Automate cross-account snapshot copies with Data Lifecycle Manager - Amazon EBS
Create cross-account snapshot copy policiesSpecify snapshot description filtersConsiderations for cross-account snapshot copy policiesAdditional resources

Automate cross-account snapshot copies with Data Lifecycle Manager

Automating cross-account snapshot copies enables you to copy your Amazon EBS snapshots to specific Regions in an isolated account and encrypt those snapshots with an encryption key. This enables you to protect yourself against data loss in the event of your account being compromised.

Automating cross-account snapshot copies involves two accounts:

  • Source account—The source account is the account that creates and shares the snapshots with the target account. In this account, you must create an EBS snapshot policy that creates snapshots at set intervals and then shares them with other AWS accounts.

  • Target account—The target account is the account with destination account with which the snapshots are shared, and it is the account that creates copies of the shared snapshots. In this account, you must create a cross-account copy event policy that automatically copies snapshots that are shared with it by one or more specified source accounts.

Create cross-account snapshot copy policies

To prepare the source and target accounts for cross-account snapshot copying, you need to perform the following steps:

Topics

    In the source account, create an EBS snapshot policy that will create the snapshots and share them with the required target accounts.

    When you create the policy, ensure that you enable cross-account sharing and that you specify the target AWS accounts with which to share the snapshots. These are the accounts with which the snapshots are to be shared. If you are sharing encrypted snapshots, then you must give the selected target accounts permission to use the KMS key used to encrypt the source volume. For more information, see Step 2: Share the customer managed key (Source account).

    Note

    You can only share snapshots that are unencrypted or that are encrypted using a customer managed key. You can't share snapshots that are encrypted with the default EBS encryption KMS key. If you share encrypted snapshots, then you must also share the KMS key that was used to encrypt the source volume with the target accounts. For more information, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

    For more information about creating an EBS snapshot policy, see Create Amazon Data Lifecycle Manager custom policy for EBS snapshots.

    Use one of the following methods to create the EBS snapshot policy.

    If you are sharing encrypted snapshots, you must grant the IAM role and the target AWS accounts (that you selected in the previous step) permissions to use the customer managed key that was used to encrypt the source volume.

    Note

    Perform this step only if you are sharing encrypted snapshots. If you are sharing unencrypted snapshots, skip this step.

    Console

    1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

    2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

    3. In the navigation pane, choose Customer managed key and then select the KMS key that you need to share with the target accounts.

      Make note of the KMS key ARN, you'll need this later.

    4. On the Key policy tab, scroll down to the Key users section. Choose Add, enter the name of the IAM role that you selected in the previous step, and then choose Add.

    5. On the Key policy tab, scroll down to the Other AWS accounts section. Choose Add other AWS accounts, and then add all of the target AWS accounts that you chose to share the snapshots with in the previous step.

    6. Choose Save changes.

    Command line

    Use the get-key-policy command to retrieve the key policy that is currently attached to the KMS key.

    For example, the following command retrieves the key policy for a KMS key with an ID of 9d5e2b3d-e410-4a27-a958-19e220d83a1e and writes it to a file named snapshotKey.json.

    $ aws kms get-key-policy \
    --policy-name default \
    --key-id 9d5e2b3d-e410-4a27-a958-19e220d83a1e \
    --query Policy \
    --output text > snapshotKey.json

    Open the key policy using your preferred text editor. Add the ARN of the IAM role that you specified when you created the snapshot policy and the ARNs of the target accounts with which to share the KMS key.

    For example, in the following policy, we added the ARN of the default IAM role, and the ARN of the root account for target account 222222222222.

    Tip

    To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service, as shown in the following example.

    {
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
        "AWS" : [
            "arn:aws:iam::111111111111:role/service-role/AWSDataLifecycleManagerDefaultRole",
            "arn:aws:iam::222222222222:root"
        ]
    },
    "Action" : [ 
        "kms:Encrypt", 
        "kms:Decrypt", 
        "kms:ReEncrypt*", 
        "kms:GenerateDataKey*", 
        "kms:DescribeKey" 
    ],
    "Resource" : "*"
}, 
{
    "Sid" : "Allow attachment of persistent resources",
    "Effect" : "Allow",
    "Principal" : {
        "AWS" : [
            "arn:aws:iam::111111111111:role/service-role/AWSDataLifecycleManagerDefaultRole",
            "arn:aws:iam::222222222222:root"
        ]
    },
    "Action" : [ 
        "kms:CreateGrant", 
        "kms:ListGrants", 
        "kms:RevokeGrant"
    ],
    "Resource" : "*",
    "Condition" : {
        "Bool" : {
          "kms:GrantIsForAWSResource" : "true"
        }
    }
}

    Save and close the file. Then use the put-key-policy command to attach the updated key policy to the KMS key. 

