Copy an Amazon EBS snapshot - Amazon EBS

Copy an Amazon EBS snapshot

After you create a snapshot, and it has reached the completed state, you can copy it from one AWS Region to another, or within the same Region. The snapshot copy is an exact copy of the original, but it has a unique resource ID. You can copy snapshots that you own and snapshots that are shared with you, privately or publicly. You might need to copy a snapshot for the following use cases:

  • Geographic expansion — You need to launch your applications in a new Region.

  • Migration — You need to move an application to a new Region, to enable better availability or to minimize cost.

  • Disaster recovery — You need to back up your data and logs to secondary Regions for data redundancy purposes.

  • Encryption — You need to encrypt a previously unencrypted snapshot or reencrypt an encrypted snapshot using a different KMS key.

  • Copy a shared snapshot — You need to copy a snapshot that is shared with you.

  • Data retention and auditing requirements — You need to copy encrypted snapshots from one AWS account to another to preserve data for auditing or data retention. Using a different account protects you if your main AWS account is compromised.

To copy multi-volume snapshots to another AWS Region, identify all of the snapshots that are part of that set using the tags that you assigned during creation, then individually copy the snapshots to the required Region.

For information about copying an Amazon RDS snapshot, see Copying a DB Snapshot in the Amazon RDS User Guide.

Pricing

For pricing information about copying snapshots across AWS Regions and accounts, see Amazon EBS Pricing.

Considerations for copying snapshots

  • You can copy AWS Marketplace, VM Import/Export, and Storage Gateway snapshots, but you must verify that the snapshot is supported in the destination Region.

  • There is a limit of 20 concurrent snapshot copy requests per destination Region. If you exceed this quota, you receive a ResourceLimitExceeded error. If you receive this error, wait for one or more of the copy requests to complete before making a new snapshot copy request.

  • User-defined tags are not copied from the source snapshot to the snapshot copy. You can add user-defined tags during or after the copy operation.

  • Snapshots created by a snapshot copy operation have an arbitrary volume ID, such as vol-ffff or vol-ffffffff. These arbitrary volume IDs should not be used for any purpose.

  • Resource-level permissions specified for the snapshot copy operation apply only to the snapshot copy. You can't specify resource-level permissions for the source snapshot. For an example, see Example: Copying snapshots.

  • If you copy a snapshot that is enabled for fast snapshot restore, the snapshot copy is not automatically enabled for fast snapshot restore. You must explicitly enable fast snapshot restore for the snapshot copy.

  • If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.

  • If you copy a snapshot to a new Region, a full (non-incremental) copy is created. This results in additional storage costs. Subsequent copies of the same snapshot are incremental.

  • If you use external or cross-Region data transfers, additional EC2 data transfer charges will apply. If you delete any snapshots after initiation, you are still charged for the data that has already been transferred.

Destinations for snapshot copies

You can copy snapshots to AWS Regions and to AWS outposts, if you have outposts in your account. The allowed destinations depend on the location of the source snapshot.

  • If the source snapshot is in a Region, you can copy it within that Region, to another Region, or to an outpost associated with that Region.

  • If the source snapshot is on an Outpost, you can't copy it.

Incremental snapshot copying

Snapshot copy operations within the same account and Region using the same KMS key are always incremental copies. However, if you encrypt the snapshot copy using a different KMS key, the copy is a full copy.

When you copy a snapshot across Regions or accounts, the copy is an incremental copy if the following conditions are met:

  • The snapshot was copied to the destination Region or account previously.

  • The most recent snapshot copy still exists in the destination Region or account.

  • The most recent snapshot copy has not been archived.

  • All copies of the snapshot in the destination Region or account are either unencrypted or were encrypted using the same KMS key.

Tip

We recommend that you tag your snapshot copies with the volume ID and creation time so that you can keep track of the most recent snapshot copy of a volume in the destination Region or account.

To see whether your snapshot copies are incremental, check the copySnapshot CloudWatch event.

Encryption and snapshot copying

Note

Amazon S3 server-side encryption (256-bit AES) protects a snapshot's data in transit during a copy operation.

You can create an encrypted snapshot copy of a source snapshot that is unencrypted. And you can encrypt a snapshot copy with a KMS key that is different from the source snapshot. However, changing the encryption status of a snapshot copy during a copy operation could result in a full (not incremental) copy, which might incur greater data transfer and storage charges.

Tip

When using an encrypted snapshot that is shared with you, we recommend that you re-encrypt the snapshot by copying it and using a KMS key that you own. This protects you if the original KMS key is compromised, or if the owner revokes your access, which could cause you to lose access to the snapshot and any encrypted volumes that you created from it.

Permissions for copying encrypted snapshots

  • To copy an encrypted snapshot, your user must have the following permissions to use Amazon EBS encryption.

    • kms:DescribeKey

    • kms:CreateGrant

    • kms:GenerateDataKey

    • kms:GenerateDataKeyWithoutPlaintext

    • kms:ReEncrypt

    • kms:Decrypt

  • To copy an encrypted snapshot that is shared from another AWS account, you must have permissions to use the customer managed key that was used to encrypt that snapshot. For more information, see Share the KMS key used to encrypt a shared Amazon EBS snapshot.
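
One way to check an identity policy against the permission list above before attempting a copy. This is an added example, not AWS code: the function names, the sample policy, the account ID and the key ID are constructed, and the evaluation is a simplification that ignores Condition, NotAction and NotResource. The page's kms:ReEncrypt is checked as the two IAM actions kms:ReEncryptFrom and kms:ReEncryptTo.

```python
import fnmatch

# KMS actions this page lists for copying an encrypted snapshot. The page's
# kms:ReEncrypt is written as its two IAM actions, ReEncryptFrom/ReEncryptTo.
REQUIRED = [
    "kms:DescribeKey", "kms:CreateGrant", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:Decrypt",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action names are case-insensitive; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_kms_actions(policy, key_arn):
    """Return the required actions the policy does not grant on key_arn.

    Simplification (assumption): Condition, NotAction and NotResource are not
    evaluated; statements using NotAction/NotResource are skipped.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        hits = {a for a in REQUIRED if _action_matches(_as_list(stmt["Action"]), a)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    # An explicit Deny overrides any Allow.
    return [a for a in REQUIRED if a not in allowed or a in denied]

# Constructed sample: placeholder account ID and key ID, not real resources.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:kms:us-east-1:111122223333:key/*",
     "Action": ["kms:DescribeKey", "kms:GenerateDataKey*",
                "kms:ReEncrypt*", "kms:Decrypt"]},
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print(missing_kms_actions(POLICY, KEY_ARN))
```

For a snapshot shared from another account, the key policy on the owner's customer managed key must also allow your account; this check covers only the identity policy you pass in.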

Encryption outcomes for snapshot copies

The following table describes the encryption outcomes when copying snapshots that you own and snapshots that are shared with you.

| Encryption by default for destination Region | Source snapshot | Snapshot copy encryption outcome | Note |
|---|---|---|---|
| Disabled | Unencrypted | Optional encryption | If you encrypt the copy, you can specify the KMS key to use. If you encrypt the copy but do not specify a KMS key, the AWS managed key (aws/ebs) is used. |
| Disabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the AWS managed key (aws/ebs) is used. |
| Enabled | Unencrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. |
| Enabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. |

Copy a snapshot

To copy a snapshot, use one of the following methods.

Console
To copy a snapshot using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Snapshots.

  3. Select the snapshot to copy, and then choose Actions, Copy snapshot.

  4. For Description, enter a brief description for the snapshot copy.

    By default, the description includes information about the source snapshot so that you can identify a copy from the original.

  5. For Destination Region, select the Region in which to create the snapshot copy.

  6. (Outpost customers only) To create the snapshot copy on an outpost in the selected Region, for Snapshot destination choose AWS Outpost, and then for Destination Outpost ARN, enter the ARN of the outpost to which to copy the snapshot. The Snapshot destination field appears only if you have outposts in the selected Region.

  7. Specify the encryption status for the snapshot copy.

    If the source snapshot is encrypted, or if your account is enabled for encryption by default, the snapshot copy is automatically encrypted. If the source snapshot is unencrypted and your account is not enabled for encryption by default, encryption is optional.

  8. Choose Copy snapshot.

Note

If you attempt to copy an encrypted snapshot without having permissions to use the encryption key, the operation fails silently. The error state is not displayed in the console until you refresh the page.

AWS CLI
To copy a snapshot using the AWS CLI

Use the copy-snapshot command.

To copy a snapshot using the Tools for Windows PowerShell

Use the Copy-EC2Snapshot command.

Note

If you attempt to copy an encrypted snapshot without having permissions to use the encryption key, the operation fails silently and the snapshot copy receives the "Given key ID is not accessible" status message.
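
Because the copy request itself does not report the key-access failure, a follow-up check on snapshot state is what catches it. The following is an added example, not AWS code: it sorts the JSON printed by aws ec2 describe-snapshots into review buckets using the State, StateMessage, Encrypted and KmsKeyId fields. The function name, snapshot IDs and key ARN are constructed.

```python
import json

# Status message this page quotes for a copy that lacked KMS key access.
KEY_ERROR = "given key id is not accessible"

def triage_copies(describe_json):
    """Sort snapshots from describe-snapshots JSON into review buckets."""
    report = {"key_access_failed": [], "other_error": [], "unencrypted": []}
    for snap in json.loads(describe_json).get("Snapshots", []):
        sid = snap["SnapshotId"]
        state = snap.get("State")
        if state == "error":
            msg = snap.get("StateMessage", "")
            if KEY_ERROR in msg.lower():
                # Keep the key so the missing permission can be traced.
                report["key_access_failed"].append((sid, snap.get("KmsKeyId")))
            else:
                report["other_error"].append(sid)
        elif state == "completed" and not snap.get("Encrypted", False):
            # Possible when encryption by default is disabled in the
            # destination Region and the source was unencrypted.
            report["unencrypted"].append(sid)
    return report

# Constructed sample output; IDs and the key ARN are placeholders.
SAMPLE = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "State": "completed",
     "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa2", "State": "error",
     "StateMessage": "Given key ID is not accessible", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa3", "State": "completed",
     "Encrypted": False},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa4", "State": "pending",
     "Encrypted": True},
]})

if __name__ == "__main__":
    for bucket, items in triage_copies(SAMPLE).items():
        print(bucket, items)
```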