Sharing an Amazon EBS Snapshot
You can share your unencrypted snapshots with your co-workers or others in the AWS community by modifying the permissions of the snapshot. Users that you have authorized can quickly use your unencrypted shared snapshots as the basis for creating their own EBS volumes. If you choose, you can also make your unencrypted snapshots available publicly to all AWS users.
You can share an encrypted snapshot with specific AWS accounts, though you cannot make it public. For others to use the snapshot, you must also share the custom CMK key used to encrypt it. Cross-account permissions may be applied to a custom key either when it is created or at a later time. Users with access can copy your snapshot and create their own EBS volumes based on your snapshot while your original snapshot remains unaffected.
When you share a snapshot (whether by sharing it with another AWS account or making it public to all), you are giving others access to all the data on your snapshot. Share snapshots only with people with whom you want to share all your snapshot data.
Several technical and policy restrictions apply to sharing snapshots:
Snapshots are constrained to the region in which they were created. If you would like to share a snapshot with another region, you need to copy the snapshot to that region. For more information about copying snapshots, see Copying an Amazon EBS Snapshot.
If your snapshot uses the longer resource ID format, you can only share it with another account that also supports longer IDs. For more information, see Resource IDs.
AWS prevents you from sharing snapshots that were encrypted with your default CMK. Snapshots that you intend to share must instead be encrypted with a custom CMK. For information about creating keys, see Creating Keys.
Users of your shared CMK who will be accessing encrypted snapshots must be granted
ReEncryptpermissions. For information about managing and sharing CMK keys, see Controlling Access to Customer Master Keys.
If you have access to a shared encrypted snapshot and you wish to restore a volume from it, you must create a personal copy of the snapshot and then use that copy to restore the volume. We recommend that you re-encrypt the snapshot during the copy process with a different key that you control. This protects your access to the volume if the original key is compromised, or if the owner revokes the key for any reason.
To modify snapshot permissions using the console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
Choose Snapshots in the navigation pane.
Select a snapshot and then choose Modify Permissions from the Actions list.
Choose whether to make the snapshot public or to share it with specific AWS accounts:
To make the snapshot public, choose Public.
This is not a valid option for encrypted snapshots or snapshots with AWS Marketplace product codes.
To expose the snapshot to only specific AWS accounts, choose Private, enter the ID of the AWS account (without hyphens) in the AWS Account Number field, and choose Add Permission. Repeat until you've added all the required AWS accounts.
If your snapshot is encrypted, you must ensure that the following are true:
The snapshot is encrypted with a custom CMK, not your default CMK. If you attempt to change the permissions of a snapshot encrypted with your default CMK, the console will display an error message.
You are sharing the custom CMK with the accounts that have access to your snapshot.
To view and modify snapshot permissions using the command line
To view the
createVolumePermission attribute of a snapshot, you can
use one of the following commands. For more information about these command line interfaces,
see Accessing Amazon EC2.