Share an Amazon EBS snapshot with other Amazon accounts
You can modify the permissions of a snapshot if you want to share it with other Amazon
accounts. You can share snapshots publicly with all other Amazon accounts, or you can share
them privately with individual Amazon accounts that you specify. Users that you have authorized
can use the snapshots that you share to create their own EBS volumes, while your original
snapshot remains unaffected.
When you share a snapshot, you are giving others access to all of the data on the
snapshot. Share snapshots only with people that you trust with all of
your snapshot data.
To prevent the public sharing of snapshots, you can enable Block public access for Amazon EBS snapshots.
Before you share a snapshot
The following considerations apply to sharing snapshots:
- If block public access for snapshots is enabled for the Region, attempts to publicly share snapshots will be blocked. Snapshots can still be privately shared.
- Snapshots are constrained to the Region in which they were created. To share a snapshot with another Region, copy the snapshot to that Region and then share the copy. For more information, see Copy an Amazon EBS snapshot.
- You can't share snapshots that are encrypted with the default Amazon managed key. You can only share snapshots that are encrypted with a customer managed key. For more information, see Creating Keys in the Amazon Key Management Service Developer Guide.
- You can share only unencrypted snapshots publicly.
- When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot. For more information, see Share the KMS key used to encrypt a shared Amazon EBS snapshot.
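The considerations above can be encoded as a pre-flight check that runs before any share request is submitted. This is an added example, not code from the AWS documentation; the `Snapshot` record, its field names, the result codes, and the sample Region names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Result codes (hypothetical names used only in this example).
BPA_ENABLED = "block-public-access-enabled"
PUBLIC_ENCRYPTED = "encrypted-snapshot-cannot-be-public"
DEFAULT_KEY = "default-managed-key-cannot-be-shared"
COPY_FIRST = "copy-to-target-region-first"
SHARE_KMS_KEY = "also-share-customer-managed-key"


@dataclass
class Snapshot:
    snapshot_id: str
    region: str
    encrypted: bool
    customer_managed_key: bool = False  # meaningful only when encrypted


def check_share(snap, target_region, public, block_public_access):
    """Return (blockers, follow_ups) for a proposed share request."""
    blockers, follow_ups = [], []
    if public and block_public_access:
        blockers.append(BPA_ENABLED)        # public shares are blocked in the Region
    if public and snap.encrypted:
        blockers.append(PUBLIC_ENCRYPTED)   # only unencrypted snapshots go public
    if snap.encrypted and not snap.customer_managed_key:
        blockers.append(DEFAULT_KEY)        # default-key snapshots are never shareable
    if target_region != snap.region:
        blockers.append(COPY_FIRST)         # snapshots are Region-bound
    if snap.encrypted and snap.customer_managed_key and not public:
        follow_ups.append(SHARE_KMS_KEY)    # recipient also needs the key
    return blockers, follow_ups


# Constructed samples; the snapshot ID is the placeholder used on this page.
PLAIN = Snapshot("snap-0abcdef1234567890", "cn-north-1", encrypted=False)
DEFAULT_ENC = Snapshot("snap-0abcdef1234567890", "cn-north-1", encrypted=True)
CMK_ENC = Snapshot("snap-0abcdef1234567890", "cn-north-1", encrypted=True,
                   customer_managed_key=True)

if __name__ == "__main__":
    print(check_share(PLAIN, "cn-north-1", True, True))
    print(check_share(DEFAULT_ENC, "cn-north-1", False, False))
    print(check_share(CMK_ENC, "cn-northwest-1", False, False))
```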
Share a snapshot
You can share a snapshot publicly or with specific Amazon accounts.
- Console

  To share a snapshot

  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Snapshots.
  - Select the snapshot to share, and then choose Actions, Modify permissions.
  - Specify the snapshot's permissions. Current setting indicates the snapshot's current sharing permissions.
    - To share the snapshot publicly with all Amazon accounts, choose Public.
    - To share the snapshot privately with specific Amazon accounts, choose Private. Then, in the Sharing accounts section, choose Add account, and enter the 12-digit account ID (without hyphens) of the account to share with.
  - Choose Save changes.
- Amazon CLI

  The permissions for a snapshot are specified using the createVolumePermission attribute of the snapshot. To make a snapshot public, set the group to all. To share a snapshot with a specific Amazon account, set the user to the ID of the Amazon account.

  To share a snapshot publicly

  Use the modify-snapshot-attribute command. For --attribute, specify createVolumePermission. For --operation-type, specify add. For --group-names, specify all.

      aws ec2 modify-snapshot-attribute \
          --snapshot-id snap-0abcdef1234567890 \
          --attribute createVolumePermission \
          --operation-type add \
          --group-names all

  To share a snapshot privately

  Use the modify-snapshot-attribute command. For --attribute, specify createVolumePermission. For --operation-type, specify add. For --user-ids, specify the 12-digit IDs of the Amazon accounts with which to share the snapshots.

      aws ec2 modify-snapshot-attribute \
          --snapshot-id snap-0abcdef1234567890 \
          --attribute createVolumePermission \
          --operation-type add \
          --user-ids 123456789012 111122223333
- PowerShell

  The permissions for a snapshot are specified using the createVolumePermission attribute of the snapshot. To make a snapshot public, set the group to all. To share a snapshot with a specific Amazon account, set the user to the ID of the Amazon account.

  To share a snapshot publicly

  Use the Edit-EC2SnapshotAttribute cmdlet. For -Attribute, specify CreateVolumePermission. For -OperationType, specify Add. For -GroupName, specify all.

      Edit-EC2SnapshotAttribute `
          -SnapshotId snap-0abcdef1234567890 `
          -Attribute CreateVolumePermission `
          -OperationType Add `
          -GroupName all

  To share a snapshot privately

  Use the Edit-EC2SnapshotAttribute cmdlet. For -Attribute, specify CreateVolumePermission. For -OperationType, specify Add. For -UserId, specify the 12-digit IDs of the Amazon accounts with which to share the snapshots.

      Edit-EC2SnapshotAttribute `
          -SnapshotId snap-0abcdef1234567890 `
          -Attribute CreateVolumePermission `
          -OperationType Add `
          -UserId 123456789012, 111122223333
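Because the createVolumePermission attribute holds every grant made with the commands in this section, it can be audited against an approved account list. The following is an added example, not part of the AWS documentation: it parses JSON shaped like the output of `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` and builds a revocation command using `--operation-type remove`; neither of those appears on this page, and the function names and finding labels are assumptions.

```python
import json

# Constructed sample shaped like describe-snapshot-attribute output,
# using the placeholder snapshot and account IDs from this page.
SAMPLE = """
{
  "SnapshotId": "snap-0abcdef1234567890",
  "CreateVolumePermissions": [
    {"UserId": "123456789012"},
    {"Group": "all"},
    {"UserId": "111122223333"}
  ]
}
"""


def audit_permissions(attr_json, approved_accounts):
    """Return (kind, principal) findings for grants outside the approved set."""
    doc = json.loads(attr_json)
    findings = []
    for grant in doc.get("CreateVolumePermissions", []):
        if grant.get("Group") == "all":
            # Public share: any account can create a volume from the snapshot.
            findings.append(("PUBLIC", "all"))
        elif grant.get("UserId") not in approved_accounts:
            findings.append(("UNAPPROVED_ACCOUNT", str(grant.get("UserId"))))
    return findings


def revoke_command(snapshot_id, finding):
    """Build the modify-snapshot-attribute argv that removes one grant."""
    kind, principal = finding
    if kind == "PUBLIC":
        target = ["--group-names", "all"]
    else:
        target = ["--user-ids", principal]
    return ["aws", "ec2", "modify-snapshot-attribute",
            "--snapshot-id", snapshot_id,
            "--attribute", "createVolumePermission",
            "--operation-type", "remove"] + target


if __name__ == "__main__":
    snapshot_id = json.loads(SAMPLE)["SnapshotId"]
    for finding in audit_permissions(SAMPLE, {"123456789012"}):
        print(finding, " ".join(revoke_command(snapshot_id, finding)))
```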
Determine the use of snapshots that you share
You can use Amazon CloudTrail to monitor whether a snapshot that you have shared with others is copied or used to create a volume. CloudTrail logs an event when either action is taken on a snapshot that you have shared.
For more information about using CloudTrail, see Log Amazon EC2 and Amazon EBS API calls with Amazon CloudTrail.