How can I share an encrypted Amazon EBS volume with another AWS account?

Last updated: 2019-11-21

How can I share an Amazon Elastic Block Store (Amazon EBS) volume with another Amazon Elastic Compute Cloud (Amazon EC2) instance? 

Short Description

It's not possible to directly share an encrypted Amazon EBS volume with another AWS account. Instead, create and share an encrypted Amazon EBS snapshot with the destination AWS account, copy the shared snapshot, and then create a new EBS volume from the snapshot.

Resolution

1. Create an Amazon EBS snapshot.

Note: If the EBS volume is attached to an instance, stop the instance first to ensure data consistency.

2. Share the encrypted snapshot using the following example AWS Key Management Service (AWS KMS) key policy statement:

{
  "Sid": "Allow use of the key with destination account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET-ACCOUNT-ID:role/ROLENAME"
  },
  "Action": [
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "ec2.REGION.amazonaws.com",
      "kms:CallerAccount": "TARGET-ACCOUNT-ID"
    }
  }
}

Note: The AWS Identity and Access Management (IAM) user for the source account must call the ModifySnapshotAttribute action, and then use the DescribeKey and ReEncrypt actions on the key associated with the shared snapshot. This example key policy allows the target account to perform the Decrypt and CreateGrant actions on the snapshot's key with least-privilege grant permissions. The IAM user for the target account must be able to call the CreateGrant, Encrypt, Decrypt, DescribeKey, and GenerateDataKeyWithoutPlaintext actions on the key used for the CopySnapshot operation.

3. Create a copy of the shared snapshot. For more information, see Copy a Snapshot.

Note: Be sure to select a customer master key (CMK) in your AWS account, or else the default master key is used.

4. Create an EBS volume from the snapshot. For more information, see Restoring an Amazon EBS Volume from a Snapshot.

Note: Snapshots can be restored only in the AWS Region that they were created in. For EBS volumes in another Region, copy the snapshot to that Region first, and then restore the snapshot.
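As an added example, not code from the AWS article: the following Python script (standard library only) fills in the placeholders of the key policy statement from step 2, appends it to a constructed sample of the default key policy instead of replacing that policy, and reviews the result so that the source account keeps control of the key and every cross-account grant stays scoped by kms:CallerAccount and kms:ViaService. The account IDs, the role name SnapshotCopyRole and the Region are constructed sample values.

```python
import json
# Constructed sample: the default key policy of a new CMK. The source account's root
# principal must stay in it; the sharing statement is appended, never substituted.
SOURCE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "kms:*", "Resource": "*",
    }],
}

def sharing_statement(target_account, role_name, region):
    """The article's statement with its placeholders filled in for one target role."""
    if not (target_account.isdigit() and len(target_account) == 12):
        raise ValueError("AWS account id must be 12 digits")
    return {
        "Sid": "Allow use of the key with destination account",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{target_account}:role/{role_name}"},
        "Action": ["kms:Decrypt", "kms:CreateGrant"],
        "Resource": "*",  # inside a key policy, "*" means this key only
        "Condition": {"StringEquals": {
            "kms:ViaService": f"ec2.{region}.amazonaws.com",
            "kms:CallerAccount": target_account,
        }},
    }

def add_sharing_statement(policy, target_account, role_name, region):
    """Return a copy of the key policy with the sharing statement appended."""
    new_policy = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    new_policy["Statement"].append(sharing_statement(target_account, role_name, region))
    return new_policy

def review_key_policy(policy, source_account):
    """Findings: source root principal missing, or a cross-account statement not pinned
    to its own account through kms:CallerAccount and kms:ViaService."""
    findings = []
    if not any(s.get("Principal", {}).get("AWS") == f"arn:aws:iam::{source_account}:root"
               for s in policy["Statement"]):
        findings.append("source account root principal missing: key would become unmanageable")
    for s in policy["Statement"]:
        arn = s.get("Principal", {}).get("AWS", "")
        acct = arn.split(":")[4] if arn.count(":") >= 5 else ""
        cond = s.get("Condition", {}).get("StringEquals", {})
        if acct and acct != source_account and (
                cond.get("kms:CallerAccount") != acct or "kms:ViaService" not in cond):
            findings.append(f"{s.get('Sid')}: grant to account {acct} lacks CallerAccount/ViaService scoping")
    return findings
```

The reviewed policy document is what you would pass to the KMS PutKeyPolicy call for the snapshot's key in the source account.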
