Local snapshots in Dedicated Local Zones
Amazon EBS snapshots are point-in-time copies of your EBS volumes.
Snapshots of EBS volumes in a Dedicated Local Zone can be stored in Amazon S3 in the same Dedicated Local Zone or in the parent Region of that Dedicated Local Zone. Storing snapshots in a Dedicated Local Zone can help you meet data residency needs by ensuring that snapshot data is processed and stored in a specific country, state, or municipality. You can also set up data residency enforcement policies using IAM to ensure that snapshot data does not leave the Dedicated Local Zone.
AWS Dedicated Local Zones are a type of AWS Infrastructure that is fully managed by AWS, built for exclusive use by you or your community, and placed in a location or data center specified by you to help comply with regulatory requirements. Dedicated Local Zones are a type of AWS Local Zone offering. For more information, see AWS Dedicated Local Zones.
Local snapshots are not currently supported in other AWS Local Zones locations.
Frequently asked questions
1. What are Local snapshots in Dedicated Local Zones?
Local snapshots in Dedicated Local Zones are snapshots that are stored in Amazon S3 in a Dedicated Local Zone. Like snapshots in AWS Regions, Local snapshots in Dedicated Local Zones are incremental, which means that only the blocks of the volume that have changed after your most recent snapshot are saved. You can use these snapshots to restore an Amazon EBS volume in the same Dedicated Local Zone at any time.
2. Why should I use local snapshots?
Use Local snapshots in Dedicated Local Zones to meet data residency or data isolation requirements by ensuring that your snapshot data resides in a specific geographic location, such as a country, state, or municipality.
3. How do I enforce snapshot data residency in Dedicated Local Zones?
You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with Local snapshots in Dedicated Local Zones and to enforce data residency. For example, you can create a policy that prevents users from creating snapshots from volumes in a Dedicated Local Zone and storing those snapshots in an AWS Region. For more information, see Controlling access with IAM.
4. Are multi-volume, crash-consistent local snapshots supported?
Yes, you can create multi-volume, crash-consistent Local snapshots in Dedicated Local Zones from instances in a Dedicated Local Zone.
5. How do I create Local snapshots in Dedicated Local Zones?
You can create Local snapshots in Dedicated Local Zones manually using the AWS CLI or the Amazon EC2 console. For more information, see Create an Amazon EBS snapshot of an EBS volume. You can also automate the lifecycle of Local snapshots in Dedicated Local Zones using Amazon Data Lifecycle Manager. For more information, see Create Amazon Data Lifecycle Manager custom policy for EBS snapshots.
6. Can I copy Local snapshots in Dedicated Local Zones?
No, you can't currently copy snapshots from a Region to a Dedicated Local Zone, from a Dedicated Local Zone to a Region, or from one Dedicated Local Zone to another.
7. How can I restore data from Local snapshots in Dedicated Local Zones?
You can use Local snapshots in Dedicated Local Zones to create Amazon EBS volumes in the same Dedicated Local Zone only.
8. How are Local snapshots in Dedicated Local Zones encrypted?
Local snapshots in Dedicated Local Zones are encrypted by default. Unencrypted Local snapshots in Dedicated Local Zones are not supported. Local snapshots in Dedicated Local Zones are encrypted using the same KMS key as the source Amazon EBS volume.
9. Can I create EBS-backed AMIs using Local snapshots in Dedicated Local Zones?
No, you can't currently create EBS-backed AMIs using Local snapshots in Dedicated Local Zones.
10. Can I share Local snapshots in Dedicated Local Zones?
Yes, you can share Local snapshots in Dedicated Local Zones with other AWS accounts that have enabled the Dedicated Local Zone for use in their account.
Considerations
Keep the following in mind when working with Local snapshots in Dedicated Local Zones.
- Local snapshots are supported in AWS Dedicated Local Zones only. They are not supported in other Local Zones locations.
- The following features can't be used with Local snapshots in Dedicated Local Zones:
  - VM Import/Export actions
  - Fast snapshot restore
  - EBS direct APIs
  - Recycle Bin
  - Snapshot archive
  - Snapshot lock
- You must use IAM policies to enforce your data residency requirements. For more information, see Controlling access with IAM.
Controlling access with IAM
You can use AWS Identity and Access Management (IAM) policies to control the permissions that principals (AWS accounts, IAM users, and IAM roles) have when working with Local snapshots in Dedicated Local Zones. The following are example policies that you can use to grant or deny permission to perform specific actions with Local snapshots in Dedicated Local Zones.
Enforce data residency for Local snapshots in Dedicated Local Zones
The following example policy restricts users to creating only Local snapshots in Dedicated Local Zones from volumes and instances in a Dedicated Local Zone. It prevents users from creating snapshots in a Region from volumes and instances in a Dedicated Local Zone.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "arn:aws:ec2:region::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:SourceAvailabilityZone": "dedicated_local_zone",
                    "ec2:Location": "local"
                }
            }
        }
    ]
}
Prevent sharing of Local snapshots in Dedicated Local Zones
The following example policy prevents all users from sharing Local snapshots in Dedicated Local Zones.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:ModifySnapshotAttribute"
            ],
            "Resource": "arn:aws:ec2:region::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AvailabilityZone": "dedicated_local_zone"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute"
            ],
            "Resource": "*"
        }
    ]
}
Prevent principals from deleting Local snapshots in Dedicated Local Zones
The following example policy prevents all users from deleting Local snapshots in Dedicated Local Zones.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "arn:aws:ec2:region::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AvailabilityZone": "dedicated_local_zone"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        }
    ]
}
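A simplified model of how the data residency and sharing policies above evaluate, added here as an example (it is not AWS code and not IAM's full evaluation logic): it handles only exact action names, `*` resource wildcards and `StringEquals`. The `region` and `dedicated_local_zone` placeholders are the ones used on this page; the snapshot ID, the `not-local` location value and `other-zone` are constructed. The delete policy has the same Deny-plus-Allow shape as the sharing policy and evaluates the same way.

```python
import fnmatch

ZONE = "dedicated_local_zone"             # placeholder, as written on the page
ARN = "arn:aws:ec2:region::snapshot/*"    # placeholder, as written on the page
SNAP = "arn:aws:ec2:region::snapshot/snap-EXAMPLE"  # constructed sample ARN

RESIDENCY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:CreateSnapshot", "ec2:CreateSnapshots"],
    "Resource": ARN,
    "Condition": {"StringEquals": {"ec2:SourceAvailabilityZone": ZONE,
                                   "ec2:Location": "local"}}}]}

NO_SHARING = {"Statement": [
    {"Effect": "Deny", "Action": ["ec2:ModifySnapshotAttribute"],
     "Resource": ARN,
     "Condition": {"StringEquals": {"ec2:AvailabilityZone": ZONE}}},
    {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute"],
     "Resource": "*"}]}

def _applies(stmt, action, resource, ctx):
    """True when a statement's action, resource and conditions all match."""
    if action not in stmt["Action"]:
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    # Keys under one StringEquals are ANDed; a missing context key fails.
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) == value for key, value in wanted.items())

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _applies(s, action, resource, ctx)}
    if "Deny" in effects:  # an explicit Deny overrides any Allow
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def demo():
    """Evaluate four constructed requests against the two policies."""
    create, share = "ec2:CreateSnapshot", "ec2:ModifySnapshotAttribute"
    local = {"ec2:SourceAvailabilityZone": ZONE, "ec2:Location": "local"}
    other = {**local, "ec2:Location": "not-local"}  # constructed value
    return [evaluate(RESIDENCY, create, SNAP, local),
            evaluate(RESIDENCY, create, SNAP, other),
            evaluate(NO_SHARING, share, SNAP, {"ec2:AvailabilityZone": ZONE}),
            evaluate(NO_SHARING, share, SNAP, {"ec2:AvailabilityZone": "other-zone"})]

if __name__ == "__main__":
    print(demo())
```

The second request falls through to an implicit deny because the Allow statement requires both condition keys to match, which is why the two keys belong under a single `StringEquals` block.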