Copying an Amazon EBS Snapshot
With Amazon EBS, you can create point-in-time snapshots of volumes which we store for you in Amazon Simple Storage Service (Amazon S3). After you've created a snapshot and it has finished copying to Amazon S3 (when snapshot status is completed), you can copy it from one AWS region to another, or within the same region. Amazon S3 server-side encryption (256-bit AES) protects a snapshot's data-in-transit during copying. The snapshot copy receives a snapshot ID different from the original snapshot's ID.
To copy an Amazon Relational Database Service (Amazon RDS) snapshot, see Copying a DB Snapshot in the Amazon Relational Database Service User Guide.
You can use a copy of a snapshot in the following ways:
Geographic expansion: Launch your applications in a new region.
Migration: Move an application to a new region, to enable better availability and minimize cost.
Disaster recovery: Back up your data and logs across different geographical locations at regular intervals. In case of disaster, you can restore your applications using point-in-time backups stored in the secondary region. This minimizes data loss and recovery time.
Encryption: Encrypt a previously unencrypted snapshot, change the key with which the snapshot is encrypted, or, for encrypted snapshots that have been shared with you, create a copy that you own in order to restore the volume from it.
Data retention and auditing requirements: Copy your encrypted EBS snapshots from one AWS account to another to preserve data logs or other files for auditing or data retention. Using a different account helps prevent accidental snapshot deletions, and protects you if your main AWS account is compromised.
Snapshots created by the CopySnapshot action have an arbitrary volume ID that should not be used for any purpose.
You can have up to five snapshot copy requests in progress to a single destination per account. You can copy any accessible snapshots that have a completed status, including shared snapshots and snapshots that you've created. You can also copy AWS Marketplace, VM Import/Export, and AWS Storage Gateway snapshots, but you must verify that the snapshot is supported in the destination region.
The first snapshot copy to another region is always a full copy. Each subsequent snapshot copy is incremental (which makes the copy process faster), meaning that only the blocks in the snapshot that have changed after your last snapshot copy to the same destination are transferred. Support for incremental snapshots is specific to a region pair where a previous complete snapshot copy of the source volume is already available in the destination region, and it is limited to the default EBS CMK for encrypted snapshots. For example, if you copy an unencrypted snapshot from the US East (N. Virginia) region to the US West (Oregon) region, the first snapshot copy of the volume is a full copy and subsequent snapshot copies of the same volume transferred between the same regions are incremental.
Snapshot copies within a single account and region do not copy any data at all and are cost-free as long as the following conditions apply:
The encryption status of the snapshot copy does not change during the copy operation.
For encrypted snapshots, both the source snapshot and the copy are encrypted with the default EBS CMK.
If you would like another account to be able to copy your snapshot, you must either modify the snapshot permissions to allow access to that account or make the snapshot public so that all AWS accounts may copy it. For more information, see Sharing an Amazon EBS Snapshot.
For pricing information about copying snapshots across regions and accounts, see Amazon EBS Pricing.
When you copy a snapshot, you can choose to encrypt the copy (if the original snapshot was not encrypted) or you can specify a CMK different from the original one, and the resulting copied snapshot will use the new CMK. However, changing the encryption status of a snapshot or using a non-default EBS CMK during a copy operation always results in a full copy (not incremental), which may incur greater data transfer and storage charges.
To copy an encrypted snapshot from another account, you must have permissions to use the snapshot and you must have permissions to use the customer master key (CMK) that was used to encrypt the original snapshot. For more information, see Sharing an Amazon EBS Snapshot.
When copying an encrypted snapshot that was shared with you, you should consider re-encrypting the snapshot during the copy process with a different key that you control. This protects you if the original key is compromised, or if the owner revokes the key for any reason, which could cause you to lose access to the volume you created.
To copy a snapshot using the Amazon EC2 console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Snapshots.
Select the snapshot to copy, and then choose Copy from the Actions list.
In the Copy Snapshot dialog box, update the following as necessary:
Destination region: Select the region where you want to write the copy of the snapshot.
Description: By default, the description includes information about the source snapshot so that you can identify a copy from the original. You can change this description as necessary.
Encryption: If the source snapshot is not encrypted, you can choose to encrypt the copy. You cannot decrypt an encrypted snapshot.
Master Key: The customer master key (CMK) that will be used to encrypt this snapshot. You can select from master keys in your account or type/paste the ARN of a key from a different account. You can create a new master encryption key in the IAM console.
In the Copy Snapshot confirmation dialog box, choose Snapshots to go to the Snapshots page in the region specified, or choose Close.
To view the progress of the copy process later, switch to the destination region, and then refresh the Snapshots page. Copies in progress are listed at the top of the page.
To check for failure
If you attempt to copy an encrypted snapshot without having permissions to use the encryption key, the operation will fail silently. The error state will not be displayed in the console until you refresh the page. You can also check the state of the snapshot from the command line. For example:
aws ec2 describe-snapshots --snapshot-ids snap-0123abcd
If the copy failed because of insufficient key permissions, you will see the following message:
"StateMessage": "Given key ID is not accessible"
When copying an encrypted snapshot, you must have describe permissions on the default CMK. Explicitly denying these permissions will result in copy failure.
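The failure check above, and the earlier advice to re-encrypt shared snapshots with a key you control, can both be automated over the JSON that aws ec2 describe-snapshots prints. The following is an added example, not AWS's own code; the sample response, its snapshot IDs, account numbers and key ARNs are constructed, and the function names kms_key_account and audit_snapshots are hypothetical.

```python
import json

KEY_DENIED = "Given key ID is not accessible"  # StateMessage quoted on this page

# Constructed sample in the shape `aws ec2 describe-snapshots` returns.
# IDs, account numbers and key ARNs are placeholders, not real resources.
SAMPLE = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-example0001", "OwnerId": "111122223333", "State": "error",
   "StateMessage": "Given key ID is not accessible", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-west-2:444455556666:key/EXAMPLE-SOURCE-KEY"},
  {"SnapshotId": "snap-example0002", "OwnerId": "111122223333", "State": "pending",
   "Progress": "37%", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-OWN-KEY"},
  {"SnapshotId": "snap-example0003", "OwnerId": "111122223333", "State": "completed",
   "Progress": "100%", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-west-2:444455556666:key/EXAMPLE-SOURCE-KEY"},
  {"SnapshotId": "snap-example0004", "OwnerId": "111122223333", "State": "completed",
   "Progress": "100%", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-OWN-KEY"}
]}
""")

def kms_key_account(key_arn):
    """Return the account ID field of a KMS key ARN, or None if it is not one."""
    parts = key_arn.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[4]
    return None

def audit_snapshots(response):
    """Return (snapshot_id, finding, detail) tuples for snapshots needing attention."""
    findings = []
    for snap in response.get("Snapshots", []):
        sid, state = snap["SnapshotId"], snap.get("State")
        if state == "error":
            # The console hides this until refreshed; StateMessage carries the reason.
            reason = "key-permission" if KEY_DENIED in snap.get("StateMessage", "") else "other"
            findings.append((sid, "copy-failed", reason))
        elif state != "completed":
            findings.append((sid, "in-progress", snap.get("Progress", "")))
        elif snap.get("Encrypted"):
            # A completed copy still tied to another account's CMK can be lost
            # if that key's owner revokes access.
            key_account = kms_key_account(snap.get("KmsKeyId", ""))
            if key_account != snap.get("OwnerId"):
                findings.append((sid, "foreign-key", key_account))
    return findings

if __name__ == "__main__":
    for finding in audit_snapshots(SAMPLE):
        print(*finding)
```

To run it against a live account, replace SAMPLE with the parsed output of the describe-snapshots command in the destination region.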