Sharing Amazon EBS Snapshots - AWS Security Incident Response Guide

Sharing Amazon EBS Snapshots

Many customers use Amazon Elastic Block Store (Amazon EBS) snapshots as part of their investigation for security events that involve their Amazon EC2 instances. Snapshots of Amazon EBS volumes are incremental backups. For more information about Amazon EBS incremental snapshots, see Amazon EBS snapshots.

To perform an investigation of an Amazon EBS volume in a separate, isolated account, you must modify the permissions of the snapshot to share it with the other specified AWS accounts. Users that you have authorized can use the snapshots you share as the basis to create their own EBS volumes, while your original snapshot remains unaffected. For more information, see Share an Amazon EBS snapshot.

If your snapshot is encrypted, you must also share the custom AWS Key Management Service (AWS KMS) Customer Managed Key (CMK) used to encrypt the snapshot. You can apply cross-account permissions to a custom CMK when it is created or at a later time. Snapshots are constrained to the Region in which they were created, but you can share a snapshot with another Region by copying the snapshot to that Region. For more information, see Copy an Amazon EBS snapshot.
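The sharing steps above, sketched with a pre-flight check that the key policy already lets the investigation account use the key before the snapshot permission is changed. This is an added example, not code from the AWS guide. The `ec2` argument is assumed to be a boto3 EC2 client, the function names are hypothetical, and the list of required KMS actions is an assumption to verify against the current EBS sharing documentation.

```python
from fnmatch import fnmatchcase

# Assumption: the KMS actions the investigation account needs to create a
# volume from, or copy, an encrypted snapshot that was shared with it.
REQUIRED = ["kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
            "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def key_policy_statement(account_id):
    """Key policy statement that lets the investigation account use the key."""
    return {
        "Sid": "AllowForensicAccountUseOfKey",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
                   "kms:ReEncrypt*", "kms:GenerateDataKey*"],
        "Resource": "*",
    }


def missing_key_actions(key_policy, account_id):
    """Return the REQUIRED actions the key policy does not allow account_id.

    Only Allow statements that name the account are considered; wildcard
    principals, Deny statements and Condition blocks are not evaluated.
    """
    wanted = {account_id, f"arn:aws:iam::{account_id}:root"}
    granted = []
    for stmt in _as_list(key_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and wanted & set(names):
            granted += _as_list(stmt.get("Action", []))
    return [a for a in REQUIRED
            if not any(fnmatchcase(a.lower(), g.lower()) for g in granted)]


def share_snapshot(ec2, snapshot, account_id, key_policy=None):
    """Share one snapshot (a describe_snapshots entry) with account_id."""
    if snapshot.get("Encrypted"):
        missing = missing_key_actions(key_policy or {}, account_id)
        if missing:  # sharing now would hand over a snapshot nobody can read
            raise PermissionError(f"key {snapshot.get('KmsKeyId')} lacks {missing}")
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot["SnapshotId"], Attribute="createVolumePermission",
        OperationType="add", UserIds=[account_id])
    return snapshot["SnapshotId"]
```

The key policy passed in is the parsed JSON document of the customer managed key that encrypted the snapshot; the statement returned by `key_policy_statement` is what would be appended to it when the check reports missing actions.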