Copying Amazon EC2 Snapshots to a Different AWS Account

You can copy Amazon EC2 snapshots to a different AWS account.

Amazon EC2 snapshots are vulnerable to attacks and mistakes. To secure snapshots, you can copy them to a separate AWS account. In managed environments, this separate account can be managed by a service provider.

Copies of snapshots are independent of the source snapshots, so you can restore data from copies even when the source snapshot or source Amazon EC2 instance is deleted.

To copy snapshots to a different account, copy them to the target geographic region, and then copy them to the destination account.

Live browse from a replicated snapshot copy is not supported.

Verify that Your Environment Meets the Requirements

  • To copy encrypted snapshots, the user must have a key with alias cvlt-ec2 or cvlt-master at the destination region.

  • If the user is using the key with a different alias, then the user must create a tag for the KMS key with the tag name cvlt-ec2 or cvlt-master at the destination region.

  • The AWS account that you want to copy the snapshots to must have the following permissions:

    • kms:CreateGrant

    • kms:Encrypt

    • kms:Decrypt

    • kms:ReEncrypt*

    • kms:GenerateDataKey*

    • kms:DescribeKey

Configure Encryption Key Sharing in the AWS Console

  1. Log on to the AWS Console as the user or or with a role associated with the account that contains the snapshots.

  2. On the ribbon, clickServices.

  3. ClickKey Management Service.

  4. Under Key users, select a key:

    • If you select a key that is tagged with cvlt-ec2 or cvlt-master, you can add another account by adding the account root in JSON.

    • If you select your own custom key, complete the following steps:

      1. Under Other AWS accounts, click Add Other AWS Account. The Other AWS accounts page appears.
      2. In the arn:aws:iam:: box, enter the number of the AWS account that you want to copy the snapshots to.
      3. Click Save changes.
  5. Click Save changes.

Configure Snapshot Replication in Commvault

  1. From the Command Center navigation pane, go to Protect > Virtualization.

    The Virtual machines page appears.

  2. On the VM groups tab, click the VM group that contains the snapshots that you want to copy.

    The VM group page appears.

  3. On the Configuration tab, in the Snapshot section, move the Cross account operations toggle key to the right.

    The Cross account operations dialog box displays.

  4. Select Full Copy.

  5. For Destination account, select the account to copy the snapshots to.

    The next auxiliary copy job copies the snapshots.