I want to share an Amazon Elastic Block Store (Amazon EBS) snapshot or volume with another AWS account. But, I don't know how.
Short description
You can't directly share an encrypted EBS volume with another AWS account. Instead, you must first create and share an encrypted Amazon EBS snapshot with the other account. Then, create a new volume from the copy of the shared snapshot to share the volume.
When sharing EBS snapshots, keep the following in mind:
- You can't share snapshots that are encrypted with a default AWS Key Management Service (AWS KMS) key. Instead, you must encrypt the snapshot with a customer managed key.
- You can't share encrypted snapshots publicly. To share a snapshot publicly, make sure that it's not encrypted.
For more information, see Before you share a snapshot.
Resolution
Note: To complete the following steps, you must have permissions to edit volumes and snapshots. If you create a volume from an encrypted snapshot but don't see it on the volume list, then you might not have the correct permissions. Also, a snapshot that goes into an error state indicates that there is a permissions issue.
Share a snapshot that's encrypted with a customer managed key
To share a snapshot that's encrypted with a customer managed key, you must share the customer managed key that you used to encrypt the snapshot.
First, follow the steps to share a snapshot. Then, follow the steps to share an AWS KMS key.
Share a snapshot that's encrypted with a default AWS KMS key
You can't change a snapshot's default encryption after you create the snapshot. Therefore, to share a snapshot that's encrypted with a default AWS KMS key, you must first create a copy of the snapshot. Then, encrypt the snapshot copy with a customer managed key. For more information, see Encryption and snapshot copying.
If you don't have a customer managed key, then see Create an AWS KMS key in a custom key store (console).
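The sharing rules above can be checked before a share is attempted. The following is an added example, not AWS code: it works on constructed records shaped like `aws ec2 describe-snapshots` output and on the `KeyManager` field of `aws kms describe-key`. The snapshot IDs, key ARNs, and function names are assumptions made for illustration.

```python
# Constructed records in the shape of `aws ec2 describe-snapshots` output
# (placeholder IDs and ARNs, not real resources).
SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": False},
    {"SnapshotId": "snap-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/default-ebs"},
    {"SnapshotId": "snap-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/team-cmk"},
]
# KeyManager values as found in `aws kms describe-key` KeyMetadata:
# "AWS" for an AWS managed (default) key, "CUSTOMER" for a customer managed key.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111111111111:key/default-ebs": "AWS",
    "arn:aws:kms:us-east-1:111111111111:key/team-cmk": "CUSTOMER",
}


def share_plan(snapshot, key_manager, public=False):
    """Return the ordered steps needed before this snapshot can be shared.

    Raises ValueError for a request that the rules above rule out.
    """
    sid = snapshot["SnapshotId"]
    if not snapshot.get("Encrypted"):
        return [f"share {sid}"]
    if public:
        raise ValueError(f"{sid}: encrypted snapshots can't be shared publicly")
    key = snapshot.get("KmsKeyId")
    manager = key_manager.get(key)
    if manager is None:
        raise ValueError(f"{sid}: unknown KMS key; run describe-key first")
    if manager == "AWS":
        # Default key: encryption can't be changed in place, so copy first.
        return [f"copy {sid} and encrypt the copy with a customer managed key",
                "share the copy",
                "share the customer managed key"]
    return [f"share {sid}", f"share KMS key {key}"]


def audit(snapshots, key_manager):
    """Map each snapshot ID to its plan for a cross-account (non-public) share."""
    return {s["SnapshotId"]: share_plan(s, key_manager) for s in snapshots}


if __name__ == "__main__":
    for sid, steps in audit(SNAPSHOTS, KEY_MANAGER).items():
        print(sid, "->", "; ".join(steps))
```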
Share an encrypted EBS volume with another account
To share an encrypted volume with another account, follow these steps.
From the source account:
- Create a snapshot of the volume.
Important: If the EBS volume is attached to an instance, then first stop the instance to maintain data consistency.
- Complete the steps in the preceding section, Share a snapshot that's encrypted with a customer managed key.
From the target account:
- Create a copy of the shared snapshot.
Note: Be sure to select your customer managed key. Otherwise, Amazon EBS encryption uses the default key. For more information on copying a snapshot, see Copy an Amazon EBS snapshot, and review the Prerequisites, Considerations, and Pricing.
- Create a volume from the snapshot.
Note: You can't attach a volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in a different Availability Zone. Therefore, make sure to create the volume in the same Availability Zone where the Amazon EC2 instance is.
Important: You can restore snapshots only in the AWS Region where you created the snapshot. For EBS volumes in another Region, copy the snapshot to that Region first, and then restore the snapshot.