    $ aws kms put-key-policy \
    --policy-name default \
    --key-id 9d5e2b3d-e410-4a27-a958-19e220d83a1e \
    --policy file://snapshotKey.json

    In the target account, you must create a cross-account copy event policy that will automatically copy snapshots that are shared by the required source accounts.

    This policy runs in the target account only when one of the specified source accounts shares snapshot with the account.

    Use one of the following methods to create the cross-account copy event policy.

    Console

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. In the navigation pane, choose Elastic Block Store, Lifecycle Manager, and then choose Create lifecycle policy.

    3. On the Select policy type screen, choose Cross-account copy event policy, and then choose Next.

    4. For Policy description, enter a brief description for the policy.

    5. For Policy tags, add the tags to apply to the lifecycle policy. You can use these tags to identify and categorize your policies.

    6. In the Event settings section, define the snapshot sharing event that will cause the policy to run. Do the following:

      1. For Sharing accounts, specify the source AWS accounts from which you want to copy the shared snapshots. Choose Add account, enter the 12-digit AWS account ID, and then choose Add.

      2. For Filter by description, enter the required snapshot description using a regular expression. Only snapshots that are shared by the specified source accounts and that have descriptions that match the specified filter are copied by the policy. For more information, see Specify snapshot description filters.

    7. For IAM role, choose the IAM role that has permissions to perform snapshot copy actions. To use the default role provided by Amazon Data Lifecycle Manager, choose Default role. Alternatively, to use a custom IAM role that you previously created, choose Choose another role and then select the role to use.

      If you are copying encrypted snapshots, you must grant the selected IAM role permissions to use the encryption KMS key used to encrypt the source volume. Similarly, if you are encrypting the snapshot in the destination Region using a different KMS key, you must grant the IAM role permission to use the destination KMS key. For more information, see Step 4: Allow IAM role to use the required KMS keys (Target account).

    8. In the Copy action section, define the snapshot copy actions that the policy should perform when it is activated. The policy can copy snapshots to up to three Regions. You must specify a separate copy rule for each destination Region. For each rule that you add, do the following:

      1. For Name, enter a descriptive name for the copy action.

      2. For Target Region, select the Region to which to copy the snapshots.

      3. For Expire, specify how long to retain the snapshot copies in the target Region after creation.

      4. To encrypt the snapshot copy, for Encryption, select Enable encryption. If the source snapshot is encrypted, or if encryption by default is enabled for your account, the snapshot copy is always encrypted, even if you do not enable encryption here. If the source snapshot is unencrypted and encryption by default is not enabled for your account, you can choose to enable or disable encryption. If you enable encryption, but do not specify a KMS key, the snapshots are encrypted using the default encryption KMS key in each destination Region. If you specify a KMS key for the destination Region, you must have access to the KMS key.

    9. To add additional snapshot copy actions, choose Add new Regions.

    10. For Policy status after creation, choose Enable policy to start the policy runs at the next scheduled time, or Disable policy to prevent the policy from running. If you do not enable the policy now, it will not start copying snapshots until you manually enable it after creation.

    11. Choose Create policy.

    Command line

    Use the create-lifecycle-policy command to create a policy. To create a cross-account copy event policy, for PolicyType, specify EVENT_BASED_POLICY.

    For example, the following command creates a cross-account copy event policy in target account 222222222222. The policy copies snapshots that are shared by source account 111111111111. The policy copies snapshots to sa-east-1 and eu-west-2. Snapshots copied to sa-east-1 are unencrypted and they are retained for 3 days. Snapshots copied to eu-west-2 are encrypted using KMS key 8af79514-350d-4c52-bac8-8985e84171c7 and they are retained for 1 month. The policy uses the default IAM role.

    $ aws dlm create-lifecycle-policy \
    --description "Copy policy" \
    --state ENABLED \
    --execution-role-arn arn:aws:iam::222222222222:role/service-role/AWSDataLifecycleManagerDefaultRole \
    --policy-details file://policyDetails.json

    The following shows the contents of the policyDetails.json file.

    {
    "PolicyType" : "EVENT_BASED_POLICY",
    "EventSource" : {
        "Type" : "MANAGED_CWE",
        "Parameters": {
            "EventType" : "shareSnapshot",
            "SnapshotOwner": ["111111111111"]
        }
    },
    "Actions" : [{
        "Name" :"Copy Snapshot to Sao Paulo and London",
        "CrossRegionCopy" : [{
            "Target" : "sa-east-1",
             "EncryptionConfiguration" : {
                 "Encrypted" : false
             },
             "RetainRule" : {
             "Interval" : 3,
            "IntervalUnit" : "DAYS"
            }
        },
        {
            "Target" : "eu-west-2",
            "EncryptionConfiguration" : {
                 "Encrypted" : true,
                 "CmkArn" : "arn:aws:kms:eu-west-2:222222222222:key/8af79514-350d-4c52-bac8-8985e84171c7"
            },
            "RetainRule" : {
                "Interval" : 1,
                "IntervalUnit" : "MONTHS"
            }
        }]
    }]
}

    If the request succeeds, the command returns the ID of the newly created policy. The following is example output.

