Use encryption
When you start a new snapshot using StartSnapshot, the encryption status depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your Amazon account is enabled for encryption by default.
Note
-
You might need additional IAM permissions to use the EBS direct APIs with encryption. For moreinformation, see Permissions to use Amazon KMS keys.
-
If Amazon EBS encryption by default is enabled on your Amazon account, you can't create unencrypted snapshots.
-
If Amazon EBS encryption by default is enabled on your Amazon account, you cannot start a new snapshot using an unencrypted parent snapshot. You must first encrypt the parent snapshot by copying it. For more information, see Copy an Amazon EBS snapshot.
Topics
Encryption outcomes: Unencrypted parent snapshot
The following table describes the encryption outcome for each possible combination of settings when specifying an unencrypted parent snapshot.
| ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
|---|---|---|---|---|
| Unencrypted | Omitted | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | The snapshot is unencrypted. | |||
| Specified | Enabled | |||
| Disabled | ||||
| Unencrypted | True | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | ||||
| Specified | Enabled | |||
| Disabled | ||||
| Unencrypted | False | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | ||||
| Specified | Enabled | |||
| Disabled |
Encryption outcomes: Encrypted parent snapshot
The following table describes the encryption outcome for each possible combination of settings when specifying an encrypted parent snapshot.
| ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
|---|---|---|---|---|
| Encrypted | Omitted | Omitted | Enabled | The snapshot is encrypted using the same KMS key as the parent snapshot. |
| Disabled | ||||
| Specified | Enabled | The request fails with ValidationException. |
||
| Disabled | ||||
| Encrypted | True | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | ||||
| Specified | Enabled | |||
| Disabled | ||||
| Encrypted | False | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | ||||
| Specified | Enabled | |||
| Disabled |
Encryption outcomes: No parent snapshot
The following tables describe the encryption outcome for each possible combination of settings when not using a parent snapshot.
| ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result |
|---|---|---|---|---|
| Omitted | True | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. * |
| Disabled | ||||
| Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. | ||
| Disabled | ||||
| Omitted | False | Omitted | Enabled | The request fails with ValidationException. |
| Disabled | The snapshot is unencrypted. | |||
| Specified | Enabled | The request fails with ValidationException. |
||
| Disabled | ||||
| Omitted | Omitted | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. * |
| Disabled | The snapshot is unencrypted. | |||
| Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn. | ||
| Disabled |
* This default KMS key could be a customer managed key or the default Amazon managed KMS key for Amazon EBS encryption.