Copy an Amazon EBS snapshot
After you create a snapshot, and it has reached the completed
state, you
can copy it from one Amazon Region to another, or within the same Region. The snapshot copy
is an exact copy of the original, but it has a unique resource ID. You can copy snapshots
that you own and snapshots that are shared with you, privately or publicly. You might need
to copy a snapshot for the following use cases:
-
Geographic expansion — You need to launch your applications in a new Region.
-
Migration — You need to move an application to a new Region, to enable better availability or to minimize cost.
-
Disaster recovery — You need to back up your data and logs to secondary Regions for data redundancy purposes.
-
Encryption — You need to encrypt a previously unencrypted snapshot or reencrypt an encrypted snapshot using a different KMS key.
-
Copy a shared snapshot — You need to copy a snapshot that is shared with you.
-
Data retention and auditing requirements — You need to copy encrypted snapshots from one Amazon account to another to preserve data for auditing or data retention. Using a different account protects you if your main Amazon account is compromised.
To copy multi-volume snapshots to another Amazon Region, identify all of the snapshots that are part of that set using the tags that you assigned during creation, then individually copy the snapshots to the required Region.
For information about copying an Amazon RDS snapshot, see Copying a DB Snapshot in the Amazon RDS User Guide.
Pricing
For pricing information about copying snapshots across Amazon Regions and accounts, see
Amazon EBS Pricing
Contents
Considerations for copying snapshots
-
You can copy Amazon Web Services Marketplace, VM Import/Export, and Storage Gateway snapshots, but you must verify that the snapshot is supported in the destination Region.
-
There is a limit of
20
concurrent snapshot copy requests per destination Region. If you exceed this quota, you receive aResourceLimitExceeded
error. If you receive this error, wait for one or more of the copy requests to complete before making a new snapshot copy request. -
User-defined tags are not copied from the source snapshot to the snapshot copy. You can add user-defined tags during or after the copy operation.
-
Snapshots created by a snapshot copy operation have an arbitrary volume ID, such as
vol-ffff
orvol-ffffffff
. These arbitrary volume IDs should not be used for any purpose. -
Resource-level permissions specified for the snapshot copy operation apply only to the snapshot copy. You can't specify resource-level permissions for the source snapshot. For an example, see Example: Copying snapshots.
-
If you copy a snapshot that is enabled for fast snapshot restore, the snapshot copy is not automatically enabled for fast snapshot restore. You must explicitly enable fast snapshot restore for the snapshot copy.
-
If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
-
If you copy a snapshot to a new Region, a full (non-incremental) copy is created. This results in additional storage costs. Subsequent copies of the same snapshot are incremental.
-
If you use external or cross-Region data transfers, additional EC2 data transfer
charges will apply. If you delete any snapshots after initiation, you are still charged for the data that has already been transferred.
Destinations for snapshot copies
You can copy snapshots to Amazon Regions and to Amazon outposts, if you have outposts in your account. The allowed destinations depend on the location of the source snapshot.
-
If the source snapshot is in a Region, you can copy it within that Region, to another Region, or to an outpost associated with that Region.
-
If the source snapshot is on an Outpost, you can can't copy it.
Incremental snapshot copying
Snapshot copy operations within the same account and Region using the same KMS key are always incremental copies. However, if you encrypt the snapshot copy using a different KMS key, the copy is a full copy.
When you copy a snapshot across Regions or accounts, the copy is an incremental copy if the following conditions are met:
-
The snapshot was copied to the destination Region or account previously.
-
The most recent snapshot copy still exists in the destination Region or account.
-
The most recent snapshot copy has not been archived.
-
All copies of the snapshot in the destination Region or account are either unencrypted or were encrypted using the same KMS key.
Tip
We recommend that you tag your snapshot copies with the volume ID and creation time so that you can keep track of the most recent snapshot copy of a volume in the destination Region or account.
To see whether your snapshot copies are incremental, check the copySnapshot CloudWatch event.
Encryption and snapshot copying
Note
Amazon S3 server-side encryption (256-bit AES) protects a snapshot's data in transit during a copy operation.
You can create an encrypted snapshot copy of a source snapshot that is unencrypted. And you can encrypt a snapshot copy with a KMS key that is different from the source snapshot. However, changing the encryption status of a snapshot copy during a copy operation could result in a full (not incremental) copy, which might incur greater data transfer and storage charges.
Tip
When using an encrypted snapshot that is shared with you, we recommend that you re-encrypt the snapshot by copying it and using a KMS key that you own. This protects you if the original KMS key is compromised, or if the owner revokes your access, which could cause you to lose access to the snapshot and any encrypted volumes that you created from it.
Permissions for copying encrypted snapshots
To copy an encrypted snapshot, your user must have the following permissions to use Amazon EBS encryption.
-
-
kms:DescribeKey
-
kms:CreateGrant
-
kms:GenerateDataKey
-
kms:GenerateDataKeyWithoutPlaintext
-
kms:ReEncrypt
-
kms:Decrypt
-
-
To copy an encrypted snapshot that is shared from another Amazon account, you must have permissions to use customer managed key that was used to encrypt that snapshot. For more information, see Share the KMS key used to encrypt a shared Amazon EBS snapshot.
Encryption outcomes for snapshot copies
The following table describes the encryption outcomes when copying snapshots that you own and snapshots that are shared with you.
Encryption by default for destination Region | Source snapshot | Snapshot copy encryption outcome | Note |
---|---|---|---|
Disabled | Unencrypted | Optional encryption | If you encrypt the copy, you can specify the KMS key to use. If you encrypt
the copy but do not specify a KMS key, the Amazon managed key (aws/ebs )
is used. |
Disabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the
Amazon managed key (aws/ebs ) is used. |
Enabled | Unencrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. |
Enabled | Encrypted | Automatically encrypted | You can specify the KMS key to use. If you do not specify a KMS key, the key specified for encryption by default is used. |
Copy a snapshot
To copy a snapshot, use one of the following methods.