# Share an Amazon EBS snapshot with other AWS accounts
You can modify the permissions of a snapshot if you want to share it with other AWS accounts. You can share snapshots publicly with all other AWS accounts, or you can share them privately with individual AWS accounts that you specify. Users that you have authorized can use the snapshots that you share to create their own EBS volumes, while your original snapshot remains unaffected.
**Important**
When you share a snapshot, you are giving others access to all of the data on the snapshot. Share snapshots only with people that you trust with *all* of your snapshot data.
To prevent the public sharing of snapshots, you can enable [Block public access for Amazon EBS snapshots](block-public-access-snapshots.md).
**Topics**
+ [
## Before you share a snapshot
](#share-snapshot-considerations)
+ [
## Share a snapshot
](#share-unencrypted-snapshot)
+ [Share a KMS key](share-kms-key.md)
+ [Use shared snapshots](view-shared-snapshot.md)
+ [
## Determine the use of snapshots that you share
](#shared-snapshot-cloudtrail-logging)
## Before you share a snapshot
The following considerations apply to sharing snapshots:
+ If block public access for snapshots is enabled for the Region, attempts to publicly share snapshots will be blocked. Snapshots can still be privately shared.
+ Snapshots are constrained to the Region in which they were created. To share a snapshot with another Region, copy the snapshot to that Region and then share the copy. For more information, see [Copy an Amazon EBS snapshot](ebs-copy-snapshot.md).
+ You can't share snapshots that are encrypted with the default AWS managed key. You can only share snapshots that are encrypted with a customer managed key. For more information, see [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.
+ You can share only unencrypted snapshots publicly.
+ When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot. For more information, see [Share the KMS key used to encrypt a shared Amazon EBS snapshot](share-kms-key.md).
## Share a snapshot
You can share a snapshot publicly or with specific AWS accounts.
------
#### [ Console ]
**To share a snapshot**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Snapshots**.
1. Select the snapshot to share, and then choose **Actions**, **Modify permissions**.
1. Specify the snapshot's permissions. *Current setting* indicates the snapshot's current sharing permissions.
+ To share the snapshot publicly with all AWS accounts, choose **Public**.
+ To share the snapshot privately with specific AWS accounts, choose **Private**. Then, in the **Sharing accounts** section, choose **Add account**, and enter the 12-digit account ID (without hyphens) of the account to share with.
1. Choose **Save changes**.
------
#### [ AWS CLI ]
The permissions for a snapshot are specified using the `createVolumePermission` attribute of the snapshot. To make a snapshot public, set the group to `all`. To share a snapshot with a specific AWS account, set the user to the ID of the AWS account.
**To share a snapshot publicly**
Use the [modify-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html) command.
For `--attribute`, specify `createVolumePermission`. For `--operation-type`, specify `add`. For `--group-names`, specify `all`.
```
aws ec2 modify-snapshot-attribute \
--snapshot-id snap-0abcdef1234567890 \
--attribute createVolumePermission \
--operation-type add \
--group-names all
```
**To share a snapshot privately**
Use the [modify-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html) command.
For `--attribute`, specify `createVolumePermission`. For `--operation-type`, specify `add`. For `--user-ids`, specify the 12-digit IDs of the AWS accounts with which to share the snapshots.
```
aws ec2 modify-snapshot-attribute \
--snapshot-id snap-0abcdef1234567890 \
--attribute createVolumePermission \
--operation-type add \
--user-ids 123456789012 111122223333
```
------
#### [ PowerShell ]
The permissions for a snapshot are specified using the `createVolumePermission` attribute of the snapshot. To make a snapshot public, set the group to `all`. To share a snapshot with a specific AWS account, set the user to the ID of the AWS account.
**To share a snapshot publicly**
Use the [Edit-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SnapshotAttribute.html) cmdlet.
For `-Attribute`, specify `CreateVolumePermission`. For `-OperationType`, specify `Add`. For `-GroupName`, specify `all`.
```
Edit-EC2SnapshotAttribute `
-SnapshotId snap-0abcdef1234567890 `
-Attribute CreateVolumePermission `
-OperationType Add `
-GroupName all
```
**To share a snapshot privately**
Use the [Edit-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SnapshotAttribute.html) cmdlet.
For `-Attribute`, specify `CreateVolumePermission`. For `-OperationType`, specify `Add`. For `UserId`, specify the 12-digit IDs of the AWS accounts with which to share the snapshots.
```
Edit-EC2SnapshotAttribute `
-SnapshotId snap-0abcdef1234567890 `
-Attribute CreateVolumePermission `
-OperationType Add `
-UserId 123456789012 111122223333
```
------
# Share the KMS key used to encrypt a shared Amazon EBS snapshot
When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot. You can apply cross-account permissions to a customer managed key either when it is created or at a later time.
