How can I share an encrypted EBS snapshot or volume with another AWS account?


I want to share an Amazon Elastic Block Store (Amazon EBS) snapshot or volume with another AWS account.

Short description

Consider the following prerequisites for Amazon EBS volumes and EBS snapshots before sharing a volume or snapshot:

  • Amazon EBS encryption is available on all current generation and previous generation Amazon Elastic Compute Cloud (Amazon EC2) instance types.
  • To attach an EBS volume to an Amazon EC2 instance, both must be in the same Availability Zone.
  • Volumes that are created from encrypted snapshots are automatically encrypted using the same key as the snapshot. You can also use a different key that you specify.
  • Volumes that are created from unencrypted snapshots are unencrypted by default, but you can encrypt these volumes.
  • If you don't see a volume that you created from an encrypted snapshot in the Volumes list, then you might not have the correct permissions.
  • A snapshot in an error state might indicate permissions issues.

Resolution

You can't directly share an encrypted EBS volume with another AWS account, so you must complete the following steps to share a volume.

Important: Review the snapshot creation and snapshot sharing information before you start.

  1. In the source account, create an EBS snapshot of the EBS volume.
  2. In the source account, share the snapshot with the target account.
  3. When the snapshot is encrypted with a customer managed key, share the customer managed key with the target account from the source account.
  4. In the target account, create a copy of the shared snapshot and encrypt the snapshot copy.
    Note: Be sure to select your customer managed key. Otherwise, EBS encryption uses the default key. For more information on copying a snapshot, see Copy an Amazon EBS snapshot, and review the information in Prerequisites, Considerations, and Pricing.
    Note: If you don't have a customer managed key, see Creating keys.
  5. In the target account, create a new volume from the copy of the shared snapshot.
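
Because a missing key permission in step 3 can surface later as a snapshot copy in an error state, the following added example (not AWS's own code) builds the key policy statements that share a customer managed key with the target account and audits a key policy for the KMS actions the copy in step 4 needs. The account IDs, Sids and function names are constructed for illustration; the required-action list follows AWS's EBS guidance on sharing a KMS key and should be confirmed against the current documentation.

```python
import fnmatch

# KMS actions the target account needs on the key to copy the shared snapshot
# (assumption: list per AWS's EBS guidance on sharing a KMS key; confirm in current docs).
REQUIRED = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"]

def share_statements(target_account):
    """Key policy statements for step 3: let the target account use the key."""
    principal = {"AWS": f"arn:aws:iam::{target_account}:root"}
    return [
        {"Sid": "AllowTargetUseOfKey", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
         "Resource": "*"},
        # Grants only when an AWS service (here EBS) requests them for the account.
        {"Sid": "AllowTargetGrantsForAWSResources", "Effect": "Allow", "Principal": principal,
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit(policy, target_account):
    """Return (missing_actions, open_sids). Simplified: Deny statements and
    condition semantics are not evaluated."""
    wanted = {target_account, f"arn:aws:iam::{target_account}:root"}
    granted, open_sids = set(), []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        if "*" in arns and "Condition" not in st:
            open_sids.append(st.get("Sid", "<no Sid>"))  # any AWS principal can use the key
        if "*" in arns or wanted & set(arns):
            for pattern in _listify(st.get("Action", [])):
                granted.update(a for a in REQUIRED
                               if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(set(REQUIRED) - granted), open_sids

# Constructed sample: source account 111122223333 shares its key with 444455556666.
SOURCE, TARGET = "111122223333", "444455556666"
policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableSourceAdmin", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{SOURCE}:root"}, "Action": "kms:*", "Resource": "*"},
    *share_statements(TARGET)]}

if __name__ == "__main__":
    print(audit(policy, TARGET))  # ([], [])
```

An empty first list means the target account has every action the copy needs; a non-empty second list names statements that open the key to any AWS principal without a condition.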
AWS OFFICIAL. Updated 8 months ago