucket for the shared snapshot in your account. If you create volumes from the shared snapshot, the credits are consumed from your credit bucket; they are not consumed from the snapshot owner's credit bucket.

The credit bucket size and the refill rate are based on the size of the snapshot (which is also the size of the source volume), not the size of the snapshot data. For example, if you create a snapshot from a 200 GiB volume that has 150 GiB of data, and enable it for fast snapshot restore, the credit bucket size and the refill rate are based on 200 GiB.

When you enable fast snapshot restore for a snapshot, the credit bucket starts with zero credits, and it gets filled at a set rate until it reaches its maximum credit capacity. Also, as you consume credits, the credit bucket is refilled over time until it reaches its maximum credit capacity.

The fill rate for a credit bucket is calculated as follows:

```
MIN (10, (1024 ÷ snapshot_size_gib))
```

And the size of the credit bucket is calculated as follows:

```
MAX (1, MIN (10, (1024 ÷ snapshot_size_gib)))
```

**For example**, if you enable fast snapshot restore for a snapshot with a size of `128 GiB`, the fill rate is `0.1333` credits per minute.

```
MIN (10, (1024 ÷ 128))
 = MIN (10, 8)        
 = 8 credits per hour
 = 0.1333 credits per minute
```

And the maximum size of the credit bucket is `8` credits.

```
MAX (1, MIN (10, (1024 ÷ 128)))      
 = MAX (1, MIN (10, 8))
 = MAX (1, 8)
 = 8 credits
```

In this example, when you enable fast snapshot restore, the credit bucket starts with zero credits. After 8 minutes, the credit bucket has enough credits to create one initialized volume (`0.1333 credits × 8 minutes = 1.066 credits`). When the credit bucket is full, you can create 8 initialized volumes simultaneously (8 credits). When the bucket is below its maximum capacity, it refills with `0.1333` credits per minute.
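
The bucket arithmetic above can be turned into a small planning model for a restore, for example to see which volumes in a recovery run would come up fully initialized. This is an added example, not AWS code; the names `CreditBucket` and `plan_restores` are hypothetical, time zero is assumed to be the moment the bucket starts filling, and a volume created with less than one credit is assumed to consume nothing.

```python
from dataclasses import dataclass


def credits_per_hour(snapshot_size_gib: float) -> float:
    """Fill rate from the page: MIN(10, 1024 / snapshot_size_gib)."""
    if snapshot_size_gib <= 0:
        raise ValueError("snapshot size must be positive")
    return min(10.0, 1024.0 / snapshot_size_gib)


def bucket_capacity(snapshot_size_gib: float) -> float:
    """Bucket size from the page: MAX(1, MIN(10, 1024 / snapshot_size_gib))."""
    return max(1.0, credits_per_hour(snapshot_size_gib))


def minutes_until_credits(snapshot_size_gib: float, credits: float) -> float:
    """Minutes for an empty bucket to accumulate `credits` at the fill rate."""
    if credits > bucket_capacity(snapshot_size_gib):
        raise ValueError("the bucket can never hold that many credits")
    return credits * 60.0 / credits_per_hour(snapshot_size_gib)


@dataclass
class CreditBucket:
    """One bucket per snapshot per Availability Zone; it starts empty."""
    snapshot_size_gib: float
    credits: float = 0.0
    clock_min: float = 0.0  # minutes since the bucket started filling

    def advance_to(self, minute: float) -> None:
        """Refill the bucket up to `minute`, capped at the bucket size."""
        if minute < self.clock_min:
            raise ValueError("requests must be in chronological order")
        rate_per_min = credits_per_hour(self.snapshot_size_gib) / 60.0
        refilled = self.credits + (minute - self.clock_min) * rate_per_min
        self.credits = min(bucket_capacity(self.snapshot_size_gib), refilled)
        self.clock_min = minute

    def create_volume(self, minute: float) -> bool:
        """Return True if a volume created at `minute` would be initialized."""
        self.advance_to(minute)
        if self.credits >= 1.0:
            self.credits -= 1.0
            return True
        # Assumption: a volume created with less than one credit consumes nothing.
        return False


def plan_restores(snapshot_size_gib: float, request_minutes) -> list:
    """For each requested creation time, report whether the volume is fast-restored."""
    bucket = CreditBucket(snapshot_size_gib)
    return [bucket.create_volume(m) for m in sorted(request_minutes)]


if __name__ == "__main__":
    # Constructed scenario: the page's 128 GiB snapshot, four volume requests.
    for minute, fast in zip([5, 8, 9, 60], plan_restores(128, [5, 8, 9, 60])):
        print(f"minute {minute:>3}: fast restored = {fast}")
    # A 16 TiB snapshot (the largest size FSR supports) earns its single credit slowly.
    print("16 TiB, first credit after", minutes_until_credits(16384, 1), "minutes")
```
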

You can use CloudWatch metrics to monitor the size of your credit buckets and the number of credits available in each bucket. For more information, see [Metrics for fast snapshot restore](using_cloudwatch_ebs.md#fast-snapshot-restore-metrics).

After you create a volume from a snapshot with fast snapshot restore enabled, you can describe the volume using [describe-volumes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html) and check the `fastRestored` field in the output to determine whether the volume was created as an initialized volume using fast snapshot restore.

# Configure fast snapshot restore for an Amazon EBS snapshot
<a name="manage-fsr-enable"></a>

Fast snapshot restore is disabled for a snapshot by default. You can enable or disable fast snapshot restore for snapshots that you own and for snapshots that are shared with you. When you enable or disable fast snapshot restore for a snapshot, the changes apply to your account only.

**Note**  
When you enable fast snapshot restore for a snapshot, your account is billed for each minute that fast snapshot restore is enabled in a particular Availability Zone. Charges are pro-rated and have a minimum of one hour.

When you delete a snapshot that you own, fast snapshot restore is automatically disabled for that snapshot in your account. If you enabled fast snapshot restore for a snapshot that is shared with you, and the snapshot owner deletes or unshares it, fast snapshot restore is automatically disabled for the shared snapshot in your account.

If you enabled fast snapshot restore for a snapshot that is shared with you, and it has been encrypted using a custom CMK, fast snapshot restore is not automatically disabled for the snapshot when the snapshot owner revokes your access to the custom CMK. You must manually disable fast snapshot restore for that snapshot.

After you enable fast snapshot restore for a snapshot, it enters the `optimizing` state. Snapshots that are in the `optimizing` state provide some performance benefits when using them to restore volumes. They start to provide the full performance benefits of fast snapshot restore only after they enter the `enabled` state.

------
#### [ Console ]

**To configure fast snapshot restore**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot, and choose **Actions**, **Manage fast snapshot restore**.

1. The **Fast snapshot restore settings** section lists all of the Availability Zones in which you can enable fast snapshot restore for the selected snapshot. The **Current status** column indicates whether fast snapshot restore is currently enabled or disabled for each zone.

   To enable fast snapshot restore in a zone where it is currently disabled, select the zone, choose **Enable**, and then to confirm, choose **Enable**.

   To disable fast snapshot restore in a zone where it is currently enabled, select the zone, and then choose **Disable**.

1. After you have made the required changes, choose **Close**.

------
#### [ AWS CLI ]

**To enable fast snapshot restore**  
Use the [enable-fast-snapshot-restores](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-fast-snapshot-restores.html) command.

```
aws ec2 enable-fast-snapshot-restores \
    --availability-zones us-east-1a us-east-1b \
    --source-snapshot-ids snap-0abcdef1234567890
```

**To disable fast snapshot restore**  
Use the [disable-fast-snapshot-restores](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-fast-snapshot-restores.html) command.

```
aws ec2 disable-fast-snapshot-restores \
    --availability-zones us-east-1a \
    --source-snapshot-ids snap-0abcdef1234567890
```

The following example uses the [describe-fast-snapshot-restores](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-fast-snapshot-restores.html) command to describe your disabled fast snapshot restores.

```
aws ec2 describe-fast-snapshot-restores \
    --filters Name=state,Values=disabled
```

------
#### [ PowerShell ]

**To enable fast snapshot restore**  
Use the [Enable-EC2FastSnapshotRestore](https://docs.aws.amazon.com/powershell/latest/reference/items/Enable-EC2FastSnapshotRestore.html) cmdlet.

```
Enable-EC2FastSnapshotRestore `
    -AvailabilityZone us-east-1a, us-east-1b `
    -SourceSnapshotId snap-0abcdef1234567890
```

**To disable fast snapshot restore**  
Use the [Disable-EC2FastSnapshotRestore](https://docs.aws.amazon.com/powershell/latest/reference/items/Disable-EC2FastSnapshotRestore.html) cmdlet.

```
Disable-EC2FastSnapshotRestore `
    -AvailabilityZone us-east-1a `
    -SourceSnapshotId snap-0abcdef1234567890
```

The following example uses the [Get-EC2FastSnapshotRestore](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2FastSnapshotRestore.html) cmdlet to describe your disabled fast snapshot restores.

```
Get-EC2FastSnapshotRestore `
    -Filter @{Name="state"; Values="disabled"}
```

------

# Check the fast snapshot restore state for an Amazon EBS snapshot
<a name="view-fsr-enabled-snapshots"></a>

Fast snapshot restore for a snapshot can be in one of the following states.
+ `enabling` — A request was made to enable fast snapshot restore.
+ `optimizing` — Fast snapshot restore is being enabled. It takes 60 minutes per TiB to optimize a snapshot. Snapshots in this state offer some performance benefit when restoring volumes.
+ `enabled` — Fast snapshot restore is enabled. Snapshots that are in this state and that have sufficient volume creation credits offer the full performance benefit when restoring volumes.
+ `disabling` — A request was made to disable fast snapshot restore, or a request to enable fast snapshot restore failed.
+ `disabled` — Fast snapshot restore is disabled. You can enable fast snapshot restore again as needed.

You can view the state of fast snapshot restore for a snapshot that you own or for a snapshot that is shared with you.

------
#### [ Console ]

**To view the state of fast snapshot restore**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot.

1. On the **Details** tab, **Fast snapshot restore** indicates the state of fast snapshot restore.

------
#### [ AWS CLI ]

**To view snapshots with fast snapshot restore enabled**  
Use the [describe-fast-snapshot-restores](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-fast-snapshot-restores.html) command.

```
aws ec2 describe-fast-snapshot-restores --filters Name=state,Values=enabled
```

The following is example output.

```
{
    "FastSnapshotRestores": [
        {
            "SnapshotId": "snap-0e946653493cb0447",
            "AvailabilityZone": "us-east-2a",
            "State": "enabled",
            "StateTransitionReason": "Client.UserInitiated - Lifecycle state transition",
            "OwnerId": "123456789012",
            "EnablingTime": "2020-01-25T23:57:49.596Z",
            "OptimizingTime": "2020-01-25T23:58:25.573Z",
            "EnabledTime": "2020-01-25T23:59:29.852Z"
        },
        {
            "SnapshotId": "snap-0e946653493cb0447",
            "AvailabilityZone": "us-east-2b",
            "State": "enabled",
            "StateTransitionReason": "Client.UserInitiated - Lifecycle state transition",
            "OwnerId": "123456789012",
            "EnablingTime": "2020-01-25T23:57:49.596Z",
            "OptimizingTime": "2020-01-25T23:58:25.573Z",
            "EnabledTime": "2020-01-25T23:59:29.852Z"
        }
    ]
}
```

------
#### [ PowerShell ]

**To view snapshots with fast snapshot restore enabled**  
Use the [Get-EC2FastSnapshotRestore](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2FastSnapshotRestore.html) cmdlet.

```
Get-EC2FastSnapshotRestore `
    -Filter @{Name="state"; Values="enabled"}
```

------

# View Amazon EBS volumes restored using fast snapshot restore
<a name="view-fast-restored-volumes"></a>

When you create a volume from a snapshot that is enabled for fast snapshot restore in the Availability Zone for the volume, it is restored using fast snapshot restore.

------
#### [ AWS CLI ]

**To view volumes that were created from a snapshot that is enabled for fast snapshot restore**  
Use the [describe-volumes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html) command.

```
aws ec2 describe-volumes --filters Name=fast-restored,Values=true
```

The following is example output.

```
{
    "Volumes": [
        {
            "Attachments": [],
            "AvailabilityZone": "us-east-2a",
            "CreateTime": "2020-01-26T00:34:11.093Z",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/8c5b2c63-b9bc-45a3-a87a-5513e232e843",
            "Size": 20,
            "SnapshotId": "snap-0abcdef1234567890",
            "State": "available",
            "VolumeId": "vol-01234567890abcdef",
            "Iops": 100,
            "VolumeType": "gp2",
            "FastRestored": true
        }
    ]
}
```

------
#### [ PowerShell ]

**To view volumes that were created from a snapshot that is enabled for fast snapshot restore**  
Use the [Get-EC2Volume](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Volume.html) cmdlet.

```
Get-EC2Volume -Filter @{Name="fast-restored"; Values="true"}
```

------

# Amazon EBS snapshot lock
<a name="ebs-snapshot-lock"></a>

You can lock your Amazon EBS snapshots to protect them against accidental or malicious deletions, or to store them in WORM (write-once-read-many) format for a specific duration. While a snapshot is locked, it can't be deleted by any user, regardless of their IAM permissions. You can continue to use a locked snapshot in the same way that you would use any other snapshot.

**Note**  
Snapshot lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations. For more information about how snapshot lock relates to these regulations, see the [Cohasset Associates Compliance Assessment](https://d1.awsstatic.com/Amazon-EBS-Cohasset-Assessment-2023-11-14-final.pdf).

You can lock snapshots in one of two modes: *compliance mode* or *governance mode*, and they can be locked for a specific duration or until a specific date. For more information, see [Lock mode](snapshot-lock-concepts.md#lock-mode) and [Lock duration](snapshot-lock-concepts.md#lock-duration).

**Pricing**  
You can lock and unlock snapshots at no additional cost. You pay the standard Amazon EBS snapshot storage costs for locked snapshots.

**Topics**
+ [Concepts](snapshot-lock-concepts.md)
+ [Considerations](snapshot-lock-considerations.md)
+ [Control access](snapshot-lock-iam.md)
+ [Lock a snapshot](lock-snapshot.md)
+ [Unlock a snapshot](unlock-snapshot.md)
+ [Update snapshot lock settings](update-snapshot-lock.md)
+ [Monitor snapshot lock](monitor-snapshot-lock.md)

# Amazon EBS snapshot lock concepts
<a name="snapshot-lock-concepts"></a>

The following are important concepts to understand as you get started using snapshot lock.

**Contents**
+ [Lock mode](#lock-mode)
+ [Lock duration](#lock-duration)
+ [Cooling-off period](#cool-off)
+ [Lock state](#lock-state)

## Lock mode
<a name="lock-mode"></a>

You can lock a snapshot in one of two modes:

**Governance mode**  
After a snapshot is locked, users with appropriate IAM permissions can unlock the snapshot and modify the lock mode and lock duration or expiry date at any time. When you lock a snapshot in governance mode, the snapshot is locked immediately; there is no cooling-off period. To delete a snapshot after it has been locked in governance mode, you must first unlock the snapshot or you must wait for the lock to expire.

You can use governance mode to meet your organization's data governance requirements by ensuring that only certain users have permission to unlock snapshots and modify snapshot lock configurations. You can also use governance mode to test your lock configuration before locking a snapshot in compliance mode.

**Compliance mode**  
When you lock a snapshot in compliance mode, you can optionally specify a cooling-off period that starts immediately after you lock the snapshot. During the cooling-off period, users with appropriate permissions can unlock the snapshot, change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration or expiry date. After the cooling-off period expires, you can't unlock the snapshot, change the lock mode, or decrease the lock duration or expiry date; you can only increase the lock duration or expiry date. To delete a snapshot after it has been locked in compliance mode and the cooling-off period has expired, you must wait for the lock to expire.

**Note**  
You can lock a snapshot in compliance mode without a cooling-off period by omitting the cooling-off period in the request. If you do this, the lock becomes effective immediately, and you can't unlock the snapshot, change the lock mode, or decrease the lock duration or expiry date; you can only increase the lock duration or expiry date.

You can use compliance mode to protect snapshots that should not be deleted for a specific period for compliance reasons. Compliance mode offers the following benefits:
+ It enables WORM (write-once, read-many) configuration for your snapshots.
+ It provides an additional layer of defense that protects snapshots from accidental or malicious deletions.
+ It enforces retention periods, which prevent early deletions by privileged users, to meet your organization's data protection policies and procedures.

**Note**  
The only way to delete a snapshot that is locked in compliance mode before its lock expires is to close the associated AWS account.

## Lock duration
<a name="lock-duration"></a>

The lock duration is the period of time for which the snapshot is to remain locked. You can specify the lock duration as one of the following, but not both:

**Number of days**  
The lock duration is specified as a number of days for which the snapshot is to remain locked. After the specified number of days has passed, the snapshot is automatically unlocked. The duration can range from 1 day to 36500 days (100 years).

**Lock expiration date**  
The lock duration is determined by an expiration date in the future. The snapshot remains locked until the lock expiration date is reached. When the lock expiration date is reached, the snapshot is automatically unlocked.

## Cooling-off period
<a name="cool-off"></a>

The cooling-off period is an optional period of time that you can specify when you lock a snapshot in compliance mode. During the cooling-off period, users with appropriate permissions can unlock the snapshot, change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration. After the cooling-off period expires, users can't unlock the snapshot, change the lock mode, reinstate the cooling-off period, or decrease the lock duration, regardless of their permissions.

A snapshot can't be deleted during the cooling-off period.

If specified, the cooling-off period starts immediately after you lock the snapshot. If omitted, the snapshot is locked in compliance mode immediately without a cooling-off period.

The cooling-off period can range from 1 to 72 hours. To lock a snapshot in compliance mode immediately without a cooling-off period, do not specify a cooling-off period in the request.

## Lock state
<a name="lock-state"></a>

A snapshot lock can be in one of the following states:
+ `compliance-cooloff` — The snapshot has been locked in compliance mode but it is still within the cooling-off period. The snapshot can't be deleted, but it can be unlocked and the lock settings can be modified by users with appropriate permissions.
+ `governance` — The snapshot is locked in governance mode. The snapshot can't be deleted, but it can be unlocked and the lock settings can be modified by users with appropriate permissions.
+ `compliance` — The snapshot is locked in compliance mode without a cooling-off period or the cooling-off period has expired. The snapshot can't be unlocked or deleted. The lock duration can only be increased by users with appropriate permissions.
+ `expired` — The snapshot was locked in compliance or governance mode but the lock has expired. The snapshot is not locked and can be deleted.
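
The lock modes, cooling-off period and lock states described above combine into a small state model that shows when a lock actually guarantees retention. This is an added example, not AWS code; `SnapshotLock`, `PERMITTED` and `deletion_blocked_until` are hypothetical names, the snapshot is assumed to be `completed` when it is locked, and exactly one of the duration or the expiration date is assumed to be required.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Operations the page allows a user with the relevant IAM permissions to
# perform in each lock state. Deletion is possible only once the lock is gone.
PERMITTED = {
    "governance": {"unlock", "change_mode", "shorten_lock", "extend_lock"},
    "compliance-cooloff": {"unlock", "change_mode", "change_cool_off",
                           "shorten_lock", "extend_lock"},
    "compliance": {"extend_lock"},
    "expired": {"delete"},
}


@dataclass(frozen=True)
class SnapshotLock:
    mode: str                                  # "governance" or "compliance"
    locked_at: datetime                        # assumed: snapshot already completed
    lock_duration_days: Optional[int] = None
    expiration_date: Optional[datetime] = None
    cool_off_hours: Optional[int] = None

    def __post_init__(self):
        if self.mode not in ("governance", "compliance"):
            raise ValueError("mode must be governance or compliance")
        if (self.lock_duration_days is None) == (self.expiration_date is None):
            raise ValueError("specify exactly one of lock duration or expiration date")
        if self.lock_duration_days is not None and not 1 <= self.lock_duration_days <= 36500:
            raise ValueError("lock duration must be 1 to 36500 days")
        if self.expiration_date is not None and self.expiration_date <= self.locked_at:
            raise ValueError("expiration date must be in the future")
        if self.cool_off_hours is not None:
            if self.mode != "compliance":
                raise ValueError("cooling-off period applies to compliance mode only")
            if not 1 <= self.cool_off_hours <= 72:
                raise ValueError("cooling-off period must be 1 to 72 hours")

    @property
    def expires_at(self) -> datetime:
        if self.expiration_date is not None:
            return self.expiration_date
        return self.locked_at + timedelta(days=self.lock_duration_days)

    def state(self, now: datetime) -> str:
        """Lock state at `now`, using the state names listed on this page."""
        if now >= self.expires_at:
            return "expired"
        if self.mode == "governance":
            return "governance"
        if self.cool_off_hours is not None:
            if now < self.locked_at + timedelta(hours=self.cool_off_hours):
                return "compliance-cooloff"
        return "compliance"

    def permitted(self, now: datetime, operation: str) -> bool:
        return operation in PERMITTED[self.state(now)]

    def deletion_blocked_until(self, now: datetime, principal_can_unlock: bool) -> datetime:
        """Time until which the lock is guaranteed to block deletion.

        If the principal holds unlock permission and the state still allows
        unlocking, the lock guarantees nothing beyond `now`.
        """
        if principal_can_unlock and self.permitted(now, "unlock"):
            return now
        return self.expires_at


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    lock = SnapshotLock("compliance", t0, lock_duration_days=30, cool_off_hours=24)
    for hours in (1, 24, 24 * 30):
        now = t0 + timedelta(hours=hours)
        print(hours, lock.state(now), lock.deletion_blocked_until(now, True))
```

The model makes the review point explicit: in `governance` and `compliance-cooloff`, retention rests on who holds `ec2:UnlockSnapshot`, while in `compliance` it holds regardless of permissions.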

# Considerations for Amazon EBS snapshot lock
<a name="snapshot-lock-considerations"></a>

Keep the following in mind when locking Amazon EBS snapshots.
+ You can lock a snapshot only if it is in the `pending` or `completed` state.
  + If you lock a snapshot while it is in the `pending` state, and you lock it for a specific duration, the lock duration starts only when the snapshot reaches the `completed` state. The snapshot can't be deleted while it is in the `pending` state.
  + If you lock a snapshot while it is in the `pending` state and the snapshot creation fails for any reason, the lock is canceled.
+ If you extend the lock duration for a snapshot that is locked in compliance mode after the cooling-off period has expired, you can't specify another cooling-off period. If you specify a cooling-off period, the request fails.
+ You can lock archived snapshots. And you can archive locked snapshots.
+ You can lock snapshots that are associated with an AMI.
+ You can deregister an AMI that has associated snapshots that are locked.
+ You can delete the KMS key used to encrypt a locked snapshot.
+ We recommend that you do not lock snapshots created by AWS Backup. AWS Backup already ensures that its snapshots are not deleted before their retention period expires. To add an additional layer of security for snapshots managed by AWS Backup, we recommend that you use AWS Backup Vault Lock. For more information, see [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html).
+ You can't lock snapshots during creation or during AMI registration.
+ You can't lock local Amazon EBS snapshots on AWS Outposts.
+ The only way to delete a snapshot that is locked in compliance mode before its lock expires is to close the associated AWS account.

  If you close your AWS account while you have locked snapshots, AWS suspends your account for 90 days with your snapshots intact. If you do not reopen your account within the 90 days, AWS deletes your snapshots, even if they are locked.

# Control access to Amazon EBS snapshot lock
<a name="snapshot-lock-iam"></a>

By default, users don't have permission to work with snapshot locks. To allow users to use snapshot locks, you must create IAM policies that grant permission to use specific resources and API actions. For more information, see [Creating IAM policies in the IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html).

**Topics**
+ [Required permissions](#snapshot-lock-req-perms)
+ [Restrict access with condition keys](#snapshot-lock-condition-keys)

## Required permissions
<a name="snapshot-lock-req-perms"></a>

To work with snapshot locks, users need the following permissions.
+ `ec2:LockSnapshot` — To lock snapshots.
+ `ec2:UnlockSnapshot` — To unlock snapshots.
+ `ec2:DescribeLockedSnapshots` — To view snapshot lock settings.

The following is an example IAM policy that gives users permission to lock and unlock snapshots, and to view snapshot lock settings. It includes the `ec2:DescribeSnapshots` permission for console users. If some permissions are not needed, you can remove them from the policy.

------
#### [ JSON ]

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSnapshotLockOperations",
      "Effect": "Allow",
      "Action": [
        "ec2:LockSnapshot",
        "ec2:UnlockSnapshot",
        "ec2:DescribeLockedSnapshots",
        "ec2:DescribeSnapshots"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:111122223333:volume/*"
      ]
    }
  ]
}
```

------

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Restrict access with condition keys
<a name="snapshot-lock-condition-keys"></a>

You can use condition keys to restrict how users are allowed to lock snapshots.

**Topics**
+ [ec2:SnapshotLockDuration](#snapshotlockduration)
+ [ec2:CoolOffPeriod](#cooloffperiod)

### ec2:SnapshotLockDuration
<a name="snapshotlockduration"></a>

You can use the `ec2:SnapshotLockDuration` condition key to restrict users to specific lock durations when locking snapshots.

The following example policy restricts users to specifying a lock duration between `10` and `50` days.

------
#### [ JSON ]

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSnapshotLockWithDurationCondition",
      "Effect": "Allow",
      "Action": "ec2:LockSnapshot",
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "NumericGreaterThan": {
          "ec2:SnapshotLockDuration": 10
        },
        "NumericLessThan": {
          "ec2:SnapshotLockDuration": 50
        }
      }
    }
  ]
}
```

------

### ec2:CoolOffPeriod
<a name="cooloffperiod"></a>

You can use the `ec2:CoolOffPeriod` condition key to prevent users from locking snapshots in compliance mode without a cooling-off period.

The following example policy restricts users to specifying a cooling-off period greater than `48` hours when locking snapshots in compliance mode.

------
#### [ JSON ]

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSnapshotLockWithCondition",
      "Effect": "Allow",
      "Action": "ec2:LockSnapshot",
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "NumericGreaterThan": {
          "ec2:CoolOffPeriod": 48
        }
      }
    }
  ]
}
```

------
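
The numeric operators in the two condition-key policies above are strict comparisons, so the bounds themselves are excluded, and a request that carries no value for the key does not match. The following added example (not AWS code) evaluates those `Condition` blocks over the documented value ranges. `condition_matches` and `accepted_values` are hypothetical helpers, the request context is modelled as a plain dict, and `INCLUSIVE_DURATION_CONDITION` is a variant constructed here for comparison.

```python
# Semantics of the IAM numeric condition operators used in this example.
OPERATORS = {
    "NumericGreaterThan": lambda actual, bound: actual > bound,
    "NumericLessThan": lambda actual, bound: actual < bound,
    "NumericGreaterThanEquals": lambda actual, bound: actual >= bound,
    "NumericLessThanEquals": lambda actual, bound: actual <= bound,
}

# Condition blocks copied from the two example policies in this section.
DURATION_CONDITION = {
    "NumericGreaterThan": {"ec2:SnapshotLockDuration": 10},
    "NumericLessThan": {"ec2:SnapshotLockDuration": 50},
}
COOL_OFF_CONDITION = {
    "NumericGreaterThan": {"ec2:CoolOffPeriod": 48},
}

# Constructed variant (not from the page): the same bounds, made inclusive.
INCLUSIVE_DURATION_CONDITION = {
    "NumericGreaterThanEquals": {"ec2:SnapshotLockDuration": 10},
    "NumericLessThanEquals": {"ec2:SnapshotLockDuration": 50},
}


def condition_matches(condition: dict, context: dict) -> bool:
    """True only if every operator/key pair matches (conditions are ANDed).

    A key that is absent from the request context never matches, which is
    how these operators behave without the IfExists suffix.
    """
    for operator, keys in condition.items():
        compare = OPERATORS[operator]
        for key, bound in keys.items():
            if key not in context:
                return False
            if not compare(float(context[key]), float(bound)):
                return False
    return True


def accepted_values(condition: dict, key: str, candidates) -> list:
    """Values of `key` for which the Allow statement's condition matches."""
    return [v for v in candidates if condition_matches(condition, {key: v})]


if __name__ == "__main__":
    # Lock duration can range from 1 to 36500 days, cooling-off from 1 to 72 hours.
    days = accepted_values(DURATION_CONDITION, "ec2:SnapshotLockDuration", range(1, 36501))
    hours = accepted_values(COOL_OFF_CONDITION, "ec2:CoolOffPeriod", range(1, 73))
    print("lock durations allowed:", days[0], "to", days[-1], "days")
    print("cooling-off periods allowed:", hours[0], "to", hours[-1], "hours")
    print("request without a cooling-off period matches:",
          condition_matches(COOL_OFF_CONDITION, {}))
```
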

# Lock an Amazon EBS snapshot
<a name="lock-snapshot"></a>

You can lock a snapshot that is in the `pending` or `completed` state. For more information, see [Considerations for Amazon EBS snapshot lock](snapshot-lock-considerations.md).

------
#### [ Console ]

**To lock a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot to lock and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.

1. Select **Lock snapshot**.

1. For **Lock mode**, choose either **Governance mode** or **Compliance mode**. For more information, see [Lock mode](snapshot-lock-concepts.md#lock-mode).

1. For **Lock duration**, do one of the following:
   + To lock the snapshot for a specific period, choose **Lock snapshot for**, and then enter the period in either days or years.
   + To lock the snapshot until a specific date and time, choose **Lock snapshot until**, and then select the expiration date and time.

   For more information, see [Lock duration](snapshot-lock-concepts.md#lock-duration).

1. (*Compliance mode only*) For **Cooling-off period**, specify a cooling-off period during which you can unlock the snapshot and modify the lock configuration. For more information, see [Cooling-off period](snapshot-lock-concepts.md#cool-off).

1. (*Compliance mode only*) To confirm that you want to lock the snapshot in compliance mode and that you will not be able to unlock the snapshot after the cooling-off period expires, choose **Acknowledge**.

1. Choose **Save lock settings**.

------
#### [ AWS CLI ]

**To lock a snapshot in governance mode**  
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. For `--lock-mode`, specify `governance`. To lock the snapshot for a specific period, for `--lock-duration`, specify the period, in days.

```
aws ec2 lock-snapshot \
    --snapshot-id snap-0abcdef1234567890 \
    --lock-mode governance \
    --lock-duration 30
```

To lock the snapshot until a specific date, for `--expiration-date`, specify the date and time at which the lock must expire, in the UTC time zone.

```
aws ec2 lock-snapshot \
    --snapshot-id snap-0abcdef1234567890 \
    --lock-mode governance \
    --expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```

**To lock a snapshot in compliance mode**  
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. For `--lock-mode`, specify `compliance`. For `--cool-off-period`, optionally specify a cooling-off period, in hours. To lock the snapshot for a specific period, for `--lock-duration`, specify the number of days to lock the snapshot.

```
aws ec2 lock-snapshot \
    --snapshot-id snap-0abcdef1234567890 \
    --lock-mode compliance \
    --cool-off-period 24 \
    --lock-duration 30
```

To lock the snapshot until a specific date, for `--expiration-date`, specify the date and time at which the lock must expire, in the UTC time zone.

```
aws ec2 lock-snapshot \
    --snapshot-id snap-0abcdef1234567890 \
    --lock-mode compliance \
    --expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```

------
#### [ PowerShell ]

**To lock a snapshot in governance mode**  
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. You can optionally specify the duration of the snapshot lock, in days.

```
Lock-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890 `
    -LockMode "governance" `
    -LockDuration 30
```

Alternatively, you can lock the snapshot until a specific date, in the UTC time zone.

```
Lock-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890 `
    -LockMode "governance" `
    -ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```

**To lock a snapshot in compliance mode**  
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. You can optionally specify a cooling-off period, in hours. You can also optionally specify the duration of the snapshot lock, in days.

```
Lock-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890 `
    -LockMode "compliance" `
    -CoolOffPeriod 24 `
    -LockDuration 30
```

Alternatively, you can lock the snapshot until a specific date, in the UTC time zone.

```
Lock-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890 `
    -LockMode "compliance" `
    -ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```

------

# Unlock an Amazon EBS snapshot
<a name="unlock-snapshot"></a>

You can unlock a snapshot only if it is locked in governance mode, or if it is locked in compliance mode and it is still within the cooling-off period.

------
#### [ Console ]

**To unlock a snapshot**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot to unlock and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.

1. Choose **Unlock snapshot** and then choose **Unlock snapshot** again to confirm.

------
#### [ AWS CLI ]

**To unlock a snapshot**  
Use the [unlock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/unlock-snapshot.html) command.

```
aws ec2 unlock-snapshot --snapshot-id snap-0abcdef1234567890
```

------
#### [ PowerShell ]

**To unlock a snapshot**  
Use the [Unlock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Unlock-EC2Snapshot.html) cmdlet.

```
Unlock-EC2Snapshot -SnapshotId snap-0abcdef1234567890
```

------

# Update Amazon EBS snapshot lock settings
<a name="update-snapshot-lock"></a>

The allowed updates depend on the lock state:
+ `governance` — you can change the lock mode and increase or decrease the lock duration or expiration date.
+ `compliance-cooloff` — you can change the lock mode, increase or decrease the cooling-off period, and increase or decrease the lock duration or expiration date.
+ `compliance` — you can only increase the lock duration or expiration date.

------
#### [ Console ]

**To update snapshot lock settings**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Snapshots**.

1. Select the snapshot for which to modify the lock settings and choose **Actions**, **Snapshot settings**, **Manage snapshot lock**.

1. Update the settings as needed, and then choose **Save lock settings**.

------
#### [ AWS CLI ]

**To update snapshot lock settings**  
Use the [lock-snapshot](https://docs.aws.amazon.com/cli/latest/reference/ec2/lock-snapshot.html) command. Specify the ID of the snapshot and the options to modify. The following example changes the expiration date.

```
aws ec2 lock-snapshot \
    --snapshot-id snap-0abcdef1234567890 \
    --lock-mode governance \
    --expiration-date YYYY-MM-DDThh:mm:ss.sssZ
```

------
#### [ PowerShell ]

**To update snapshot lock settings**  
Use the [Lock-EC2Snapshot](https://docs.aws.amazon.com/powershell/latest/reference/items/Lock-EC2Snapshot.html) cmdlet. Specify the ID of the snapshot and the options to modify. The following example changes the expiration date.

```
Lock-EC2Snapshot `
    -SnapshotId snap-0abcdef1234567890 `
    -LockMode "governance" `
    -ExpirationDate YYYY-MM-DDThh:mm:ss.sssZ
```

------

# Monitor Amazon EBS snapshot lock
<a name="monitor-snapshot-lock"></a>

You can monitor actions related to Amazon EBS snapshot lock using the following tools:

**Topics**
+ [Monitor using CloudTrail](#snapshot-lock-ct)
+ [Monitor using EventBridge](#snapshot-lock-ev)

## Monitor Amazon EBS snapshot locks using AWS CloudTrail
<a name="snapshot-lock-ct"></a>

CloudTrail captures API calls for snapshot locks as events, including calls from the console and calls that your code makes to the APIs. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, who made the request, when it was made, and additional details.

For more information, see [Log API calls using AWS CloudTrail](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html).

## Monitor Amazon EBS snapshot locks using Amazon EventBridge
<a name="snapshot-lock-ev"></a>

Amazon EBS emits events related to snapshot lock actions. You can use AWS Lambda and Amazon EventBridge to handle event notifications programmatically. Events are emitted on a best-effort basis. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).

The following events are emitted:
+ Successfully locked snapshot in governance or compliance mode.

  ```
  {
    "version": "0",
    "id": "01234567-01234-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "account": "012345678901",
    "time": "yyyy-mm-ddThh:mm:ssZ",
    "region": "us-east-1",
    "resources": [
      "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
    ],
    "detail": {
      "event": "lockSnapshot",
      "result": "succeeded",
      "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef",
      "source": "012345678901",
      "lockState": "compliance-cooloff", 
      "lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ", 
      "lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ",
      "lockDuration": 123, 
      "lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ", 
      "cooOffPeriod": 24, 
      "coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ"
    } 
  }
  ```
+ Failed lock event when a snapshot is locked while it is in the `pending` state, and it fails to reach the `completed` state.

  ```
  {
    "version": "0", 
    "id": "01234567-01234-0123-0123-012345678901", 
    "detail-type": "EBS Snapshot Notification", 
    "source": "aws.ec2", 
    "account": "012345678901", 
    "time": "yyyy-mm-ddThh:mm:ssZ", 
    "region": "us-east-1", 
    "resources": [
      "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
    ], 
    "detail": {
      "event": "lockSnapshot", 
      "result": "failed", 
      "cause": "snapshot failed", 
      "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef", 
      "lockState": "pending-compliance", 
      "lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ",
      "lockDuration": 123, 
      "lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ", 
      "cooOffPeriod": 24, 
      "coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ" 
    }
  }
  ```
+ Lock expired

  ```
  {
    "version": "0", 
    "id": "01234567-01234-0123-0123-012345678901", 
    "detail-type": "EBS Snapshot Notification", 
    "source": "aws.ec2", 
    "account": "012345678901", 
    "time": "yyyy-mm-ddThh:mm:ssZ", 
    "region": "us-east-1", 
    "resources": [
      "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
    ], 
    "detail": {
      "event": "lockDurationExpiry", 
      "result": "succeeded", 
      "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef", 
      "lockState": "expired", 
      "lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ", 
      "lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ", 
      "lockDuration": 123
    }
  }
  ```
+ Cooling-off period expired after being locked in compliance mode.

  ```
  {
    "version": "0", 
    "id": "01234567-01234-0123-0123-012345678901", 
    "detail-type": "EBS Snapshot Notification", 
    "source": "aws.ec2", 
    "account": "012345678901", 
    "time": "yyyy-mm-ddThh:mm:ssZ", 
    "region": "us-east-1", 
    "resources": [ 
      "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef" 
    ], 
    "detail": {
      "event": "cooloffperiodExpiry", 
      "result": "succeeded", 
      "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef", 
      "lockState": "compliance", 
      "lockCreatedOn": "yyyy-mm-ddThh:mm:ssZ", 
      "lockExpiresOn": "yyyy-mm-ddThh:mm:ssZ",
      "lockDuration": 123, 
      "lockStartDurationTime": "yyyy-mm-ddThh:mm:ssZ", 
      "cooOffPeriod": 24, 
      "coolOffPeriodExpiresOn": "yyyy-mm-ddThh:mm:ssZ"
    }
  }
  ```
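
The following added example (not part of the AWS documentation) shows one way to triage these events in an AWS Lambda function behind an EventBridge rule. The rule pattern uses only values from the sample events above; the function names, the severity levels, and the sample events with concrete timestamps are assumptions made for illustration.

```python
from datetime import datetime, timezone

# EventBridge rule pattern built only from values shown in the sample events above.
LOCK_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Snapshot Notification"],
    "detail": {"event": ["lockSnapshot", "lockDurationExpiry", "cooloffperiodExpiry"]},
}
LOCK_EVENTS = set(LOCK_EVENT_PATTERN["detail"]["event"])


def parse_utc(ts):
    """Parse 'YYYY-MM-DDThh:mm:ssZ' into an aware UTC datetime; None if missing."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_lock_event(event):
    """Map one event to a finding dict, or None if it is not a snapshot lock event."""
    if event.get("source") != "aws.ec2":
        return None
    if event.get("detail-type") != "EBS Snapshot Notification":
        return None
    detail = event.get("detail", {})
    kind = detail.get("event")
    if kind not in LOCK_EVENTS:
        return None  # other snapshot notifications share this detail-type

    finding = {
        "snapshot": detail.get("snapshot_id", "").rsplit("/", 1)[-1],
        "state": detail.get("lockState"),
        "severity": "info",  # severity levels are this example's own choice
        "summary": "snapshot locked",
        "hours_to_irreversible": None,
    }
    if kind == "lockSnapshot" and detail.get("result") == "failed":
        finding["severity"] = "high"
        finding["summary"] = "lock not applied: " + detail.get("cause", "unknown cause")
    elif kind == "lockSnapshot" and finding["state"] == "compliance-cooloff":
        # Time left in which the lock can still be removed or reconfigured.
        start = parse_utc(event.get("time"))
        end = parse_utc(detail.get("coolOffPeriodExpiresOn"))
        if start and end:
            finding["hours_to_irreversible"] = (end - start).total_seconds() / 3600
        finding["severity"] = "medium"
        finding["summary"] = "compliance lock can still be unlocked or changed"
    elif kind == "cooloffperiodExpiry":
        finding["severity"] = "medium"
        finding["summary"] = "cooling-off period ended; lock can no longer be removed"
    elif kind == "lockDurationExpiry":
        finding["severity"] = "high"
        finding["summary"] = "lock expired; snapshot is no longer locked"
    return finding


def lambda_handler(event, context):
    """Entry point when the rule targets an AWS Lambda function."""
    finding = triage_lock_event(event)
    if finding and finding["severity"] != "info":
        print(finding)  # replace with your alerting channel
    return finding


def sample_event(kind, result, state, **extra):
    """Constructed sample event in the shape documented above (not captured from AWS)."""
    arn = "arn:aws:ec2::us-west-2:snapshot/snap-01234567890abcdef"
    return {
        "version": "0",
        "detail-type": "EBS Snapshot Notification",
        "source": "aws.ec2",
        "account": "012345678901",
        "time": "2024-01-10T08:00:00Z",
        "region": "us-east-1",
        "resources": [arn],
        "detail": {"event": kind, "result": result, "snapshot_id": arn,
                   "lockState": state, **extra},
    }


SAMPLE_EVENTS = [
    sample_event("lockSnapshot", "succeeded", "compliance-cooloff",
                 coolOffPeriodExpiresOn="2024-01-11T08:00:00Z"),
    sample_event("lockSnapshot", "failed", "pending-compliance", cause="snapshot failed"),
    sample_event("cooloffperiodExpiry", "succeeded", "compliance"),
    sample_event("lockDurationExpiry", "succeeded", "expired"),
    sample_event("createSnapshot", "succeeded", None),  # not a lock event
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_lock_event(ev))
```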

# Block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots"></a>

To prevent public sharing of your snapshots, you can enable *block public access for snapshots*. After you enable block public access for snapshots in a Region, any attempt to publicly share snapshots in that Region is automatically blocked. This can help you to improve the security of your snapshots and to protect your snapshot data from unauthorized or unintended access.

Block public access for snapshots can be enabled in one of two modes:
+ **Block all sharing** — Blocks all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ **Block new sharing** — Blocks only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**Considerations**

Keep the following in mind when working with block public access for snapshots.
+ Block public access for snapshots does not prevent private snapshot sharing.
+ Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.

  If you later disable block public access or change the mode to *block new sharing*, these snapshots will become publicly available again.
+ Block public access for snapshots is a Regional setting. It applies to all snapshots in the Region in which it is enabled. You need to enable block public access for snapshots in each Region in which you want to prevent the public sharing of your snapshots.
+ Block public access is an account-level setting. It applies to all users, including administrator users, in the account. You can't enable block public access for snapshots at the organization level.
+ The block public access setting is configured either directly in the account or by using a declarative policy. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.
+ Block public access for snapshots does not prevent the public sharing of EBS-backed AMIs. If you enable block public access for snapshots, users can still publicly share EBS-backed AMIs. If an EBS-backed AMI is publicly shared, users with access to that AMI can create volumes from its associated snapshots. To prevent public sharing of your AMIs, enable *[block public access for AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html#block-public-access-to-amis)*.
+ Block public access for snapshots is not supported with local snapshots on AWS Outposts.

**Pricing**  
Block public access for snapshots can be enabled at no additional cost.

**Contents**
+ [IAM permissions](block-public-access-snapshots-perms.md)
+ [Configure block public access](block-public-access-snapshots-enable.md)
+ [View block public access setting](block-public-access-snapshots-view.md)
+ [Disable block public access](block-public-access-snapshots-disable.md)
+ [Monitor block public access](block-public-access-snapshots-events.md)

# IAM permissions for block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-perms"></a>

By default, users don't have permission to work with block public access for snapshots. To allow users to work with block public access for snapshots, you must create IAM policies that grant permission to use specific API actions. Once the policies are created, you must add permissions to your users, groups, or roles.

To work with block public access for snapshots, users need the following permissions.
+ `ec2:EnableSnapshotBlockPublicAccess` — Enable block public access for snapshots and modify the mode.
+ `ec2:DisableSnapshotBlockPublicAccess` — Disable block public access for snapshots.
+ `ec2:GetSnapshotBlockPublicAccessState` — View the block public access for snapshots setting for a Region.

The following is an example IAM policy. If some permissions are not needed, you can remove them from the policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:EnableSnapshotBlockPublicAccess",
            "ec2:DisableSnapshotBlockPublicAccess",
            "ec2:GetSnapshotBlockPublicAccessState"
        ],
        "Resource": "*"
    }]
}
```

------

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Configure block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-enable"></a>

Enable block public access for snapshots to prevent the public sharing of snapshots in the Region. After this feature is enabled, requests to publicly share snapshots in the Region are blocked.

**Important**  
Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.  
If you later disable block public access or change the mode to *block new sharing*, these snapshots will become publicly available again.

**Note**  
This setting is configured at the account level, either directly in the account or by using a declarative policy. It must be configured in each AWS Region where you want to prevent the public sharing of snapshots. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

------
#### [ Console ]

**To configure block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. In the **Block public access for EBS snapshots** section, choose **Manage**.

1. Select **Block public access** and then choose one of the following options:
   + **Block all public access** — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
   + **Block new public sharing** — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

1. Choose **Update**.

------
#### [ AWS CLI ]

**To enable or modify block public access for snapshots**  
Use the [enable-snapshot-block-public-access](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-snapshot-block-public-access.html) command. For `--state` specify one of the following values:
+ `block-all-sharing` — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ `block-new-sharing` — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**To enable or modify block public access for snapshots for a specific Region**

```
aws ec2 enable-snapshot-block-public-access \
    --state block-new-sharing \
    --region us-east-1
```

The following is example output.

```
{
    "State": "block-new-sharing"
}
```

**To enable or modify block public access for snapshots for all Regions**

```
echo -e "Region   \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    ); 
    do (output=$(
        aws ec2 enable-snapshot-block-public-access \
            --region $region \
            --state block-new-sharing \
            --output text)
        echo -e "$region \t $output" 
    );
done
```

The following is example output.

```
Region           Public Access State
--------------   ----------------------
ap-south-1       block-new-sharing
eu-north-1       block-new-sharing
eu-west-3        block-new-sharing
...
```

------
#### [ PowerShell ]

**To enable or modify block public access for snapshots**  
Use the [Enable-EC2SnapshotBlockPublicAccess](https://docs.aws.amazon.com/powershell/latest/reference/items/Enable-EC2SnapshotBlockPublicAccess.html) cmdlet. For `-State` specify one of the following values:
+ `block-all-sharing` — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ `block-new-sharing` — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**To enable or modify block public access for snapshots for a specific Region**

```
Enable-EC2SnapshotBlockPublicAccess `
    -Region us-east-1 `
    -State block-new-sharing
```

The following is example output.

```
Value
-----
block-new-sharing
```

**To enable or modify block public access for snapshots for all Regions**

```
(Get-EC2Region -Region us-east-1).RegionName | `
    ForEach-Object {
    [PSCustomObject]@{
        Region            = $_
        PublicAccessState = (
            Enable-EC2SnapshotBlockPublicAccess `
                -Region $_ `
                -State block-new-sharing)
    }
} | Format-Table -AutoSize
```

The following is example output.

```
Region         PublicAccessState
------         -----------------
ap-south-1     block-new-sharing
eu-north-1     block-new-sharing
eu-west-3      block-new-sharing
...
```

------

# View the block public access setting for Amazon EBS snapshots
<a name="block-public-access-snapshots-view"></a>

Block public access can be in one of the following states for each Region in your account.
+ **Block all sharing** — All public sharing of your snapshots is blocked. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are not publicly available.
+ **Block new sharing** — Only new public sharing of your snapshots is blocked. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.
+ **Unblocked** — Public sharing is not blocked. Users can publicly share snapshots.

------
#### [ Console ]

**To view the setting for block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. The **Block public access for EBS snapshots** section shows the current setting.

------
#### [ AWS CLI ]

**To view the setting for block public access for snapshots**  
Use the [get-snapshot-block-public-access-state](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-snapshot-block-public-access-state.html) command.
+ For a specific Region

  ```
  aws ec2 get-snapshot-block-public-access-state
  ```

  In this example output, the `ManagedBy` field indicates the entity that configured the setting and `account` indicates that the setting was configured directly in the account. A value of `declarative-policy` would mean the setting was configured by a declarative policy. For more information, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

  ```
  {
      "State": "unblocked",
      "ManagedBy": "account"
  }
  ```
+ For all Regions

  ```
  echo -e "Region   \t Public Access State" ; \
  echo -e "-------------- \t ----------------------" ; \
  for region in $(
      aws ec2 describe-regions \
          --region us-east-1 \
          --query "Regions[*].[RegionName]" \
          --output text
      ); 
      do (output=$(
          aws ec2 get-snapshot-block-public-access-state \
              --region $region \
              --output text)
          echo -e "$region \t $output" 
      );
  done
  ```

  The following is example output.

  ```
  Region           Public Access State
  --------------   ----------------------
  ap-south-1       unblocked
  eu-north-1       unblocked
  eu-west-3        unblocked
  ```

------
#### [ PowerShell ]

**To view the setting for block public access for snapshots**  
Use the [Get-EC2SnapshotBlockPublicAccessState](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2SnapshotBlockPublicAccessState.html) cmdlet.
+ For a specific Region

  ```
  Get-EC2SnapshotBlockPublicAccessState -Region us-east-1
  ```

  The following is example output.

  ```
  Value
  -----
  block-new-sharing
  ```
+ For all Regions

  ```
  (Get-EC2Region -Region us-east-1).RegionName | `
      ForEach-Object {
      [PSCustomObject]@{
          Region            = $_
          PublicAccessState = (Get-EC2SnapshotBlockPublicAccessState -Region $_)
      }
  } | Format-Table -AutoSize
  ```

  The following is example output.

  ```
  Region           Public Access State
  --------------   ----------------------
  ap-south-1       unblocked
  eu-north-1       unblocked
  eu-west-3        unblocked
  ...
  ```

------
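
The per-Region state does not show which snapshots are affected by it. The following added example (not part of the AWS documentation) combines the state with the snapshots whose attributes still mark them as public, so you can see what is exposed now and what would be exposed again if *block all sharing* were relaxed. The function names and sample data are constructed for illustration; the optional `collect` helper assumes the AWS SDK for Python (boto3), the `ec2:GetSnapshotBlockPublicAccessState` and `ec2:DescribeSnapshots` permissions, and that `describe_snapshots` with `RestorableByUserIds=["all"]` reflects the snapshot's public-sharing attribute.

```python
def effective_exposure(region_states, public_snapshots):
    """Combine the per-Region setting with snapshots whose attributes mark them public.

    region_states:    {region: {"State": ..., "ManagedBy": ...}}
    public_snapshots: {region: [snapshot IDs shared with the 'all' group]}
    """
    report = []
    for region in sorted(region_states):
        setting = region_states[region]
        state = setting["State"]
        marked_public = sorted(public_snapshots.get(region, []))
        # In block-all-sharing mode the attribute stays set, but the snapshot
        # is treated as private until the mode is relaxed or disabled.
        hidden = state == "block-all-sharing"
        report.append({
            "region": region,
            "state": state,
            "exposed_now": [] if hidden else marked_public,
            "exposed_if_relaxed": marked_public if hidden else [],
            "new_public_sharing_possible": state == "unblocked",
            # A declarative policy means the setting can't be changed in the account.
            "changeable_in_account": setting.get("ManagedBy", "account") == "account",
        })
    return report


def regions_needing_action(report):
    """Regions where public data is reachable now or new public sharing is allowed."""
    return [r["region"] for r in report
            if r["exposed_now"] or r["new_public_sharing_possible"]]


def collect(regions):
    """Live collection with boto3 (assumption: boto3 installed, credentials set)."""
    import boto3  # imported here so the analysis above runs without the SDK

    states, public = {}, {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        resp = ec2.get_snapshot_block_public_access_state()
        states[region] = {"State": resp["State"],
                          "ManagedBy": resp.get("ManagedBy", "account")}
        pages = ec2.get_paginator("describe_snapshots").paginate(
            OwnerIds=["self"], RestorableByUserIds=["all"])
        public[region] = [s["SnapshotId"] for page in pages for s in page["Snapshots"]]
    return states, public


# Constructed sample data (not real account output).
SAMPLE_STATES = {
    "us-east-1": {"State": "block-all-sharing", "ManagedBy": "account"},
    "eu-west-1": {"State": "block-new-sharing", "ManagedBy": "declarative-policy"},
    "ap-south-1": {"State": "unblocked", "ManagedBy": "account"},
}
SAMPLE_PUBLIC = {
    "us-east-1": ["snap-0aaaaaaaaaaaaaaa1"],
    "eu-west-1": ["snap-0ccccccccccccccc3", "snap-0bbbbbbbbbbbbbbb2"],
}

if __name__ == "__main__":
    for row in effective_exposure(SAMPLE_STATES, SAMPLE_PUBLIC):
        print(row)
```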

# Disable block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-disable"></a>

Disable block public access for snapshots to allow public sharing of snapshots in the Region. After this feature is disabled, users can publicly share snapshots in the Region.

**Important**  
Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.  
If you disable block public access, these snapshots will become publicly available again.

**Note**  
This setting is configured at the account level, either directly in the account or by using a declarative policy. It must be configured in each AWS Region where you want to allow the public sharing of snapshots. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

------
#### [ Console ]

**To disable block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. In the **Block public access for EBS snapshots** section, choose **Manage**.

1. Clear **Block public access** and choose **Update**.

------
#### [ AWS CLI ]

**To disable block public access for snapshots**  
Use the [disable-snapshot-block-public-access](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-snapshot-block-public-access.html) command.
+ For a specific Region

  ```
  aws ec2 disable-snapshot-block-public-access --region us-east-1
  ```

  The following is example output.

  ```
  {
      "State": "unblocked"
  }
  ```
+ For all Regions

  ```
  echo -e "Region   \t Public Access State" ; \
  echo -e "-------------- \t ----------------------" ; \
  for region in $(
      aws ec2 describe-regions \
          --region us-east-1 \
          --query "Regions[*].[RegionName]" \
          --output text
      ); 
      do (output=$(
          aws ec2 disable-snapshot-block-public-access \
              --region $region \
              --output text)
          echo -e "$region \t $output" 
      );
  done
  ```

  The following is example output.

  ```
  Region           Public Access State
  --------------   ----------------------
  ap-south-1       unblocked
  eu-north-1       unblocked
  eu-west-3        unblocked
  ```

------
#### [ PowerShell ]

**To disable block public access for snapshots**  
Use the [Disable-EC2SnapshotBlockPublicAccess](https://docs.aws.amazon.com/powershell/latest/reference/items/Disable-EC2SnapshotBlockPublicAccess.html) cmdlet.
+ For a specific Region

  ```
  Disable-EC2SnapshotBlockPublicAccess -Region us-east-1
  ```

  The following is example output.

  ```
  Value
  -----
  unblocked
  ```
+ For all Regions

  ```
  (Get-EC2Region -Region us-east-1).RegionName | `
      ForEach-Object {
      [PSCustomObject]@{
          Region            = $_
          PublicAccessState = (Disable-EC2SnapshotBlockPublicAccess -Region $_)
      }
  } | `
  Format-Table -AutoSize
  ```

  The following is example output.

  ```
  Region         PublicAccessState
  ------         -----------------
  ap-south-1     unblocked
  eu-north-1     unblocked
  eu-west-3      unblocked
  ...
  ```

------

# Monitor block public access for Amazon EBS snapshots using EventBridge
<a name="block-public-access-snapshots-events"></a>

Amazon EBS emits events related to block public access for snapshots. You can use AWS Lambda and Amazon EventBridge to handle event notifications programmatically. Events are emitted on a best-effort basis. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).

The following events are emitted:
+ Enable block public access for snapshots in block all sharing mode

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Enabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "block-all-sharing",
      "message": "Block Public Access was successfully enabled in 'block-all-sharing' mode"
    }
  }
  ```
+ Enable block public access for snapshots in block new sharing mode

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Enabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "block-new-sharing",
      "message": "Block Public Access was successfully enabled in 'block-new-sharing' mode"
    }
  }
  ```
+ Disable block public access for snapshots

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Disabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "unblocked",
      "message": "Block Public Access was successfully disabled"
    }
  }
  ```
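
One way to handle the three events above in a Lambda function, as an added example that is not AWS code: it classifies each event against a required block public access state. The handler name, severity labels and state ranking are assumptions for this illustration, and the sample events are constructed from the ones shown above.

```python
"""Classify EBS snapshot block public access (BPA) events from EventBridge.

Added example, not AWS code. Severity labels and the ranking of states are
assumptions made for this illustration.
"""
import json

# EventBridge rule pattern that selects only the two detail-types shown above.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": [
        "EBS Snapshot Block Public Access Enabled",
        "EBS Snapshot Block Public Access Disabled",
    ],
}

# Assumed ranking: a higher number blocks more public sharing.
STATE_RANK = {"unblocked": 0, "block-new-sharing": 1, "block-all-sharing": 2}


def classify(event, required_state="block-all-sharing"):
    """Return a finding for one event; required_state must be a STATE_RANK key."""
    if (event.get("source") not in EVENT_PATTERN["source"]
            or event.get("detail-type") not in EVENT_PATTERN["detail-type"]):
        return {"severity": "IGNORE", "reason": "not a snapshot block public access event"}

    state = (event.get("detail") or {}).get("SnapshotBlockPublicAccessState")
    finding = {
        "account": event.get("account"),
        "region": event.get("region"),
        "time": event.get("time"),
        "state": state,
    }
    if state not in STATE_RANK:
        # Fail closed: an unknown value is never reported as compliant.
        finding.update(severity="REVIEW", reason="unrecognized state value")
    elif state == "unblocked":
        finding.update(severity="HIGH", reason="block public access disabled")
    elif STATE_RANK[state] < STATE_RANK[required_state]:
        finding.update(severity="MEDIUM", reason=f"weaker than required {required_state}")
    else:
        finding.update(severity="INFO", reason="meets required state")
    return finding


def lambda_handler(event, context):
    """Lambda entry point: log the finding as one JSON line and return it."""
    finding = classify(event)
    print(json.dumps(finding, sort_keys=True))
    return finding


def sample_event(detail_type, state):
    """Constructed sample shaped like the events on this page."""
    return {
        "version": "0",
        "id": "01234567-0123-0123-0123-012345678901",
        "detail-type": detail_type,
        "source": "aws.ec2",
        "account": "123456789012",
        "time": "2019-05-31T21:49:54Z",
        "region": "us-east-1",
        "detail": {"SnapshotBlockPublicAccessState": state},
    }


if __name__ == "__main__":
    for detail_type, state in [
        ("EBS Snapshot Block Public Access Enabled", "block-all-sharing"),
        ("EBS Snapshot Block Public Access Enabled", "block-new-sharing"),
        ("EBS Snapshot Block Public Access Disabled", "unblocked"),
    ]:
        lambda_handler(sample_event(detail_type, state), None)
```

Because events are emitted on a best-effort basis, treat this handler as an alert path and keep a scheduled check of the per-Region state as the control.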

# Amazon EBS local snapshots on Outposts
<a name="snapshots-outposts"></a>

Amazon EBS snapshots are a point-in-time copy of your EBS volumes.

By default, snapshots of EBS volumes on an AWS Outpost are stored in Amazon S3 in the Region of the Outpost. You can also use Amazon EBS local snapshots on Outposts to store snapshots of volumes on an Outpost locally in Amazon S3 on the Outpost itself. This ensures that the snapshot data resides on the Outpost, and on your premises. In addition, you can use AWS Identity and Access Management (IAM) policies and permissions to set up data residency enforcement policies to ensure that snapshot data does not leave the Outpost. This is especially useful if you reside in a country or region that is not yet served by an AWS Region and that has data residency requirements.

This topic provides information about working with Amazon EBS local snapshots on Outposts. For more information about Amazon EBS snapshots and about working with snapshots in an AWS Region, see [Amazon EBS snapshots](ebs-snapshots.md).

For more information, see [AWS Outposts Family](https://aws.amazon.com/outposts/) and the [AWS Outposts Family Documentation](https://docs.aws.amazon.com/outposts/).

**Topics**
+ [Frequently asked questions](#faq)
+ [Prerequisites](#prereqs)
+ [Considerations](#considerations)
+ [Controlling access with IAM](#iam)
+ [Working with local snapshots](#using)

## Frequently asked questions
<a name="faq"></a>

**1. What are local snapshots?**  
By default, Amazon EBS snapshots of volumes on an Outpost are stored in Amazon S3 in the Region of the Outpost. If the Outpost is provisioned with S3 on Outposts, you can choose to store the snapshots locally on the Outpost itself. Local snapshots are incremental, which means that only the blocks of the volume that have changed after your most recent snapshot are saved. You can use these snapshots to restore a volume on the same Outpost as the snapshot at any time. For more information about Amazon EBS snapshots, see [Amazon EBS snapshots](ebs-snapshots.md).

**2. Why should I use local snapshots?**  
Snapshots are a convenient way of backing up your data. With local snapshots, all of your snapshot data is stored locally on the Outpost. This means that it does not leave your premises. This is especially useful if you reside in a country or region that is not yet served by an AWS Region and that has residency requirements.  
Additionally, using local snapshots can help to reduce the bandwidth used for communication between the Region and the Outpost in bandwidth-constrained environments.

**3. How do I enforce snapshot data residency on an Outpost?**  
You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with local snapshots and to enforce data residency. You can create a policy that prevents principals from creating snapshots from Outpost volumes and instances and storing the snapshots in an AWS Region. Currently, copying snapshots and images from an Outpost to a Region is not supported. For more information, see [Controlling access with IAM](#iam).

**4. Are multi-volume, crash-consistent local snapshots supported?**  
Yes, you can create multi-volume, crash-consistent local snapshots from instances on an Outpost.

**5. How do I create local snapshots?**  
You can create snapshots manually using the AWS Command Line Interface (AWS CLI) or the Amazon EC2 console. For more information, see [Working with local snapshots](#using). You can also automate the lifecycle of local snapshots using Amazon Data Lifecycle Manager. For more information, see [Automate snapshots on an Outpost](#dlm).

**6. Can I create, use, or delete local snapshots if my Outpost loses connectivity to its Region?**  
No. The Outpost must have connectivity with its Region as the Region provides the access, authorization, logging, and monitoring services that are critical for your snapshots' health. If there is no connectivity, you can't create new local snapshots, create volumes or launch instances from existing local snapshots, or delete local snapshots.

**7. How quickly is Amazon S3 storage capacity made available after deleting local snapshots?**  
Amazon S3 storage capacity becomes available within 72 hours after deleting local snapshots and the volumes that reference them.

**8. How can I ensure that I do not run out of Amazon S3 capacity on my Outpost?**  
We recommend that you use Amazon CloudWatch alarms to monitor your Amazon S3 storage capacity, and delete snapshots and volumes that you no longer need to avoid running out of storage capacity. If you are using Amazon Data Lifecycle Manager to automate the lifecycle of local snapshots, ensure that your snapshot retention policies do not retain snapshots for longer than is needed.

**9. What happens if I run out of local Amazon S3 capacity on an Outpost?**  
If you run out of local Amazon S3 capacity on an Outpost, Amazon Data Lifecycle Manager will not be able to successfully create local snapshots on the Outpost. Amazon Data Lifecycle Manager will attempt to create the local snapshots on the Outpost, but the snapshots immediately transition to the `error` state and they are eventually deleted by Amazon Data Lifecycle Manager. We recommend that you use the `SnapshotsCreateFailed` Amazon CloudWatch metric to monitor your snapshot lifecycle policies for snapshot creation failures. For more information, see [Monitor Data Lifecycle Manager policies using CloudWatch](monitor-dlm-cw-metrics.md).

**10. Can I use local snapshots and AMIs backed by local snapshots with Spot Instances and Spot Fleet?**  
No, you can't use local snapshots or AMIs backed by local snapshots to launch Spot Instances or a Spot Fleet.

**11. Can I use local snapshots and AMIs backed by local snapshots with Amazon EC2 Auto Scaling?**  
Yes, you can use local snapshots and AMIs backed by local snapshots to launch Auto Scaling groups in a subnet that is on the same Outpost as the snapshots. The Amazon EC2 Auto Scaling group service-linked role must have permission to use the KMS key used to encrypt the snapshots.  
You can't use local snapshots or AMIs backed by local snapshots to launch Auto Scaling groups in an AWS Region.

## Prerequisites
<a name="prereqs"></a>

To store snapshots on an Outpost, you must have an Outpost that is provisioned with S3 on Outposts. For more information about S3 on Outposts, see [S3 on Outposts](https://docs.aws.amazon.com/AmazonS3/latest/s3-outposts/S3onOutposts.html) in the *Amazon S3 on Outposts User Guide*.

## Considerations
<a name="considerations"></a>

Keep the following in mind when working with local snapshots.
+ The Outpost must have connectivity to its AWS Region to use local snapshots.
+ Snapshot metadata is stored in the AWS Region associated with the Outpost. This does not include any snapshot data.
+ Snapshots stored on an Outpost are encrypted by default. Unencrypted snapshots are not supported. Snapshots that are created on an Outpost and snapshots that are copied to an Outpost are encrypted using the default KMS key for the Region or a different KMS key that you specify at the time of the request.
+ When you create a volume on an Outpost from a local snapshot, you cannot re-encrypt the volume using a different KMS key. Volumes created from local snapshots must be encrypted using the same KMS key as the source snapshot.
+ After you delete local snapshots from an Outpost, the Amazon S3 storage capacity used by the deleted snapshots becomes available within 72 hours. For more information, see [Delete local snapshots](#delete-snapshots).
+ You can't export local snapshots from an Outpost.
+ You can't enable fast snapshot restore for local snapshots.
+ EBS direct APIs are not supported with local snapshots.
+ You can't copy local snapshots or AMIs from an Outpost to an AWS Region, from one Outpost to another, or within an Outpost. However, you can copy snapshots from an AWS Region to an Outpost. For more information, see [Copy snapshots from an AWS Region to an Outpost](#copy-snapshots).
+ When copying a snapshot from an AWS Region to an Outpost, the data is transferred over the service link. Copying multiple snapshots simultaneously could impact other services running on the Outpost.
+ You can't share local snapshots.
+ You must use IAM policies to ensure that your data residency requirements are met. For more information, see [Controlling access with IAM](#iam).
+ Local snapshots are incremental backups. Only the blocks in the volume that have changed after your most recent snapshot are saved. Each local snapshot contains all of the information that is needed to restore your data (from the moment when the snapshot was taken) to a new EBS volume. For more information, see [How Amazon EBS snapshots work](how_snapshots_work.md).
+ You can’t use IAM policies to enforce data residency for **CopySnapshot** and **CopyImage** actions.

## Controlling access with IAM
<a name="iam"></a>

You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with local snapshots. The following are example policies that you can use to grant or deny permission to perform specific actions with local snapshots.

**Important**  
Copying snapshots and images from an Outpost to a Region is currently not supported. As a result, you currently can’t use IAM policies to enforce data residency for **CopySnapshot** and **CopyImage** actions.

**Topics**
+ [Enforce data residency for snapshots](#enforce-residency-snapshot)
+ [Prevent principals from deleting local snapshots](#deny-delete)

### Enforce data residency for snapshots
<a name="enforce-residency-snapshot"></a>

The following example policy prevents all principals from creating snapshots from volumes and instances on Outpost `arn:aws:outposts:us-east-1:123456789012:outpost/op-1234567890abcdef0` and storing the snapshot data in an AWS Region. Principals can still create local snapshots. This policy ensures that all snapshots remain on the Outpost.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "arn:aws:ec2:us-east-1::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:SourceOutpostArn": "arn:aws:outposts:us-east-1:123456789012:outpost/op-1234567890abcdef0"
                },
                "Null": {
                    "ec2:OutpostArn": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
```

### Prevent principals from deleting local snapshots
<a name="deny-delete"></a>

The following example policy prevents all principals from deleting local snapshots that are stored on Outpost `arn:aws:outposts:us-east-1:123456789012:outpost/op-1234567890abcdef0`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "arn:aws:ec2:us-east-1::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:OutpostArn": "arn:aws:outposts:us-east-1:123456789012:outpost/op-1234567890abcdef0"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        }
    ]
}
```

## Working with local snapshots
<a name="using"></a>

The following sections explain how to use local snapshots.

**Topics**
+ [Rules for storing snapshots](#lineage)
+ [Create local snapshots from volumes on an Outpost](#create-snapshot)
+ [Create AMIs from local snapshots](#ami)
+ [Copy snapshots from an AWS Region to an Outpost](#copy-snapshots)
+ [Copy AMIs from an AWS Region to an Outpost](#copy-amis)
+ [Create volumes from local snapshots](#volumes)
+ [Launch instances from AMIs backed by local snapshots](#instances)
+ [Delete local snapshots](#delete-snapshots)
+ [Automate snapshots on an Outpost](#dlm)

### Rules for storing snapshots
<a name="lineage"></a>

The following rules apply to snapshot storage:
+ If the most recent snapshot of a volume is stored on an Outpost, then all successive snapshots must be stored on the same Outpost. 
+ If the most recent snapshot of a volume is stored in an AWS Region, then all successive snapshots must be stored in the same Region. To start creating local snapshots from that volume, do the following:

  1. Create a snapshot of the volume in the AWS Region.

  1. Copy the snapshot to the Outpost from the AWS Region.

  1. Create a new volume from the local snapshot.

  1. Attach the volume to an instance on the Outpost.

  For the new volume on the Outpost, the next snapshot can be stored on the Outpost or in the AWS Region. All successive snapshots must then be stored in that same location.
+ Local snapshots, including snapshots created on an Outpost and snapshots copied to an Outpost from an AWS Region, can be used only to create volumes on the same Outpost. 
+ If you create a volume on an Outpost from a snapshot in a Region, then all successive snapshots of that new volume must be in the same Region.
+ If you create a volume on an Outpost from a local snapshot, then all successive snapshots of that new volume must be on the same Outpost.

### Create local snapshots from volumes on an Outpost
<a name="create-snapshot"></a>

You can create local snapshots from volumes on your Outpost. You can choose to store the snapshots on the same Outpost as the source volume, or in the Region for the Outpost.

Local snapshots can be used to create volumes on the same Outpost only.

For more information, see [Create Amazon EBS snapshots](ebs-creating-snapshot.md).

### Create AMIs from local snapshots
<a name="ami"></a>

You can create Amazon Machine Images (AMIs) using a combination of local snapshots and snapshots that are stored in the Region of the Outpost. For example, if you have an Outpost in `us-east-1`, you can create an AMI with data volumes that are backed by local snapshots on that Outpost, and a root volume that is backed by a snapshot in the `us-east-1` Region.

**Note**  
+ You can't create AMIs that include backing snapshots stored across multiple Outposts.
+ You can’t currently create AMIs directly from instances on an Outpost using the **CreateImage** API or the Amazon EC2 console for an Outpost.
+ AMIs that are backed by local snapshots can be used to launch instances on the same Outpost only.

**To create an AMI on an Outpost from snapshots in a Region**

1. Copy the snapshots from the Region to the Outpost. For more information, see [Copy snapshots from an AWS Region to an Outpost](#copy-snapshots).

1. Use the Amazon EC2 console or the [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) command to create the AMI using the snapshot copies on the Outpost. For more information, see [Creating an AMI from a snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot).

**To create an AMI on an Outpost from an instance on an Outpost**

1. Create snapshots from the instance on the Outpost and store the snapshots on the Outpost. For more information, see [Create Amazon EBS snapshots](ebs-creating-snapshot.md).

1. Use the Amazon EC2 console or the [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) command to create the AMI using the local snapshots. For more information, see [Creating an AMI from a snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot).

**To create an AMI in a Region from an instance on an Outpost**

1. Create snapshots from the instance on the Outpost and store the snapshots in the Region. For more information, see [Create local snapshots from volumes on an Outpost](#create-snapshot) or [Create Amazon EBS snapshots](ebs-creating-snapshot.md).

1. Use the Amazon EC2 console or the [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) command to create the AMI using the snapshot copies in the Region. For more information, see [Creating an AMI from a snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot).

### Copy snapshots from an AWS Region to an Outpost
<a name="copy-snapshots"></a>

You can copy snapshots from an AWS Region to an Outpost. You can do this only if the snapshots are in the Region for the Outpost. If the snapshots are in a different Region, you must first copy the snapshot to the Region for the Outpost, and then copy it from that Region to the Outpost.

**Note**  
You can't copy local snapshots from an Outpost to a Region, from one Outpost to another, or within the same Outpost.

For more information, see [Copy an Amazon EBS snapshot](ebs-copy-snapshot.md).

### Copy AMIs from an AWS Region to an Outpost
<a name="copy-amis"></a>

You can copy AMIs from an AWS Region to an Outpost. When you copy an AMI from a Region to an Outpost, all of the snapshots associated with the AMI are copied from the Region to the Outpost.

You can copy an AMI from a Region to an Outpost only if the snapshots associated with the AMI are in the Region for the Outpost. If the snapshots are in a different Region, you must first copy the AMI to the Region for the Outpost, and then copy it from that Region to the Outpost.

**Note**  
You can't copy an AMI from an Outpost to a Region, from one Outpost to another, or within an Outpost.

You can copy AMIs from a Region to an Outpost using the [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) AWS CLI command only.

### Create volumes from local snapshots
<a name="volumes"></a>

You can create volumes on an Outpost from local snapshots. Volumes must be created on the same Outpost as the source snapshots. You cannot use local snapshots to create volumes in the Region for the Outpost.

When you create a volume from a local snapshot, you cannot re-encrypt the volume using a different KMS key. Volumes created from local snapshots must be encrypted using the same KMS key as the source snapshot.

For more information, see [Create an Amazon EBS volume](ebs-creating-volume.md).

### Launch instances from AMIs backed by local snapshots
<a name="instances"></a>

You can launch instances from AMIs that are backed by local snapshots. You must launch instances on the same Outpost as the source AMI. For more information, see [Launch an instance on your Outpost](https://docs.aws.amazon.com/outposts/latest/userguide/launch-instance.html) in the *AWS Outposts User Guide*.

### Delete local snapshots
<a name="delete-snapshots"></a>

You can delete local snapshots from an Outpost. The Amazon S3 storage capacity used by a deleted snapshot becomes available within 72 hours after you delete the snapshot and the volumes that reference it.

Because Amazon S3 storage capacity does not become available immediately, we recommend that you use Amazon CloudWatch alarms to monitor your Amazon S3 storage capacity. Delete snapshots and volumes that you no longer need to avoid running out of storage capacity.

For more information about deleting snapshots, see [Delete a snapshot](ebs-deleting-snapshot.md#ebs-delete-snapshot).

### Automate snapshots on an Outpost
<a name="dlm"></a>

You can create Amazon Data Lifecycle Manager snapshot lifecycle policies that automatically create, copy, retain, and delete snapshots of your volumes and instances on an Outpost. You can choose whether to store the snapshots in a Region or whether to store them locally on an Outpost. Additionally, you can automatically copy snapshots that are created and stored in an AWS Region to an Outpost.

The following table provides an overview of the supported features.


| Resource location | Snapshot destination | Cross-region copy to Region | Cross-region copy to Outpost | Fast snapshot restore | Cross-account sharing |
| --- | --- | --- | --- | --- | --- |
| Region | Region | ✓ | ✓ | ✓ | ✓ |
| Outpost | Region | ✓ | ✓ | ✓ | ✓ |
| Outpost | Outpost | ✗ | ✗ | ✗ | ✗ |

**Considerations**
+ Only Amazon EBS snapshot lifecycle policies are currently supported. EBS-backed AMI policies and Cross-account sharing event policies are not supported.
+ If a policy manages snapshots for volumes or instances in a Region, then snapshots are created in the same Region as the source resource.
+ If a policy manages snapshots for volumes or instances on an Outpost, then snapshots can be created on the source Outpost, or in the Region for that Outpost.
+ A single policy can't manage both snapshots in a Region and snapshots on an Outpost. If you need to automate snapshots in a Region and on an Outpost, you must create separate policies.
+ Fast snapshot restore is not supported for snapshots created on an Outpost, or for snapshots copied to an Outpost.
+ Cross-account sharing is not supported for snapshots created on an Outpost.

For more information about creating a snapshot lifecycle that manages local snapshots, see [Automating snapshot lifecycles](snapshot-ami-policy.md).

# Local snapshots in Local Zones
<a name="snapshots-localzones"></a>

Amazon EBS snapshots are a point-in-time copy of your EBS volumes.

Snapshots of EBS volumes in an AWS Local Zone can be stored in Amazon S3 in the same Local Zone or in the parent Region of that Local Zone. Storing snapshots in a Local Zone can help you meet data residency needs by ensuring that snapshot data is processed and stored in a specific country, state, or municipality. You can also set up data residency enforcement policies using IAM to ensure that snapshot data does not leave the Local Zone.

Local Zones are ideal for applications that require single-digit millisecond latency or local data processing by bringing AWS infrastructure closer to your end users and business centers. Additionally, you can meet data residency requirements for regulatory and compliance-sensitive workloads. For more information, see [What is AWS Local Zones](https://docs.aws.amazon.com//local-zones/latest/ug/what-is-aws-local-zones.html).

Local snapshots are currently supported in Local Zones that support Amazon S3. For more information, see [AWS Local Zones features](https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/).

**Topics**
+ [Frequently asked questions](#faq)
+ [Considerations](#considerations)
+ [Controlling access with IAM](#local-snaps-iam)

## Frequently asked questions
<a name="faq"></a>

**1. What are Local snapshots in Local Zones?**  
Local snapshots in Local Zones are snapshots that are stored in Amazon S3 in a Local Zone. By default, snapshots of Amazon EBS volumes in a Local Zone are stored in Amazon S3 in the parent Region. If the Local Zone supports Amazon S3, you can choose to store the snapshots locally in the Local Zone instead. Like snapshots in AWS Regions, Local snapshots in Local Zones are incremental, which means that only the blocks of the volume that have changed after your most recent snapshot are saved. You can use these snapshots to restore an Amazon EBS volume in the same Local Zone at any time.

**2. Why should I use Local snapshots?**  
Use Local snapshots in Local Zones to meet data residency or data isolation requirements by ensuring that your snapshot data resides in a specific geographic location, such as a country, state, or municipality.

**3. How do I enforce snapshot data residency in Local Zones?**  
You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with Local snapshots in Local Zones and to enforce data residency. For example, you can create a policy that prevents users from creating snapshots from volumes in a Local Zone and storing those snapshots in an AWS Region. For more information, see [Controlling access with IAM](#local-snaps-iam).

**4. Are multi-volume, crash-consistent Local snapshots supported?**  
Yes, you can create multi-volume, crash-consistent Local snapshots in Local Zones from instances in a Local Zone.

**5. How do I create Local snapshots in Local Zones?**  
You can create Local snapshots in Local Zones manually using the AWS CLI or the Amazon EC2 console. For more information, see [Create a snapshot of an EBS volume](ebs-create-snapshot.md). You can also automate the lifecycle of Local snapshots in Local Zones using Amazon Data Lifecycle Manager. For more information, see [Create Amazon Data Lifecycle Manager custom policy for EBS snapshots](snapshot-ami-policy.md).

**6. Can I copy Local snapshots in Local Zones?**  
Yes, you can copy snapshots from a Region to a Local Zone in the same Region, from a Local Zone to its Region, and from one Local Zone to another Local Zone in the same Local Zone group.

**7. How can I restore data from Local snapshots in Local Zones?**  
You can use Local snapshots in Local Zones to create Amazon EBS volumes in the same Local Zone only. 

**8. How are Local snapshots in Local Zones encrypted?**  
Local snapshots can be unencrypted or encrypted by default. When encrypted by default, Local snapshots are encrypted using the same AWS KMS key as the source Amazon EBS volume. When you create a volume from a Local snapshot, you can't re-encrypt the volume using a different KMS key. Volumes created from Local snapshots must be encrypted using the same AWS KMS key as the source snapshot.

**9. Can I create EBS-backed AMIs using Local snapshots in Local Zones?**  
Yes, you can use Local snapshots in Local Zones when creating EBS-backed AMIs by specifying the snapshot destination as Local Zones. For more information, see [Create an Amazon EBS-backed AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot).

**10. Can I share Local snapshots in Local Zones?**  
Yes, you can share Local snapshots in Local Zones with other AWS accounts that have enabled the Local Zone for use in their account.

**11. Can I create a Local snapshot of a volume and then switch to creating snapshots in the parent Region?**  
No, after you create a Local snapshot of a volume, you can't create successive snapshots of that volume in the parent Region. Because all snapshots are incremental, if the most recent snapshot of a volume is a Local snapshot, then all successive snapshots of that volume must be Local snapshots.

## Considerations
<a name="considerations"></a>

Keep the following in mind when working with Local snapshots in Local Zones.
+ Local snapshots are currently supported in Local Zones that support Amazon S3.
+ The following features can't be used with Local snapshots in Local Zones:
  + VM Import/Export actions
  + Fast snapshot restore
  + EBS direct APIs
  + Recycle Bin
  + Snapshot archive
+ You must use IAM policies to enforce your data residency requirements. For more information, see [Controlling access with IAM](#local-snaps-iam).
+ If the most recent snapshot of a volume is a Local snapshot, then all successive snapshots must be Local snapshots. Similarly, if the most recent snapshot of a volume is stored in an AWS Region, then all successive snapshots must be stored in the same Region.

## Controlling access with IAM
<a name="local-snaps-iam"></a>

You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with Local snapshots in Local Zones. The following are example policies that you can use to grant or deny permission to perform specific actions with Local snapshots in Local Zones.

**Topics**
+ [Enforce data residency for Local snapshots in Local Zones](#dlz-enforce-residency-snapshot)
+ [Prevent sharing of Local snapshots in Local Zones](#dlz-deny-sharing)
+ [Prevent principals from deleting Local snapshots in Local Zones](#dlz-deny-delete)

### Enforce data residency for Local snapshots in Local Zones
<a name="dlz-enforce-residency-snapshot"></a>

The following example policy restricts users to creating only Local snapshots in Local Zones from volumes and instances in a Local Zone. It prevents users from creating snapshots in a Region from volumes and instances in a Local Zone.

```
{
    "Version": "2012-10-17",
    "Statement":
    [
        {
            "Effect": "Deny",
            "Action":
            [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "*",
            "Condition":
            {
                "StringEquals":
                {
                    "ec2:Location": "regional",
                    "ec2:SourceAvailabilityZone": "local_zone"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action":
            [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "*",
            "Condition":
            {
                "StringEquals":
                {
                    "ec2:SourceAvailabilityZone": "local_zone"
                },
                "Null":
                {
                    "ec2:Location": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action":
            [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
```
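
How the Outposts residency policy earlier on this page and the Local Zones policy above evaluate, as an added example that is not AWS code: a small Python model of IAM evaluation limited to `StringEquals`, `Null` and explicit-deny precedence, with `Resource` matching assumed. The request contexts, including the `local` value for `ec2:Location` and the `us-east-1a` zone, are constructed for illustration.

```python
"""Evaluate the page's data-residency policies against constructed requests.

Added example: a deliberately small model of IAM evaluation, not AWS code.
It models only StringEquals and Null, exact Action names, and treats every
Resource element as matching.
"""
import copy
import json

ACTIONS = ["ec2:CreateSnapshot", "ec2:CreateSnapshots"]
OUTPOST_ARN = "arn:aws:outposts:us-east-1:123456789012:outpost/op-1234567890abcdef0"

# Outposts residency policy from this page.
OUTPOST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ACTIONS,
         "Resource": "arn:aws:ec2:us-east-1::snapshot/*",
         "Condition": {"StringEquals": {"ec2:SourceOutpostArn": OUTPOST_ARN},
                       "Null": {"ec2:OutpostArn": "true"}}},
        {"Effect": "Allow", "Action": ACTIONS, "Resource": "*"},
    ],
}

# Local Zones residency policy from this page ("local_zone" is its placeholder).
LOCAL_ZONE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"ec2:Location": "regional",
                                        "ec2:SourceAvailabilityZone": "local_zone"}}},
        {"Effect": "Deny", "Action": ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"ec2:SourceAvailabilityZone": "local_zone"},
                       "Null": {"ec2:Location": "true"}}},
        {"Effect": "Allow", "Action": ACTIONS, "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Operators and keys are ANDed; several values for one key are ORed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            present = key in context
            if operator == "StringEquals":
                # A key missing from the request can never satisfy StringEquals.
                if not present or context[key] not in _as_list(expected):
                    return False
            elif operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                wants_absent = str(_as_list(expected)[0]).lower() == "true"
                if wants_absent == present:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if action not in _as_list(statement["Action"]):
            continue
        if not condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def without_null_deny(policy):
    """Copy of a policy with every Deny that relies on a Null test removed."""
    trimmed = copy.deepcopy(policy)
    trimmed["Statement"] = [
        s for s in trimmed["Statement"]
        if not (s["Effect"] == "Deny" and "Null" in s.get("Condition", {}))
    ]
    return trimmed


def run_scenarios():
    """Constructed request contexts; the key values are assumptions for the demo."""
    lz, op, act = LOCAL_ZONE_POLICY, OUTPOST_POLICY, "ec2:CreateSnapshot"
    src_lz = {"ec2:SourceAvailabilityZone": "local_zone"}
    src_op = {"ec2:SourceOutpostArn": OUTPOST_ARN}
    return {
        "lz_to_region": evaluate(lz, act, {**src_lz, "ec2:Location": "regional"}),
        "lz_location_omitted": evaluate(lz, act, src_lz),
        # "local" is an assumed value; only "regional" appears on the page.
        "lz_to_local_zone": evaluate(lz, act, {**src_lz, "ec2:Location": "local"}),
        "region_volume": evaluate(lz, act, {"ec2:SourceAvailabilityZone": "us-east-1a"}),
        "lz_omitted_without_null_deny": evaluate(without_null_deny(lz), act, src_lz),
        "outpost_to_region": evaluate(op, act, src_op),
        "outpost_to_outpost": evaluate(op, act, {**src_op, "ec2:OutpostArn": OUTPOST_ARN}),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The `lz_omitted_without_null_deny` case returns `Allow`, which is why the Local Zones policy carries a second Deny with the `Null` test: `StringEquals` alone does not match a request that leaves `ec2:Location` out.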

### Prevent sharing of Local snapshots in Local Zones
<a name="dlz-deny-sharing"></a>

The following example policy prevents all users from sharing Local snapshots in Local Zones.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySnapshotModifyInLocalZone",
      "Effect": "Deny",
      "Action": [
        "ec2:ModifySnapshotAttribute"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:AvailabilityZone": "use1-atl2-az1"
        }
      }
    },
    {
      "Sid": "AllowSnapshotModifyElsewhere",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    }
  ]
}
```

### Prevent principals from deleting Local snapshots in Local Zones
<a name="dlz-deny-delete"></a>

The following example policy prevents all users from deleting Local snapshots in Local Zones.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySnapshotDeleteInLocalZone",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:AvailabilityZone": "use1-atl2-az1"
        }
      }
    },
    {
      "Sid": "AllowSnapshotDeleteElsewhere",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    }
  ]
}
```
