How do I share an encrypted Amazon EBS snapshot or volume with another AWS account?


I want to share an Amazon Elastic Block Store (Amazon EBS) snapshot or volume with another AWS account.

Resolution

Important: Amazon EBS encryption is available on all current and previous generation Amazon Elastic Compute Cloud (Amazon EC2) instance types.

Check whether you can share your Amazon EBS volume. Review the following factors:

  • You can't directly share an encrypted EBS volume with another account.
  • You can attach an EBS volume only to an Amazon EC2 instance that's in the same Availability Zone.
  • Amazon EBS automatically encrypts EBS volumes that you create from encrypted EBS snapshots. By default, an EBS volume that you create uses the same AWS Key Management Service (AWS KMS) key as the EBS snapshot that you use to create it. However, you can specify a different AWS KMS key.
  • Amazon EBS doesn't automatically encrypt EBS volumes that you create from unencrypted EBS snapshots. However, you can encrypt them.
  • If an EBS volume that you create from an encrypted EBS snapshot isn’t in the Volumes list, then you might not have the necessary permissions.
  • You can share only EBS snapshots that you encrypt with a customer managed AWS KMS key.
  • Amazon EBS constrains EBS snapshots to the AWS Region that you create them in. To share an EBS snapshot with another Region, copy the EBS snapshot to that Region and then share the copy. For more information, see Copy an Amazon EBS snapshot.
  • When you share an encrypted EBS snapshot, you must also share the customer managed AWS KMS key that you use to encrypt the EBS snapshot. For more information, see Share the KMS key used to encrypt a shared Amazon EBS snapshot.

Share your Amazon EBS volume

To share an EBS volume, complete the following steps:

  1. In the source account, create an EBS snapshot of the EBS volume.
  2. In the source account, share the EBS snapshot with the target account.
  3. If the EBS snapshot is encrypted, then share the customer managed AWS KMS key from its source account with the target account.
  4. In the target account, create a copy of the shared EBS snapshot.
    Important: You must activate encryption for your EBS snapshot copy. When you specify your EBS snapshot copy's encryption status, select your customer managed AWS KMS key. Otherwise, EBS encryption uses the default AWS KMS key. If you don't have a customer managed AWS KMS key, then create an AWS KMS key.
  5. In the target account, create a new EBS volume. For Snapshot ID, select the EBS snapshot copy that you created in step 4.
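
A pre-share check for step 3, added here as an example and not AWS's own code: it reads a KMS key policy document and reports which actions the target account still lacks, and whether any unconditioned statement is open to every account. The action list, the account IDs and the sample policy are assumptions constructed for illustration; the check ignores Deny, Condition and any IAM policies in the target account.

```python
import fnmatch

# Assumed list: the KMS actions AWS recommends granting to the account that
# copies a shared encrypted snapshot. Not taken from this page; adjust as needed.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if an Allow principal is the account itself (bare ID or root ARN)."""
    if not isinstance(principal, dict):
        return False  # "*" is reported by open_statements(), not counted as a share
    wanted = {account_id, f"arn:aws:iam::{account_id}:root"}
    return any(p in wanted for p in _as_list(principal.get("AWS", [])))

def missing_actions(key_policy, account_id):
    """Required actions no Allow statement grants to account_id (simplified check)."""
    granted = set()
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _names_account(stmt.get("Principal"), account_id):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action patterns are case-insensitive and allow * and ? wildcards.
            granted.update(a for a in REQUIRED_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(set(REQUIRED_ACTIONS) - granted)

def open_statements(key_policy):
    """Sids of unconditioned Allow statements whose principal is any AWS account."""
    def is_open(p):
        return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
    return [s.get("Sid", "<no Sid>") for s in _as_list(key_policy.get("Statement", []))
            if s.get("Effect") == "Allow" and is_open(s.get("Principal"))
            and "Condition" not in s]

# Constructed sample policy: source account 111122223333, target 444455556666.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "ShareWithTarget", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
     "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, "444455556666"), open_statements(SAMPLE_POLICY))
```

In the sample, the target account is missing `kms:CreateGrant`, the kind of gap that matches the "might not have the necessary permissions" case in the list above.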

Related information

View Amazon EBS snapshot information

AWS OFFICIAL | Updated 2 months ago