How can I share an encrypted Amazon EBS volume with another AWS account?

Last updated: 2022-02-02

How can I share an encrypted Amazon Elastic Block Store (Amazon EBS) volume with another Amazon Web Services (AWS) account?

Short description

It's not possible to directly share an Amazon EBS volume, encrypted or not, with another AWS account. Instead, create an encrypted Amazon EBS snapshot of the volume and share that snapshot with the destination AWS account. The destination account then copies the shared snapshot under a key that it owns and creates a new EBS volume from the copy.

When sharing encrypted snapshots, keep the following in mind:

  • You can't share snapshots that are encrypted with the AWS managed key for Amazon EBS (aws/ebs). Snapshots that you want to share must be encrypted with a customer managed key, because the destination account must be granted access to that key.
  • You can't share encrypted snapshots publicly. To share a snapshot publicly, make sure that it's not encrypted.

For more information, see Before you share a snapshot.

Resolution

Note: To complete these steps, you must have permissions to modify volumes and snapshots, and to read and update the key policy of the customer managed key. If a copy of the shared snapshot goes into an error state, or a volume that you create from an encrypted snapshot doesn't appear in the volume list, the destination account most likely doesn't have the required permissions on the key. For more information, see Share a KMS key.

1.    Create an Amazon EBS snapshot.

Important: If the EBS volume is attached to an instance, stop the instance before you create the snapshot so that all writes are flushed to the volume and the snapshot is consistent.

2.    Share the encrypted snapshot. First, add a statement like the following example to the key policy of the customer managed key that encrypts the snapshot. Replace TARGET-ACCOUNT-ID, ROLENAME, and REGION with the values for the destination account:

{
  "Sid": "Allow use of the key with destination account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET-ACCOUNT-ID:role/ROLENAME"
  },
  "Action": [
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "ec2.REGION.amazonaws.com",
      "kms:CallerAccount": "TARGET-ACCOUNT-ID"
    }
  }
}

This example statement allows only the named role in the target account to call Decrypt and CreateGrant on the key, and only when the call is made through Amazon EC2 in that Region (kms:ViaService) from the target account (kms:CallerAccount). These conditions keep the grant to least privilege: the role can't use the key directly, only through Amazon EC2 while copying the snapshot. To grant access to the whole target account instead of one role, use arn:aws:iam::TARGET-ACCOUNT-ID:root as the principal; the target account must then also allow these actions in its own IAM policies. Because updating a key policy replaces the entire policy, add this statement to the existing policy rather than replacing the policy with this statement alone.

The AWS Identity and Access Management (IAM) user for the source account must then call the ModifySnapshotAttribute action to grant the target account createVolumePermission on the snapshot, and must be allowed to call the DescribeKey and ReEncrypt actions on the key associated with the shared snapshot. Updating the key policy and sharing the snapshot are separate steps; both are required.

The IAM user for the target account must be able to call the actions granted in the preceding example key policy (Decrypt and CreateGrant) on the key associated with the snapshot that it copies with CopySnapshot.

3.    In the target account, create a copy of the shared snapshot.

Note: Be sure to select an AWS KMS key that the target account owns for the copy. Otherwise, EBS encryption uses the default key (aws/ebs) in the target account, and a snapshot encrypted with that key can't be shared onward.

4.    Create an EBS volume from the copied snapshot.

Note: You can restore snapshots only in the AWS Region where you created the snapshot. For EBS volumes in another Region, copy the snapshot to that Region first, and then restore the snapshot.
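The following is an added example that automates steps 1 through 4 for a snapshot that already exists; it is not code from AWS or from this article. The policy helpers are pure functions that run offline; the two workflow functions take boto3 EC2 and KMS clients, so they need boto3 and credentials for each account only when run for real. The profile names, account IDs, role name, snapshot ID, and key alias are placeholders, and the refusal to share a snapshot encrypted with the AWS managed key (detected through the KeyManager field of DescribeKey) implements the restriction described above.

```python
"""Share an encrypted EBS snapshot across accounts, then copy and restore it.

Added example, not AWS's own code. Account IDs, role name, snapshot ID, key
alias and profile names below are placeholders (assumptions).
"""
import copy
import json

DEFAULT_SID = "Allow use of the key with destination account"


def cross_account_key_statement(target_account, role_name, region, sid=DEFAULT_SID):
    """Key-policy statement that lets one role in the target account use the key,
    but only through Amazon EC2 in this Region and only from that account."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{target_account}:role/{role_name}"},
        "Action": ["kms:Decrypt", "kms:CreateGrant"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:ViaService": f"ec2.{region}.amazonaws.com",
                "kms:CallerAccount": target_account,
            }
        },
    }


def add_statement(policy, statement):
    """Return a copy of `policy` with `statement` appended, replacing any existing
    statement with the same Sid. PutKeyPolicy overwrites the whole policy, so the
    existing statements must be carried over or the key administrators lose access."""
    merged = copy.deepcopy(policy)
    statements = merged.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    merged["Statement"] = statements
    return merged


def sharing_blocker(snapshot, key_metadata):
    """Reason the snapshot can't be shared across accounts, or None if it can.
    `snapshot` is a DescribeSnapshots entry, `key_metadata` a DescribeKey KeyMetadata."""
    if not snapshot.get("Encrypted"):
        return None  # unencrypted snapshots share without any key policy change
    if key_metadata.get("KeyManager") == "AWS":
        return "snapshot is encrypted with the AWS managed key (aws/ebs); copy it under a customer managed key first"
    if key_metadata.get("KeyState") != "Enabled":
        return f"key {key_metadata.get('KeyId')} is {key_metadata.get('KeyState')}, not Enabled"
    return None


def share_snapshot(ec2, kms, snapshot_id, target_account, role_name, region):
    """Source account: extend the key policy, then grant createVolumePermission."""
    snap = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
    key_meta = {}
    if snap.get("Encrypted"):
        key_meta = kms.describe_key(KeyId=snap["KmsKeyId"])["KeyMetadata"]
    problem = sharing_blocker(snap, key_meta)
    if problem:
        raise ValueError(problem)
    if snap.get("Encrypted"):
        current = json.loads(kms.get_key_policy(KeyId=key_meta["KeyId"], PolicyName="default")["Policy"])
        merged = add_statement(current, cross_account_key_statement(target_account, role_name, region))
        kms.put_key_policy(KeyId=key_meta["KeyId"], PolicyName="default", Policy=json.dumps(merged))
    # Sharing the snapshot itself is a separate step from granting key access.
    ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[target_account])
    return key_meta.get("Arn")


def copy_and_restore(ec2, shared_snapshot_id, source_region, own_key_id, availability_zone):
    """Target account: copy the shared snapshot under a key this account owns
    (never the default aws/ebs key), then restore a volume from the copy."""
    copy_id = ec2.copy_snapshot(SourceRegion=source_region, SourceSnapshotId=shared_snapshot_id,
                                Encrypted=True, KmsKeyId=own_key_id,
                                Description=f"copy of shared {shared_snapshot_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    volume = ec2.create_volume(SnapshotId=copy_id, AvailabilityZone=availability_zone,
                               Encrypted=True, KmsKeyId=own_key_id)
    return copy_id, volume["VolumeId"]


if __name__ == "__main__":
    import boto3  # real clients; placeholder profiles "source" and "target" are assumptions
    region = "us-east-1"
    src = boto3.Session(profile_name="source")
    share_snapshot(src.client("ec2", region_name=region), src.client("kms", region_name=region),
                   "snap-0123456789abcdef0", "111122223333", "SnapshotReader", region)
    dst = boto3.Session(profile_name="target")
    print(copy_and_restore(dst.client("ec2", region_name=region), "snap-0123456789abcdef0",
                           region, "alias/ebs-restore", f"{region}a"))
```

The source-side function reads the existing key policy and merges the new statement into it because PutKeyPolicy replaces the whole policy; writing only the sharing statement would lock out the key's administrators. The copy in the target account must run in the Region where the shared snapshot lives, which matches the note above about cross-Region restores.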

