Copying and Sharing Amazon EC2 Snapshots in the AWS Console

You can configure replication of AWS-encrypted snapshots of Amazon EC2 instances from the AWS Console.

For default-encrypted volumes, Commvault automatically converts such snapshots to custom-encrypted snapshots, and shares the snapshots with the destination account. If the cvlt keys or tags are not configured in the target region, then the snapshots of default-encrypted volumes cannot be shared with the destination account.


  1. Log on to the AWS Console as a user associated with the access key and secret key or the IAM role that is configured for the Amazon EC2 client from which you will be sharing the snapshots.

  2. In the ribbon, click Services.

  3. Click IAM.

  4. Click Users.

  5. Select the required user, and then add the kms:ListResourceTags permission to the permission policy.

    For IAM role authentication, the security policy associated with the IAM role must be updated with kms:ListResourceTags permission.

  6. In the ribbon, click Services.

  7. Click Key Management Service.

  8. Select the region to replicate the snapshots to.

  9. To use a key, do one of the following:

    • To use an existing key, add either cvlt-ec2 or cvlt-master as a tag to the key.

      When you tag a key with cvlt-ec2, Commvault uses it for all EC2 specific snapshot replication of volumes. If however, such a key does not exist, then any key tagged with cvlt-master will be used for encryption.

      If there is no key tagged with cvlt-master, then the replicated volume snapshot will be encrypted using the default encryption method of Amazon.

    • To create a new key, click Create a key, and follow the instructions to create a key.

      Specify the alias as cvlt-ec2 or cvlt-master.

      The precedence of keys is as follows: A key with the alias cvlt-ec2 has the highest precedence, followed by a key with the alias cvlt-master, followed by the key associated with the tag cvlt-ec2, with the key associated with cvlt-master having the lowest precedence. If none of the keys are found, then the replicated volume snapshot is encrypted using default encryption method of Amazon Web Services.

  10. If you used a key, verify that the key is associated with the user whose permissions were updated.