Storage

Amazon EBS Encryption and Snapshot Sharing - Cross-Account and Cross-Region Design

A comprehensive guide covering default encryption setup, cross-account snapshot sharing, and cross-region copy for DR design.

約 3 分で読めます

EBS Default Encryption

Enabling EBS default encryption in the account's regional settings automatically encrypts all new EBS volumes and snapshots created in that region. Existing unencrypted volumes are not affected. You can choose between an AWS managed key (aws/ebs) or a customer managed key (CMK) for encryption. Using a CMK allows you to control access through key policies and enable automatic key rotation. The performance impact of encryption is negligible; on Nitro-based instances, hardware acceleration reduces the encryption overhead to near zero.

Cross-Account Snapshot Sharing

EBS snapshots can be shared with other AWS accounts. Unencrypted snapshots can be shared simply by specifying the account ID, but sharing encrypted snapshots requires additional configuration. You must grant the target account kms:DescribeKey, kms:CreateGrant, and kms:Decrypt permissions in the KMS key policy used for encryption. Snapshots encrypted with the AWS managed key (aws/ebs) cannot be shared, so if cross-account sharing is planned, encrypt with a CMK. When the target account creates a volume from the shared snapshot, it is recommended to re-encrypt with their own KMS key.

Cross-Region Copy and DR

Cross-region snapshot copy is a fundamental DR technique. Enabling cross-region copy in a DLM policy automatically copies snapshots to the DR region alongside daily snapshot creation. Retention generations can be configured independently for the destination region, allowing cost optimization such as retaining only the 3 most recent generations in the DR region. EBS Snapshots Archive moves infrequently accessed snapshots retained for 90 days or more to a low-cost archive tier, achieving up to 75% cost savings compared to standard storage. Restoring from the archive takes up to 72 hours, so snapshots requiring immediate recovery should remain in the standard tier. To broaden your knowledge of storage design, specialized books on Amazon can also be helpful.

EBS Snapshot Pricing

EBS snapshots use incremental backups, storing only changed blocks. Storage costs approximately $0.05 per GB/month. Cross-region copies incur storage costs in the destination region plus inter-region data transfer fees (approximately $0.02 per GB). Automate snapshot creation and deletion with DLM (Data Lifecycle Manager) and set appropriate retention periods to manage storage costs. EBS Snapshots Archive costs approximately $0.0125 per GB/month, reducing costs by 75% for snapshots retained 90 days or longer.

Summary

EBS encryption and snapshot management form the foundation of data protection and DR. Enforce encryption on all volumes with default encryption and control access with KMS keys. Build a multi-account, multi-region backup strategy through cross-account snapshot sharing and cross-region copy, and reduce long-term storage costs by up to 75% with EBS Snapshot Archive.

Related Services

Amazon EBSA block storage service that attaches to EC2 instancesAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAmazon EC2A compute service that provides virtual servers in the cloud

Related Articles

Amazon EBS Volume Design and Operations - Selection Criteria for gp3 and io2 with Snapshot StrategiesClarify the selection criteria for gp3 and io2 volume types, and learn practical IOPS/throughput design guidelines along with snapshot-based backup strategies.Confidential Computing - Isolating and Protecting Data in Use with AWS Nitro EnclavesLearn about isolated processing of sensitive data using AWS Nitro Enclaves. Covers cryptographic attestation, KMS integration, and use cases for PII processing and encryption key management.How to Choose Amazon EC2 Instances - Optimizing Instance Families and Purchase OptionsUnderstand the characteristics of instance families and the performance advantages of Graviton processors, along with guidelines for choosing between On-Demand, Reserved, and Spot purchase options.

More on This Topic

Protecting On-Premises VMware VMs with AWS Backup Gateway - A Hybrid Backup StrategyDeploy a gateway into your vSphere environment and centrally manage on-premises VMware VM backups with AWS Backup plans. Also covers cross-region copy for disaster recovery.Centralized Backup Management - Data Protection Strategy with AWS BackupLearn about centralized backup management with AWS Backup. Covers unified management of backups across multiple AWS services including EC2, RDS, DynamoDB, EFS, and S3, and how to build a data protection strategy that meets compliance requirements.Amazon EBS Volume Design and Operations - Selection Criteria for gp3 and io2 with Snapshot StrategiesClarify the selection criteria for gp3 and io2 volume types, and learn practical IOPS/throughput design guidelines along with snapshot-based backup strategies.How EBS Snapshots Are Incremental Yet Allow Full Restores - Inside Block-Level Differential ManagementDiscover how EBS snapshots can restore a complete volume from any snapshot despite being incremental backups, through block-level differential management, S3 storage structure, and fast snapshot restore internals.Building Shared File Storage with Amazon EFS - Mounting from Lambda, ECS, and EC2 with Design GuidelinesClarify the criteria for selecting performance modes and throughput modes, and learn how to optimize costs through lifecycle management with automatic tiering to the IA storage class.Choosing a Managed File System with Amazon FSx - When to Use Lustre, Windows, ONTAP, and OpenZFSCompare the four FSx file system types - Lustre, Windows, ONTAP, and OpenZFS - and learn guidelines for S3 integration and performance design.Amazon S3 Glacier Archive Strategy - Storage Class Selection and Retrieval OptionsClarify the selection criteria for Instant Retrieval, Flexible Retrieval, and Deep Archive. This guide covers automatic tiering with lifecycle policies and compliance support with Vault Lock.Hybrid Storage - Integrating On-Premises and Cloud with AWS Storage GatewayLearn about integrating on-premises and cloud storage with AWS Storage Gateway. Covers the four gateway types - S3 File Gateway, FSx File Gateway, Volume Gateway, and Tape Gateway - with use cases and deployment patterns.

Similar Articles and Services

How EBS Snapshots Are Incremental Yet Allow Full Restores - Inside Block-Level Differential ManagementDiscover how EBS snapshots can restore a complete volume from any snapshot despite being incremental backups, through block-level differential management, S3 storage structure, and fast snapshot restore internals.AWS KMSA fully managed key management service for centrally creating, managing, and rotating encryption keys, integrated with over 100 AWS servicesCentralized Backup Management with AWS Backup - Backup Plans and Cross-Region ProtectionManage backups for EC2, RDS, DynamoDB, and more under a unified policy. Covers Vault Lock WORM protection and automated restore testing.