How can I share an encrypted Amazon EBS volume with another AWS account?

Last updated: 2020-09-18

How can I share an Amazon Elastic Block Store (Amazon EBS) volume with another Amazon Web Services (AWS) account?

Short description

It's not possible to directly share an encrypted Amazon EBS volume with another AWS account. Instead, create and share an encrypted Amazon EBS snapshot with the destination AWS account. Then, create a new EBS volume from a copy of the shared snapshot.

Resolution

1. Create an Amazon EBS snapshot.

Important: If the EBS volume is attached to an instance, stop the instance before taking the snapshot to ensure data consistency.

2. Share an encrypted snapshot using the following example AWS Key Management Service (AWS KMS) key policy:

{
  "Sid": "Allow use of the key with destination account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET-ACCOUNT-ID:role/ROLENAME"
  },
  "Action": [
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "ec2.REGION.amazonaws.com",
      "kms:CallerAccount": "TARGET-ACCOUNT-ID"
    }
  }
}

This example key policy allows the destination account's role to call the Decrypt and CreateGrant actions on the key, and the conditions restrict those calls to requests made through Amazon EC2 in the given Region from the target account, which keeps the grant to least privilege.

The AWS Identity and Access Management (IAM) user in the source account must first be able to call the ModifySnapshotAttribute action to share the snapshot, and must be able to call the DescribeKey and ReEncrypt actions on the key associated with the shared snapshot.

The IAM user for the target account must be able to call the following actions on the key associated with CopySnapshot:

3. Create a copy of the shared snapshot.

Note: Be sure to select a customer master key (CMK) in your AWS account, otherwise EBS encryption uses the default key.

4. Create an EBS volume from the snapshot.

Note: You can restore snapshots only in the AWS Region in which you created the snapshot. For EBS volumes in another Region, copy the snapshot to that Region first, and then restore the snapshot.
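As an added example (not part of the original article and not AWS code), the following Python script builds the key policy statement from step 2, merges it into an existing key policy, and reviews the result before it is applied with PutKeyPolicy. The account IDs, the role name ROLENAME, the Region, and the existing key policy are constructed placeholders; the script does not call AWS.

```python
import json
import re
from copy import deepcopy

# Constructed placeholder values; not real account IDs.
SOURCE_ACCOUNT_ID = "111111111111"
TARGET_ACCOUNT_ID = "222222222222"
REGION = "us-east-1"

# Constructed: a hypothetical existing key policy containing only the usual
# statement that keeps the key-owning account's administrative access.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# The only actions the cross-account statement should grant.
ALLOWED_ACTIONS = {"kms:Decrypt", "kms:CreateGrant"}
SHARE_SID = "Allow use of the key with destination account"


def build_share_statement(target_account_id, role_name, region):
    """Return the cross-account statement from the article with the placeholders filled in."""
    return {
        "Sid": SHARE_SID,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{target_account_id}:role/{role_name}"},
        "Action": sorted(ALLOWED_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:ViaService": f"ec2.{region}.amazonaws.com",
                "kms:CallerAccount": target_account_id,
            }
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_arns(statement):
    """Return the AWS principal ARNs of a statement; a bare "*" principal becomes ["*"]."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return [principal]


def merge_statement(policy, statement):
    """Append the statement to a copy of the existing policy.

    PutKeyPolicy replaces the whole key policy, so the new statement must be
    merged into the current document; sending it alone drops the owner's
    administrative statement.
    """
    merged = deepcopy(policy)
    if statement["Sid"] in {s.get("Sid") for s in merged["Statement"]}:
        raise ValueError(f"Sid already present: {statement['Sid']}")
    merged["Statement"].append(statement)
    return merged


def review_share_statement(statement):
    """Return findings for the cross-account statement; an empty list means it matches the article's shape."""
    findings = []
    arns = _principal_arns(statement)
    if "*" in arns:
        findings.append("principal is a wildcard; name the destination role")
    extra = set(_as_list(statement.get("Action", []))) - ALLOWED_ACTIONS
    if extra:
        findings.append(f"actions beyond Decrypt/CreateGrant: {sorted(extra)}")
    conds = statement.get("Condition", {}).get("StringEquals", {})
    if not re.fullmatch(r"ec2\.[a-z0-9-]+\.amazonaws\.com", conds.get("kms:ViaService", "")):
        findings.append("kms:ViaService condition missing or not scoped to EC2 in one Region")
    caller = conds.get("kms:CallerAccount")
    if caller is None:
        findings.append("kms:CallerAccount condition missing")
    else:
        # Account ID is the fifth colon-separated field of an IAM ARN.
        principal_accounts = {a.split(":")[4] for a in arns if a.count(":") >= 5}
        if principal_accounts and caller not in principal_accounts:
            findings.append("kms:CallerAccount does not match the principal's account")
    return findings


def review_key_policy(policy, owner_account_id):
    """Check that the merged policy keeps owner administration and that the share statement is tight."""
    findings = []
    root_arn = f"arn:aws:iam::{owner_account_id}:root"
    keeps_admin = any(
        s.get("Effect") == "Allow"
        and root_arn in _principal_arns(s)
        and "kms:*" in _as_list(s.get("Action", []))
        for s in policy["Statement"]
    )
    if not keeps_admin:
        findings.append("no statement keeps kms:* for the key owner; the account could lose control of the key")
    for s in policy["Statement"]:
        if s.get("Sid") == SHARE_SID:
            findings.extend(review_share_statement(s))
    return findings


if __name__ == "__main__":
    stmt = build_share_statement(TARGET_ACCOUNT_ID, "ROLENAME", REGION)
    merged = merge_statement(EXISTING_KEY_POLICY, stmt)
    print(json.dumps(merged, indent=2))
    print("findings:", review_key_policy(merged, SOURCE_ACCOUNT_ID))
```

In practice the existing policy comes from `aws kms get-key-policy` and the merged document goes back with `aws kms put-key-policy`; the review step flags a wildcard principal, actions outside Decrypt and CreateGrant, a missing kms:ViaService or kms:CallerAccount condition, a caller-account condition that does not match the named role's account, and a merged policy that no longer keeps kms:* for the key owner.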
