Creating a Snapshot Copy of Amazon EC2 in a Different Account

Amazon EC2 snapshots are vulnerable if the production Amazon account hosting the EC2 instances is compromised. In case of a security incident, a malicious user can delete the snapshots by gaining access to the production account, or the snapshots can be affected by ransomware. In certain cases, the snapshots might be deleted by the user accidentally or by a malfunctioning script.

As an additional security measure, you can copy the Amazon EC2 snapshots to an alternate Amazon account, which is separate from the production account. This operation makes a copy of the snapshot that is independent of the source snapshot. You can restore data from the copied snapshot even if the source snapshot or the source EC2 instance is deleted, thereby providing an additional layer of security or air gap.

You copy the snapshot to a different account by copying the snapshot to the target geographic region first, and then to the destination account.

In managed environments, this separate account can also be managed by a Service Provider for further isolation.

Support

  • Copy Amazon EC2 snapshot to a different account.

  • Copy encrypted snapshots to a different account.

Before You Begin

  • To replicate a copy of encrypted EC2 snapshots, the destination region must have a KMS key with the alias cvlt-ec2 or cvlt-master. If you use a key with a different alias, then you must tag that KMS key at the destination region with the tag name cvlt-ec2 or cvlt-master.

  • Verify that the destination account user has the following permissions:

    • kms:CreateGrant

    • kms:Encrypt

    • kms:Decrypt

    • kms:ReEncrypt*

    • kms:GenerateDataKey*

    • kms:DescribeKey

  • Configure encryption key sharing in the AWS console:

    1. Make a note of the AWS Account ID of the account that you are sharing the EC2 snapshots to.

    2. Log on to the AWS Console as the user, or with a role, associated with the account that is sharing the snapshot.

    3. From the AWS Console ribbon, click Services.

    4. Click Key Management Service.

    5. Under Key users, select the key tagged with cvlt-ec2 or cvlt-master.

    6. Under Other AWS accounts, click Add Other AWS Account.

      The Other AWS accounts page appears.

    7. In the arn:aws:iam:: box, enter the account number of the destination account with which you are sharing the snapshot.

    8. Click Save changes.
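The console steps above end up as Allow statements in the key's policy. As an added check that is not part of this page or of the Commvault product, the following Python reads such a key policy document and reports which of the permissions listed above the destination account is not granted. The sample policy and its account IDs are constructed placeholders; fetching the live policy (for example with the KMS GetKeyPolicy API) is assumed to happen separately.

```python
import json
from fnmatch import fnmatch

# Permissions this page says the destination account needs on the shared KMS key.
REQUIRED_ACTIONS = {
    "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
    "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()

def allowed_actions(policy, account_id):
    """Actions that Allow statements grant to the account root principal.
    Conditions are not evaluated, so a conditioned Allow still counts; review those by hand."""
    matches = {f"arn:aws:iam::{account_id}:root", account_id, "*"}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and matches & _principals(stmt):
            granted |= set(_as_list(stmt.get("Action", [])))
    return granted

def missing_permissions(policy, account_id):
    """Required actions no Allow statement covers (wildcards such as kms:* are honoured)."""
    granted = allowed_actions(policy, account_id)
    return {need for need in REQUIRED_ACTIONS if not any(fnmatch(need, g) for g in granted)}

# Constructed sample key policy: 111111111111 gets the full set, 222222222222 lacks CreateGrant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for account in ("111111111111", "222222222222"):
        print(account, "missing:", sorted(missing_permissions(SAMPLE_POLICY, account)) or "none")
```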

Procedure

  1. From the CommCell Browser, go to Client Computers > client > Virtual Server > Amazon, and then click the instance.

  2. Right-click the subclient, and then select Properties.

    The Subclient Properties dialog box appears.

  3. On the IntelliSnap Operations tab, select the snapshot copying options:

    1. Select the IntelliSnap check box.

    2. From the Secondary Snap Copy list, select a secondary snapshot copy.

    3. Under Region Map, from the Source Region and Destination Region lists, select the source and target regions.

      You can map only one destination region to each configured source region per subclient.

    4. Click Add Region to save the region mapping in the database.

    5. To copy to a different Amazon account, complete the following steps:

      1. Select the Enable Cross Account Operations check box.

      2. Click Create Full Copy.

      3. From the Destination Client list, select the destination client for the account.

    6. Click OK.

  4. Perform an auxiliary copy operation.
