Sharing Snapshots of Instances with a Different AWS Account

You can share snapshots of Amazon EC2 instances to a different AWS account by copying the snapshot to the target geographic region, and then by sharing the copied snapshot cross account. Tags attached to the source snapshot are not copied to the destination account or to a regional snapshot copy.

To copy the snapshots, you must map the source region to the target region.

Support for Operations

  • Replicating a snapshot from a region to the same or a different region.

  • Sharing a snapshot to a different account. If you are sharing encrypted snapshots, the KMS key must be shared with the destination account.

  • Sharing an encrypted Amazon EC2 instance snapshot that uses KMS key encryption is supported when the account is configured with an access key and secret key, or with an STS role ARN-based IAM role.

  • Live browse from a replicated snapshot copy is not supported.

Requirements

  • The source account can be configured with an STS role ARN.

  • The destination account must be configured with an STS role ARN.

  • To replicate a copy of encrypted Amazon EC2 snapshots, the user must have a key with the alias cvlt-ec2 or cvlt-master at the destination region. Alternatively, if the user is using a key with a different alias, the user must create a tag for the KMS key with the tag name cvlt-ec2 or cvlt-master at the destination region.

Verify the Destination Account Has the Necessary Permissions

Verify that the destination account user has the following permissions:

  • kms:CreateGrant

  • kms:Encrypt

  • kms:Decrypt

  • kms:ReEncrypt*

  • kms:GenerateDataKey*

  • kms:DescribeKey
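
One way to run this check offline against an exported IAM policy document. This is an added example, not Commvault or AWS code. The function name, the sample policy, and the expansion of the two wildcard entries into concrete KMS actions are assumptions of the example, and Resource, Condition and NotAction elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The six entries from the list above; the two wildcard entries are expanded
# to the concrete KMS actions they match (the expansion is this example's choice).
REQUIRED = [
    "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
]

def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_kms_actions(policy_json):
    """Return the required actions that the policy does not allow.

    An explicit Deny on an action always wins over an Allow.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    missing = []
    for action in REQUIRED:
        allowed = any(s.get("Effect") == "Allow" and _matches(action, s) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(action, s) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample policy: lacks kms:CreateGrant and explicitly denies kms:Decrypt.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Effect": "Deny", "Action": "kms:decrypt", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print("Missing:", missing_kms_actions(SAMPLE_POLICY) or "none")
```

An empty result means every listed permission is allowed by the policy as written; scoping by Resource or Condition still has to be reviewed separately.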

Configure Encryption Key Sharing in the AWS Console

  1. Log on to the AWS Console as a user associated with the access key and secret key that is configured for the Amazon EC2 client from which you will be sharing the snapshot.

  2. From the AWS Console ribbon, click Services.

  3. Click Key Management Service.

  4. Select the required destination account.

  5. Under Key users, select the key tagged with cvlt-ec2 or cvlt-master.

  6. Under Other AWS accounts, click Add Other AWS Account.

    The Other AWS accounts page appears.

  7. In the arn:aws:iam:: box, enter the account number of the destination account to which you will be sharing the snapshot.

  8. Click Save changes.

Configure Cross-Account Sharing

  1. Go to the VM group that contains the snapshots that you want to share.

    Since the server plan has replication configured, you will see the Snapshot tile in the VM group configuration.

  2. Move the Cross account operations toggle switch to the right.

    The Cross Account Operations window appears.

  3. Select Share only.

  4. Select the destination account where you want to share the snapshot.

An auxiliary copy job will run automatically based on the schedules you specified. The job will share the snapshots.
