Use encryption
When you start a new snapshot using StartSnapshot, the encryption status depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your Amazon account is enabled for encryption by default.
- You might need additional IAM permissions to use the EBS direct APIs with encryption. For more information, see Permissions to use Amazon KMS keys.
- If Amazon EBS encryption by default is enabled on your Amazon account, you can't create unencrypted snapshots.
- If Amazon EBS encryption by default is enabled on your Amazon account, you cannot start a new snapshot using an unencrypted parent snapshot. You must first encrypt the parent snapshot by copying it. For more information, see Copy an Amazon EBS snapshot.
Encryption outcomes: Unencrypted parent snapshot
The following table describes the encryption outcome for each possible combination of settings when specifying an unencrypted parent snapshot.
ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
---|---|---|---|---|
Unencrypted | Omitted | Omitted | Enabled | The request fails with ValidationException. |
Unencrypted | Omitted | Omitted | Disabled | The snapshot is unencrypted. |
Unencrypted | Omitted | Specified | Enabled | The request fails with ValidationException. |
Unencrypted | Omitted | Specified | Disabled | The request fails with ValidationException. |
Unencrypted | True | Omitted | Enabled | The request fails with ValidationException. |
Unencrypted | True | Omitted | Disabled | The request fails with ValidationException. |
Unencrypted | True | Specified | Enabled | The request fails with ValidationException. |
Unencrypted | True | Specified | Disabled | The request fails with ValidationException. |
Unencrypted | False | Omitted | Enabled | The request fails with ValidationException. |
Unencrypted | False | Omitted | Disabled | The request fails with ValidationException. |
Unencrypted | False | Specified | Enabled | The request fails with ValidationException. |
Unencrypted | False | Specified | Disabled | The request fails with ValidationException. |
Encryption outcomes: Encrypted parent snapshot
The following table describes the encryption outcome for each possible combination of settings when specifying an encrypted parent snapshot.
ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
---|---|---|---|---|
Encrypted | Omitted | Omitted | Enabled | The snapshot is encrypted using the same KMS key as the parent snapshot. |
Encrypted | Omitted | Omitted | Disabled | The snapshot is encrypted using the same KMS key as the parent snapshot. |
Encrypted | Omitted | Specified | Enabled | The request fails with ValidationException. |
Encrypted | Omitted | Specified | Disabled | The request fails with ValidationException. |
Encrypted | True | Omitted | Enabled | The request fails with ValidationException. |
Encrypted | True | Omitted | Disabled | The request fails with ValidationException. |
Encrypted | True | Specified | Enabled | The request fails with ValidationException. |
Encrypted | True | Specified | Disabled | The request fails with ValidationException. |
Encrypted | False | Omitted | Enabled | The request fails with ValidationException. |
Encrypted | False | Omitted | Disabled | The request fails with ValidationException. |
Encrypted | False | Specified | Enabled | The request fails with ValidationException. |
Encrypted | False | Specified | Disabled | The request fails with ValidationException. |
Encryption outcomes: No parent snapshot
The following table describes the encryption outcome for each possible combination of settings when not using a parent snapshot.
ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
---|---|---|---|---|
Omitted | True | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. * |
Omitted | True | Omitted | Disabled | The snapshot is encrypted using the default KMS key for your account. * |
Omitted | True | Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. |
Omitted | True | Specified | Disabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. |
Omitted | False | Omitted | Enabled | The request fails with ValidationException. |
Omitted | False | Omitted | Disabled | The snapshot is unencrypted. |
Omitted | False | Specified | Enabled | The request fails with ValidationException. |
Omitted | False | Specified | Disabled | The request fails with ValidationException. |
Omitted | Omitted | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. * |
Omitted | Omitted | Omitted | Disabled | The snapshot is unencrypted. |
Omitted | Omitted | Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. |
Omitted | Omitted | Specified | Disabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. |
* This default KMS key could be a customer managed key or the default Amazon managed KMS key for Amazon EBS encryption.
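The three outcome tables above folded into a single preflight check, as an added example that is not part of this documentation: `predict_start_snapshot` applies the rules offline, and the hypothetical `preflight` helper resolves the parent snapshot's encryption status and the account's encryption-by-default setting from a boto3 EC2 client the caller supplies (assumed installed), so a failing combination is caught before StartSnapshot is called.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    ok: bool          # False means StartSnapshot would return ValidationException
    encrypted: bool   # encryption state of the resulting snapshot when ok
    key: str          # "parent", "specified", "default", or "" when unencrypted/failed
    reason: str


def predict_start_snapshot(parent: Optional[bool], encrypted: Optional[bool],
                           kms_key_arn: Optional[str], encryption_by_default: bool) -> Outcome:
    """parent: None = ParentSnapshotId omitted, True/False = parent is encrypted/unencrypted.
    encrypted: None = Encrypted parameter omitted. kms_key_arn: None = KmsKeyArn omitted."""
    def fail(why: str) -> Outcome:
        return Outcome(False, False, "", "ValidationException: " + why)

    if parent is not None:
        # With a parent snapshot, both Encrypted and KmsKeyArn must be omitted (tables 1 and 2).
        if encrypted is not None:
            return fail("Encrypted must be omitted when ParentSnapshotId is specified")
        if kms_key_arn is not None:
            return fail("KmsKeyArn must be omitted when ParentSnapshotId is specified")
        if parent:
            return Outcome(True, True, "parent", "encrypted with the parent snapshot's KMS key")
        if encryption_by_default:
            return fail("unencrypted parent rejected while encryption by default is enabled; "
                        "copy the parent to encrypt it first")
        return Outcome(True, False, "", "unencrypted, same as the parent snapshot")
    # No parent snapshot (table 3).
    if encrypted is False:
        if kms_key_arn is not None:
            return fail("KmsKeyArn specified together with Encrypted=False")
        if encryption_by_default:
            return fail("Encrypted=False rejected while encryption by default is enabled")
        return Outcome(True, False, "", "unencrypted")
    if kms_key_arn is not None:
        return Outcome(True, True, "specified", "encrypted with " + kms_key_arn)
    if encrypted is True or encryption_by_default:
        return Outcome(True, True, "default", "encrypted with the account default KMS key")
    return Outcome(True, False, "", "unencrypted")


def preflight(ec2, parent_snapshot_id: Optional[str] = None, encrypted: Optional[bool] = None,
              kms_key_arn: Optional[str] = None) -> Outcome:
    """Hypothetical helper: ec2 is a boto3 EC2 client; fetches the live inputs, then predicts."""
    parent = None
    if parent_snapshot_id:
        snap = ec2.describe_snapshots(SnapshotIds=[parent_snapshot_id])["Snapshots"][0]
        parent = bool(snap["Encrypted"])
    by_default = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return predict_start_snapshot(parent, encrypted, kms_key_arn, by_default)
```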