    {
    "PolicyId": "policy-9876543210abcdef0"
}

    If you are copying encrypted snapshots, you must grant the IAM role (that you selected in the previous step) permissions to use the customer managed key that was used to encrypt the source volume.

    Note

    Only perform this step if you are copying encrypted snapshots. If you are copying unencrypted snapshots, skip this step.

    Use one of the following methods to add the required policies to the IAM role.

    Console

    1. Open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, select Roles. Search for and select the IAM role that you selected when you created the cross-account copy event policy in the previous step. If you chose to use the default role, the role is named AWSDataLifecycleManagerDefaultRole.

    3. Choose Add inline policy and then select the JSON tab.

    4. Replace the existing policy with the following, and specify the ARN of the KMS key that was used to encrypt the source volumes and that was shared with you by the source account in Step 2.

      Note

      If you are copying from multiple source accounts, then you must specify the corresponding KMS key ARN from each source account.

      In the following example, the policy grants the IAM role permission to use KMS key 1234abcd-12ab-34cd-56ef-1234567890ab, which was shared by source account 111111111111, and KMS key 4567dcba-23ab-34cd-56ef-0987654321yz, which exists in target account 222222222222.

      Tip

      To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service, as shown in the following example.

       {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                "arn:aws:kms:us-east-1:222222222222:key/4567dcba-23ab-34cd-56ef-0987654321yz"		
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                "arn:aws:kms:us-east-1:222222222222:key/4567dcba-23ab-34cd-56ef-0987654321yz"
            ]
        }
    ]
}

    5. Choose Review policy

    6. For Name, enter a descriptive name for the policy, and then choose Create policy.

    Command line

    Using your preferred text editor, create a new JSON file named policyDetails.json. Add the following policy and specify the ARN of the KMS key that was used to encrypt the source volumes and that was shared with you by the source account in Step 2.

    Note

    If you are copying from multiple source accounts, then you must specify the corresponding KMS key ARN from each source account.

    In the following example, the policy grants the IAM role permission to use KMS key 1234abcd-12ab-34cd-56ef-1234567890ab, which was shared by source account 111111111111, and KMS key 4567dcba-23ab-34cd-56ef-0987654321yz, which exists in target account 222222222222.

    Tip

    To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service, as shown in the following example.

     {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                "arn:aws:kms:us-east-1:222222222222:key/4567dcba-23ab-34cd-56ef-0987654321yz"		
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                "arn:aws:kms:us-east-1:222222222222:key/4567dcba-23ab-34cd-56ef-0987654321yz"
            ]
        }
    ]
}

    Save and close the file. Then use the put-role-policy command to add the policy to the IAM role.

    For example

    $ aws iam put-role-policy \
    --role-name AWSDataLifecycleManagerDefaultRole \
    --policy-name CopyPolicy \
    --policy-document file://AdminPolicy.json

    Specify snapshot description filters

    When you create the snapshot copy policy in the target account, you must specify a snapshot description filter. The snapshot description filter enables you to specify an additional level of filtering that lets you control which snapshots are copied by the policy. This means that a snapshot is only copied by the policy if it is shared by one of the specified source accounts, and it has a snapshot description that matches the specified filter. In other words, if a snapshot is shared by one of the specified course accounts, but it does not have a description that matches the specified filter, it is not copied by the policy.

    The snapshot filter description must be specified using a regular expression. It is a mandatory field when creating cross-account copy event policies using the console and the command line. The following are example regular expressions that can be used:

    • .*—This filter matches all snapshot descriptions. If you use this expression the policy will copy all snapshots that are shared by one of the specified source accounts.

    • Created for policy: policy-0123456789abcdef0.*—This filter matches only snapshots that are created by a policy with an ID of policy-0123456789abcdef0. If you use an expression like this, only snapshots that are shared with your account by one of the specified source accounts, and that have been created by a policy with the specified ID are copied by the policy.

    • .*production.*—This filter matches any snapshot that has the word production anywhere in its description. If you use this expression the policy will copy all snapshots that are shared by one of the specified source accounts and that have the specified text in their description.

    Considerations for cross-account snapshot copy policies

    The following considerations apply to cross-account copy event policies:

    • You can only copy snapshots that are unencrypted or that are encrypted using a customer managed key.

    • You can create a cross-account copy event policy to copy snapshots that are shared outside of Amazon Data Lifecycle Manager.

    • If you want to encrypt snapshots in the target account, then the IAM role selected for the cross-account copy event policy must have permission to use the required KMS key.

    Additional resources

    For more information, see the Automating copying encrypted Amazon EBS snapshots across AWS accounts AWS storage blog.