Users of your shared customer managed key who are accessing encrypted snapshots must be granted permissions to perform the following actions on the key:
+ `kms:DescribeKey`
+ `kms:CreateGrant`
+ `kms:GenerateDataKey`
+ `kms:GenerateDataKeyWithoutPlaintext`
+ `kms:ReEncrypt`
+ `kms:Decrypt`
**Tip**
To follow the principle of least privilege, do not allow full access to `kms:CreateGrant`. Instead, use the `kms:GrantIsForAWSResource` condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an AWS service.
For more information about controlling access to a customer managed key, see [ Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.
**To share customer managed key using the AWS KMS console**
1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).
1. To change the AWS Region, use the Region selector in the upper-right corner of the page.
1. Choose **Customer managed keys** in the navigation pane.
1. In the **Alias** column, choose the alias (text link) of the customer managed key that you used to encrypt the snapshot. The key details open in a new page.
1. In the **Key policy** section, you see either the *policy view* or the *default view*. The policy view displays the key policy document. The default view displays sections for **Key administrators**, **Key deletion**, **Key Use**, and **Other AWS accounts**. The default view displays if you created the policy in the console and have not customized it. If the default view is not available, you'll need to manually edit the policy in the policy view. For more information, see [Viewing a Key Policy (Console)](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-viewing.html#key-policy-viewing-console) in the *AWS Key Management Service Developer Guide*.
Use either the policy view or the default view, depending on which view you can access, to add one or more AWS account IDs to the policy, as follows:
+ (Policy view) Choose **Edit**. Add one or more AWS account IDs to the following statements: `"Allow use of the key"` and `"Allow attachment of persistent resources"`. Choose **Save changes**. In the following example, the AWS account ID `444455556666` is added to the policy.
```
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::111122223333:user/KeyUser",
"arn:aws:iam::444455556666:root"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::111122223333:user/KeyUser",
"arn:aws:iam::444455556666:root"
]},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}
```
+ (Default view) Scroll down to **Other AWS accounts**. Choose **Add other AWS accounts** and enter the AWS account ID as prompted. To add another account, choose **Add another AWS account** and enter the AWS account ID. When you have added all AWS accounts, choose **Save changes**.
# Use Amazon EBS snapshots that are shared with you
**To use a shared unencrypted snapshot**
Locate the shared snapshot by ID or description. You can use this snapshot as you would any other snapshot that you own in your account. For example, you can create a volume from the snapshot or copy it to a different Region.
**To use a shared encrypted snapshot**
Locate the shared snapshot by ID or description. Create a copy of the shared snapshot in your account, and encrypt the copy with a KMS key that you own. You can then use the copy to create volumes or you can copy it to different Regions.
------
#### [ Console ]
**To view snapshot permissions**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Snapshots**.
1. Select the snapshot.
1. If the filter is **Owned by me**, the snapshot is owned by this account. If the filter is **Private snapshots**, the snapshot is either owned by this account or shared specifically with this account. Select a snapshot and on the **Details** tab, check whether **Owner** specifies this account or a different account.
------
#### [ AWS CLI ]
**To view snapshot permissions**
Use the [describe-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshot-attribute.html) command to get the snapshot permissions of the specified snapshot.
```
aws ec2 describe-snapshot-attribute \
--snapshot-id snap-0abcdef1234567890 \
--attribute createVolumePermission
```
The following is example output.
```
{
"SnapshotId": "snap-0abcdef1234567890",
"CreateVolumePermissions": [
{
"UserId": "111122223333"
}
]
}
```
------
#### [ PowerShell ]
**To view snapshot permissions**
Use the [Get-EC2SnapshotAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2SnapshotAttribute.html) cmdlet.
```
(Get-EC2SnapshotAttribute `
-SnapshotId snap-0abcdef1234567890 `
-Attribute createVolumePermission).CreateVolumePermissions
```
The following is example output.
```
Group UserId
----- ------
111122223333
```
------
## Determine the use of snapshots that you share
You can use AWS CloudTrail to monitor whether a snapshot that you have shared with others is copied or used to create a volume. The following events are logged in CloudTrail when an action is taken on a snapshot you have shared::
+ **SharedSnapshotCopyInitiated** — A shared snapshot is being copied.
+ **SharedSnapshotVolumeCreated** — A shared snapshot is being used to create a volume.
For more information about using CloudTrail, see [ Log Amazon EC2 and Amazon EBS API calls with AWS CloudTrail](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html).