View EBS snapshot details for your AWS account or organization - AWS Prescriptive Guidance

Created by Arun Chandapillai (AWS) and Parag Nagwekar (AWS)

Environment: Production

Technologies: Operations; Storage & backup

AWS services: Amazon EBS

Summary

This pattern describes how you can automatically generate an on-demand report of all Amazon Elastic Block Store (Amazon EBS) snapshots in your Amazon Web Services (AWS) account or organizational unit (OU) in AWS Organizations. 

Amazon EBS is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). An EBS volume provides durable and persistent storage that you can attach to your EC2 instances. You can use EBS volumes as primary storage for your data and take a point-in-time backup of your EBS volumes by creating a snapshot. You can use the AWS Management Console or the AWS Command Line Interface (AWS CLI) to view the details of specific EBS snapshots. This pattern provides a programmatic way to retrieve information about all EBS snapshots in your AWS account or OU.

You can use the script provided by this pattern to generate a comma-separated values (CSV) file that has the following information about each snapshot: account ID, snapshot ID, volume ID and size, the date the snapshot was taken, instance ID, and description. If your EBS snapshots are tagged, the report also includes the owner and team attributes.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • AWS CLI version 2 installed and configured

  • AWS Identity and Access Management (IAM) role with the appropriate permissions (access permissions for a specific account or for all accounts in an OU if you’re planning to run the script from AWS Organizations)

Architecture

The following diagram shows the script workflow that generates an on-demand report of EBS snapshots that are spread across multiple AWS accounts in an OU.

[Diagram: Generating an on-demand report of EBS snapshots across OUs]

Tools

AWS services

Code 

The code for the sample application used in this pattern is available on GitHub, in the aws-ebs-snapshots-awsorganizations repository. Follow the instructions in the next section to use the sample files.

Epics

Task: Download the Python script.

Description: Download the script GetSnapshotDetailsAllAccountsOU.py from the GitHub repository.

Skills required: General AWS

Task: Run the Python script.

Description: Run the command:

python3 getsnapshotinfo.py --file <output-file>.csv --region <region-name>

where <output-file> refers to the CSV output file where you want information about the EBS snapshots placed, and <region-name> is the AWS Region where the snapshots are stored. For example:

python3 getsnapshotinfo.py --file snapshots.csv --region us-east-1

Skills required: General AWS

Task: Run the Python script.

Description: Run the command:

python3 getsnapshotinfo.py --file <output-file>.csv --role <IAM-role> --region <region-name>

where <output-file> refers to the CSV output file where you want information about the EBS snapshots placed, <IAM-role> is a role that provides permissions to access AWS Organizations, and <region-name> is the AWS Region where the snapshots are stored. For example:

python3 getsnapshotinfo.py --file snapshots.csv --role <IAM role> --region us-west-2

Skills required: General AWS

Related resources

Additional information

EBS snapshot types

Amazon EBS provides three types of snapshots, based on ownership and access:

  • Owned by you – By default, only you can create volumes from snapshots that you own.

  • Public snapshots – You can share snapshots publicly with all other AWS accounts. To create a public snapshot, you modify the permissions for a snapshot to share it with the AWS accounts that you specify. Users that you authorize can then use the snapshots you share by creating their own EBS volumes, while your original snapshot remains unaffected. You can also make your unencrypted snapshots available publicly to all AWS users. However, you can't make your encrypted snapshots available publicly for security reasons. Public snapshots pose a significant security risk because of the possibility of exposing personal and sensitive data. We strongly recommend against sharing your EBS snapshots with all AWS accounts. For more information about sharing snapshots, see the AWS documentation.

  • Private snapshots – You can share snapshots privately with individual AWS accounts that you specify. To share the snapshot privately with specific AWS accounts, follow the instructions in the AWS documentation, and choose Private for the permissions setting. Users that you have authorized can use the snapshots that you share to create their own EBS volumes, while your original snapshot remains unaffected.
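The report fields listed in the Summary and the three snapshot types above can be combined into one review-ready report. The following is an added example, not the pattern's GetSnapshotDetailsAllAccountsOU.py script: it takes items shaped like EC2 DescribeSnapshots output and the CreateVolumePermissions lists from DescribeSnapshotAttribute, labels each snapshot as owned, private or public, and lists public snapshots first. The tag keys owner and team, the added encrypted and sharing columns, and all sample values are assumptions; instance ID is omitted.

```python
import csv
import sys

# The page's report columns (instance ID omitted) plus added "encrypted", "sharing".
FIELDS = ["account_id", "snapshot_id", "volume_id", "size_gib", "start_time",
          "description", "owner", "team", "encrypted", "sharing"]

def classify_sharing(permissions):
    """Map a CreateVolumePermissions list to public / private:<ids> / owned."""
    if any(p.get("Group") == "all" for p in permissions):
        return "public"
    accounts = sorted(p["UserId"] for p in permissions if "UserId" in p)
    return "private:" + ";".join(accounts) if accounts else "owned"

def build_rows(snapshots, perms):
    """Rows from DescribeSnapshots items, public first; tag keys owner/team assumed."""
    rows = []
    for snap in snapshots:
        tags = {t["Key"].lower(): t["Value"] for t in snap.get("Tags", [])}
        rows.append({
            "account_id": snap["OwnerId"], "snapshot_id": snap["SnapshotId"],
            "volume_id": snap["VolumeId"], "size_gib": snap["VolumeSize"],
            "start_time": snap["StartTime"], "description": snap.get("Description", ""),
            "owner": tags.get("owner", ""), "team": tags.get("team", ""),
            "encrypted": snap.get("Encrypted", False),
            "sharing": classify_sharing(perms.get(snap["SnapshotId"], [])),
        })
    return sorted(rows, key=lambda r: (r["sharing"] != "public", r["snapshot_id"]))

def write_csv(rows, out):
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)

# Constructed sample data (shortened IDs), shaped like the EC2 API responses.
SNAPSHOTS = [
    {"OwnerId": "111122223333", "SnapshotId": "snap-0a1", "VolumeId": "vol-0a1",
     "VolumeSize": 8, "StartTime": "2024-01-05T10:00:00Z", "Encrypted": True,
     "Tags": [{"Key": "Owner", "Value": "alice"}, {"Key": "team", "Value": "db"}]},
    {"OwnerId": "111122223333", "SnapshotId": "snap-0b2", "VolumeId": "vol-0b2",
     "VolumeSize": 100, "StartTime": "2024-02-01T08:30:00Z", "Encrypted": False},
    {"OwnerId": "111122223333", "SnapshotId": "snap-0c3", "VolumeId": "vol-0c3",
     "VolumeSize": 20, "StartTime": "2024-03-09T12:00:00Z", "Encrypted": True},
]
PERMISSIONS = {"snap-0b2": [{"Group": "all"}], "snap-0c3": [{"UserId": "444455556666"}]}

if __name__ == "__main__":
    write_csv(build_rows(SNAPSHOTS, PERMISSIONS), sys.stdout)
```
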

Overviews and procedures

The following table provides links to more information about EBS snapshots, including how you can lower EBS volume costs by finding and deleting unused snapshots, and archive rarely accessed snapshots that do not require frequent or fast retrieval. 

For information about – See

  • Snapshots, their features, and limitations – Create Amazon EBS snapshots

  • How to create a snapshot – Console: Create a snapshot. AWS CLI: create-snapshot command. For example:

    aws ec2 create-snapshot --volume-id vol-1234567890abcdef0 --description " volume snapshot"

  • Deleting snapshots (general information) – Delete an Amazon EBS snapshot

  • How to delete a snapshot – Console: Delete a snapshot. AWS CLI: delete-snapshot command. For example:

    aws ec2 delete-snapshot --snapshot-id snap-1234567890abcdef0

  • Archiving snapshots (general information) – Archive Amazon EBS snapshots; Amazon EBS Snapshots Archive (blog post)

  • How to archive a snapshot – Console: Archive a snapshot. AWS CLI: modify-snapshot-tier command

  • How to retrieve an archived snapshot – Console: Restore an archived snapshot. AWS CLI: restore-snapshot-tier command

  • Snapshot pricing – Amazon EBS pricing

FAQ

What is the minimum archive period?

The minimum archive period is 90 days.

How long would it take to restore an archived snapshot?

It can take up to 72 hours to restore an archived snapshot from the archive tier to the standard tier, depending on the size of the snapshot.

Are archived snapshots full snapshots?

Archived snapshots are always full snapshots.

Which snapshots can a user archive?

You can archive only snapshots that you own in your account.

Can you archive a snapshot of the root device volume of a registered Amazon Machine Image (AMI)?

No, you can’t archive a snapshot of the root device volume of a registered AMI.

What are security considerations for sharing a snapshot?

When you share a snapshot, you are giving others access to all the data on the snapshot. Share snapshots only with people that you trust with your data.

How do you share a snapshot with another AWS Region?

Snapshots are constrained to the Region in which they were created. To share a snapshot with another Region, copy the snapshot to that Region and then share the copy.

Can you share snapshots that are encrypted?

You can't share snapshots that are encrypted with the default AWS managed key. You can share snapshots that are encrypted with a customer managed key only. When you share an encrypted snapshot, you must also share the customer managed key that was used to encrypt the snapshot.

What about unencrypted snapshots?

You can share unencrypted snapshots publicly.