Considerations for Amazon EBS snapshot lock - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Considerations for Amazon EBS snapshot lock

  • You can lock a snapshot only if it is in the pending or completed state.

    • If you lock a snapshot while it is in the pending state, and you lock it for a specific duration, the lock duration starts only when the snapshot reaches the completed state. The snapshot can't be deleted while it is in the pending state.

    • If you lock a snapshot while it is in the pending state and the snapshot creation fails for any reason, the lock is canceled.

  • If you extend the lock duration for a snapshot that is locked in compliance mode after the cooling-off period has expired, you can't specify another cooling-off period. If you specify a cooling-off period, the request fails.

  • You can lock archived snapshots. And you can archive locked snapshots.

  • You can lock snapshots that are associated with an AMI.

  • You can deregister an AMI that has associated snapshots that are locked.

  • You can delete the KMS key used to encrypt a locked snapshot.

  • We recommend that you do not lock snapshots created by Amazon Backup. Amazon Backup already ensures that its snapshots are not deleted before their retention period expires. To add an additional layer of security for snapshots managed by Amazon Backup, we recommend that you use Amazon Backup Vault Lock. For more information, see Amazon Backup Vault Lock.

  • You can't lock snapshots during creation or during AMI registration.

  • You can't lock local Amazon EBS snapshots on Amazon Outposts.

  • The only way to delete a snapshot that is locked in compliance mode before its lock expires is to close the associated Amazon account.

    If you close your Amazon account while you have locked snapshots, Amazon suspends your account for 90 days with your snapshots intact. If you do not reopen your account within the 90 days, Amazon deletes your snapshots, even if they are locked.