How do I resolve issues with deleting my Amazon EBS snapshot?


I'm trying to delete my Amazon Elastic Block Store (Amazon EBS) snapshot, but I can't. How do I resolve this issue?

Short description

The following are common reasons why Amazon EBS snapshot deletion fails:

  • The AWS Identity and Access Management (IAM) user or role doesn't have permission to run the DeleteSnapshot API action.
  • Another account owns the snapshot and shares it with your AWS account.
  • The snapshot of the EBS volume root device is used by a registered Amazon Machine Image (AMI).
  • The snapshot is in the Recycle Bin.
  • The snapshot is created in AWS Backup, or the snapshot that's created in AWS Backup is restored from the Recycle Bin.
  • The snapshot is created using Amazon Data Lifecycle Manager and is in or restored from the Recycle Bin.
  • DeleteSnapshot API results aren't immediately visible to subsequent commands.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

The IAM user or role doesn't have permission to run the DeleteSnapshot API action

In AWS CloudTrail, you receive the error message: "You are not authorized to perform this operation. Encoded authorization failure message: Bght_tAZ......"

To decode the authorization failure message, run the following command:

$ aws sts decode-authorization-message --encoded-message encoded_message

Note: Replace encoded_message with the encoded authorization failure message that you received.

You can also use the IAM policy simulator to troubleshoot. Check the policy that's related to the IAM user or role to see if it has a rule that denies the ec2:DeleteSnapshot action.

Example JSON policy that denies the ec2:DeleteSnapshot action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "*"
    }
  ]
}

Also, check for rules that deny any conditions that must be satisfied for the operation to complete, such as ec2:SnapshotID. Update the IAM user or role policy to allow snapshot deletion.

For a list of related condition keys, see the DeleteSnapshot section of Actions, resources, and condition keys for Amazon EC2.
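The decoded result is a JSON document whose DecodedMessage value is itself JSON serialized as a string, so it has to be parsed twice before you can see whether the denial was explicit and which statement matched. The following is an added example, not AWS's code: the sample output is constructed, and the inner field names (allowed, explicitDeny, matchedStatements, context) are assumed from the typical shape of a decoded message.

```python
import json

# Constructed sample of `aws sts decode-authorization-message` output.
# Inner field names are an assumption based on the typical decoded message.
_DECODED = {
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [{"statementId": "VisualEditor0", "effect": "DENY"}]},
    "context": {
        "principal": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "action": "ec2:DeleteSnapshot",
        "resource": "arn:aws:ec2:us-east-1::snapshot/snap-abcdef1234567890",
    },
}
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps(_DECODED)})


def summarize_denial(cli_output: str) -> dict:
    """Reduce the CLI output to the facts needed to fix the policy."""
    outer = json.loads(cli_output)
    inner = json.loads(outer["DecodedMessage"])  # second parse: nested JSON string
    ctx = inner.get("context", {})
    stmts = inner.get("matchedStatements", {}).get("items", [])
    return {
        "allowed": inner.get("allowed", False),
        # An explicit Deny needs a policy edit; otherwise an Allow is missing.
        "reason": "explicit deny" if inner.get("explicitDeny") else "no matching allow",
        "statement_ids": [s.get("statementId") for s in stmts],
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
    }


if __name__ == "__main__":
    for key, value in summarize_denial(SAMPLE_CLI_OUTPUT).items():
        print(f"{key}: {value}")
```

An "explicit deny" result points at a Deny statement like the example policy above. A "no matching allow" result means no attached policy grants ec2:DeleteSnapshot for that resource.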

The snapshot is owned and shared by a different AWS account

You receive the error message: "The snapshot 'snap-abcdef1234567890' does not exist."

You can't delete a snapshot from your account that another account owns and shares with your account. If you have access to the account that owns the snapshot, then you can delete it. If not, then you must contact the owner of that account.

To check the owner of the snapshot, run the following describe-snapshots AWS CLI command:

$ aws ec2 describe-snapshots --snapshot-ids snap-abcdef1234567890

Note: Replace snap-abcdef1234567890 with your snapshot's ID.

You can also find information about the snapshot in the Amazon Elastic Compute Cloud (Amazon EC2) console. For more information, see View Amazon EBS snapshot information.

If you own the snapshot and want to revoke sharing the snapshot with other accounts, then follow these steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Snapshots.
  3. Select the snapshot that you shared, and then choose Actions, Modify permissions.
  4. Under Shared accounts, select the account ID of the account that you want to revoke snapshot sharing from. Then, choose Remove selected.
  5. Choose Save changes.

The snapshot of the Amazon EBS volume root device is used by a registered AMI

You receive the error message: "The snapshot 'snap-abcdef1234567890' is currently in use by ami-abcdef1234567890."

Use the AWS Management Console or AWS CLI to deregister your AMI. Then, delete the snapshot.

You can find the AMI ID in the error message. Or, you can run the following describe-snapshots AWS CLI command:

$ aws ec2 describe-snapshots --snapshot-ids snap-abcdef1234567890

You can find the AMI ID in the Description section:

{
  "Snapshots": [
    {
      "Description": "Created by CreateImage(i-abcdef1234567890) for ami-abcdef1234567890",
      "Encrypted": false,
      "OwnerId": "111122223333",
      "Progress": "100%",
      "SnapshotId": "snap-abcdef1234567890",
      "StartTime": "2022-11-12T03:15:16.272000+00:00",
      "State": "completed",
      "VolumeId": "vol-abcdef1234567890",
      "VolumeSize": 8,
      "StorageTier": "standard"
    }
  ]
}

The snapshot is in the Recycle Bin

You receive the error message: "An error occurred (InvalidSnapshot.NotFound) when calling the DeleteSnapshot operation. The snapshot 'snap-abcdef1234567890' does not exist."

If you delete a snapshot using the AWS CLI and receive the preceding error message, then the snapshot might be in the Recycle Bin. You can't delete a snapshot that's in the Recycle Bin. The snapshot is deleted only when the retention period expires.

To check if the snapshot is in the Recycle Bin, run the list-snapshots-in-recycle-bin AWS CLI command:

$ aws ec2 list-snapshots-in-recycle-bin --snapshot-ids snap-abcdef1234567890 --region region

Note: Replace region with your AWS Region.

Example output:

{
  "Snapshots": [
    {
      "SnapshotId": "snap-0460a240fc523552e",
      "RecycleBinEnterTime": "2022-11-13T16:33:54.707000+00:00",
      "RecycleBinExitTime": "2022-11-14T16:33:54.707000+00:00",
      "Description": "",
      "VolumeId": "vol-08d1428974b817a18"
    }
  ]
}

If you need to delete the snapshot before the retention period expires, then you can restore the snapshot from the Recycle Bin. Make sure that your IAM user or role has the correct permissions to view and recover snapshots that are in the Recycle Bin.

Then, check your AWS Region's retention rules. For a tag-level retention rule, modify the snapshot tags so that they don't match the retention rule. Then, delete the snapshot. For a Region-level rule, delete the retention rule, and then delete the snapshot. Deleting the retention rule doesn't affect the other snapshots in the Recycle Bin.

The snapshot is created in AWS Backup, or the snapshot that's created in AWS Backup was restored from the Recycle Bin

You receive the error message: "snap-abcdef1234567890 This snapshot is managed by AWS Backup service and cannot be deleted via EC2 APIs. If you wish to delete this snapshot, please do so via the Backup console."

You can't use the Amazon EC2 console or AWS CLI to delete a snapshot that's created and managed in AWS Backup. You must delete the snapshot from the AWS Backup console. Note the snapshot ID, and then follow the steps for Deleting backups.

However, you can't use the AWS Backup console to delete a snapshot that's created in AWS Backup, sent to the Recycle Bin, and then restored. You must delete the snapshot using the Amazon EC2 console or AWS CLI.

The snapshot is created using Amazon Data Lifecycle Manager and is stored in the Recycle Bin

Amazon Data Lifecycle Manager doesn't manage snapshots in the Recycle Bin that are created using Amazon Data Lifecycle Manager or snapshot policies. You must use the Amazon EC2 console or AWS CLI to delete the snapshot.

DeleteSnapshot API results aren't immediately visible to subsequent commands

All Amazon EC2 APIs follow an eventual consistency model. This means that when you use the DeleteSnapshot API, the results might not be immediately visible to subsequent commands that you run.

To check the status of a recently deleted snapshot, run the following describe-snapshots AWS CLI command:

$ aws ec2 describe-snapshots --region region --snapshot-ids snap-abcdef1234567890

If you receive the following error message, then the snapshot is successfully deleted: "An error occurred (InvalidSnapshot.NotFound) when calling the DescribeSnapshots operation: The snapshot 'snap-abcdef1234567890' does not exist."
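The "does not exist" message appears in several of the cases above (Recycle Bin, already deleted), so the CLI checks have to be combined to tell them apart. The following added example, which is not AWS's code, applies the article's checks in order to parsed describe-snapshots and list-snapshots-in-recycle-bin output; the triage function, its labels, and the sample inputs are constructed for illustration.

```python
import re

AMI_RE = re.compile(r"\bami-[0-9a-f]+\b")

# Constructed inputs, shaped like the describe-snapshots and
# list-snapshots-in-recycle-bin outputs shown in this article.
DESCRIBE_OUT = {"Snapshots": [{
    "SnapshotId": "snap-abcdef1234567890",
    "OwnerId": "111122223333",
    "Description": "Created by CreateImage(i-abcdef1234567890) for ami-abcdef1234567890",
}]}
BIN_OUT = {"Snapshots": [{
    "SnapshotId": "snap-0460a240fc523552e",
    "RecycleBinExitTime": "2022-11-14T16:33:54.707000+00:00",
}]}


def triage(snapshot_id, caller_account, describe_out, recycle_bin_out):
    """Return (cause, detail) for a snapshot that DeleteSnapshot refused.

    describe_out and recycle_bin_out are the parsed JSON bodies of the two
    CLI commands, or None when the call failed with InvalidSnapshot.NotFound.
    """
    binned = [s for s in (recycle_bin_out or {}).get("Snapshots", [])
              if s["SnapshotId"] == snapshot_id]
    if binned:
        # Held until the retention period expires or the snapshot is restored.
        return "in-recycle-bin", binned[0]["RecycleBinExitTime"]
    live = [s for s in (describe_out or {}).get("Snapshots", [])
            if s["SnapshotId"] == snapshot_id]
    if not live:
        return "deleted-or-unknown-id", None
    snap = live[0]
    if snap["OwnerId"] != caller_account:
        # Shared snapshot: only the owning account can delete it.
        return "owned-by-other-account", snap["OwnerId"]
    ami = AMI_RE.search(snap.get("Description", ""))
    if ami:
        # The AMI must be deregistered before the snapshot can be deleted.
        return "possibly-used-by-ami", ami.group(0)
    return "check-iam-or-aws-backup", None


if __name__ == "__main__":
    print(triage("snap-abcdef1234567890", "111122223333", DESCRIBE_OUT, None))
    print(triage("snap-0460a240fc523552e", "111122223333", None, BIN_OUT))
```

The AMI match comes from the Description text only, so confirm that the AMI is still registered before you deregister anything.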


AWS OFFICIAL
Updated a year ago