Menu
Amazon Elastic Compute Cloud
User Guide for Linux Instances

Sharing an Amazon EBS Snapshot

You can share your unencrypted snapshots with your co-workers or others in the AWS community by modifying the permissions of the snapshot. Users that you have authorized can quickly use your unencrypted shared snapshots as the basis for creating their own EBS volumes. If you choose, you can also make your unencrypted snapshots available publicly to all AWS users.

You can share an encrypted snapshot with specific AWS accounts, though you cannot make it public. For others to use the snapshot, you must also share the custom CMK key used to encrypt it. Cross-account permissions may be applied to a custom key either when it is created or at a later time. Users with access can copy your snapshot and create their own EBS volumes based on your snapshot while your original snapshot remains unaffected.

Users of your shared CMK who will be accessing encrypted snapshots must be granted DescribeKey and ReEncrypt permissions. For information about managing and sharing CMK keys, see Controlling Access to Customer Master Keys.

Important

AWS prevents you from sharing snapshots that were encrypted with your default CMK. Snapshots that you intend to share must instead be encrypted with a custom CMK. For information about creating keys, see Creating Keys.

If you have access to a shared encrypted snapshot and you wish to restore a volume from it, you must create a personal copy of the snapshot and then use that copy to restore the volume.

Note

We recommend that you re-encrypt the snapshot during the copy process with a different key that you control. This protects your access to the volume if the original key is compromised, or if the owner revokes the key for any reason.

Snapshots are constrained to the region in which they are created. If you would like to share a snapshot with another region, you need to copy the snapshot to that region. For more information about copying snapshots, see Copying an Amazon EBS Snapshot.

Important

When you share a snapshot (whether by sharing it with another AWS account or making it public to all), you are giving others access to all the data on your snapshot. Share snapshots only with people with whom you want to share all your snapshot data.

To modify snapshot permissions using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Snapshots in the navigation pane.

  3. Select a snapshot and then choose Modify Permissions from the Actions list.

  4. Choose whether to make the snapshot public or to share it with specific AWS accounts:

    • To make the snapshot public, choose Public.

      Note

      This is not a valid option for encrypted snapshots or snapshots with AWS Marketplace product codes.
    • To expose the snapshot to only specific AWS accounts, choose Private, enter the ID of the AWS account (without hyphens) in the AWS Account Number field, and choose Add Permission. Repeat until you've added all the required AWS accounts.

      Important

      If your snapshot is encrypted, you must ensure that the following are true:

      • The snapshot is encrypted with a custom CMK, not your default CMK. If you attempt to change the permissions of a snapshot encrypted with your default CMK, the console will display an error message.

      • You are sharing the custom CMK with the accounts that have access to your snapshot.

  5. Choose Save.

To view and modify snapshot permissions using the command line

To view the createVolumePermission attribute of a snapshot, you can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

To modify the createVolumePermission attribute of a snapshot, you can use one of the following commands.