Copy Snapshots

The Copy Snapshots action copies your EBS Snapshots to a different region and/or account.

If your snapshot is encrypted, you can choose to use the same KMS key when creating the destination snapshot, or to re-encrypt the snapshot with a different key.

When the source snapshot is unencrypted, you can choose to apply encryption to the destination snapshot by selecting a KMS key.

The Copy Snapshots action uses the following endpoints in AWS’s EC2 API:

• CopySnapshot
• CreateTags
• DescribeSnapshots
• ModifySnapshotAttribute

The following use cases do not require any new permissions:

• Copying unencrypted snapshots
• Copying and encrypting unencrypted snapshots
• Copying snapshots to a different region in the same AWS account

If these are your only scenarios then you do not need to use the AWS Console. Please return to GorillaStack and configure your rule.

The following use case does require new permissions:

• Copying encrypted snapshots to a different AWS account

These new permissions are specified in a key policy and an IAM policy in AWS. To protect your security, we do not ask to change these policies automatically on your behalf. Instead, you must update these policies yourself. Details for doing this via the AWS Console are below. These instructions assume you intend to re-encrypt your copied snapshots with a new key, as that is the most secure option.

Once you have updated these policies in AWS, the Copy Snapshots action will take care of the rest. This includes adding the destination account to the sharing permissions on the EBS Snapshot.

Key terms

1. Source Account: the AWS account that you have linked to GorillaStack and which contains the snapshot that you want to copy
2. Destination Account: the AWS account that you have linked to GorillaStack and to which you want to copy the snapshot from the source account

Step 1. Allow The Destination Account To Copy Shared Snapshots

1. Log into the source account in the AWS Console
2. Select KMS Key Management Service
3. Select Customer Managed Keys
4. Select the destination region
5. Select the key you are willing to share with the destination account — if the snapshot is encrypted, this must be the key that was used to encrypt it
6. If Switch To Policy View is visible, click it
7. Click Edit
8. Add a comma followed by a new line to the last statement in the Statement array
9. Add the following new permissions to the Statement array, after the comma
10. Replace <<arn-of-gs-role-in-source-account>> with the actual ARN from GorillaStack’s Platforms page
11. Replace <<arn-of-gs-role-in-destination-account>> with the actual ARN from GorillaStack’s Platforms page
12. Save
13. Note the key’s ARN so you can use it later as <<arn-of-key-in-source-account>>

The new permissions:

{
  "Sid": "CopySnapshotsUseSourceKeyInSourceAccount",
    "Effect": "Allow",
    "Principal": {
      "AWS": "<<arn-of-gs-role-in-source-account>>"
    },
    "Action": [
      "kms:DescribeKey",
      "kms:ReEncrypt*"
    ],
    "Resource": "*"
},
{
  "Sid": "CopySnapshotsUseSourceKeyInDestinationAccount",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<<arn-of-gs-role-in-destination-account>>"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}

Step 2: Allow The Destination Account To Access The Snapshots Using The Shared Keys

1. Log into the destination account in the AWS Console
2. Select Identity & Access Management (IAM)
3. Select Policies
4. Click Create Policy
5. Select JSON
6. Add the following new permissions
7. Change <<arn-of-key-in-source-account>> to the key ARN you noted above
8. Change <<region-of-key-in-source-account>> to the region string in the key ARN (e.g. us-east-2)
9. Save the policy with a meaningful name
10. Select Roles within Identity & Access Management (IAM)
11. Select your GorillaStack cross-account access role — the same one you see listed in GorillaStack’s Platforms page
12. Add the new policy to the role
13. Save

The new permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CopySnapshotsUseSourceKeyInDestinationAccount",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ReEncrypt*"
       ],
       "Resource": "<<arn-of-key-in-source-account>>"
     },
     {
       "Sid":
       "CopySnapshotsAttachPersistentResourcesWithSourceKeyInDestinationAccount",
       "Effect": "Allow",
       "Action": [
         "kms:CreateGrant",
         "kms:Decrypt",
         "kms:DescribeKey",
         "kms:Encrypt",
         "kms:GenerateDataKey*"
       ],
       "Resource": "<<arn-of-key-in-source-account>>",
       "Condition": {
         "Bool": {
           "kms:GrantIsForAWSResource": "true"
         },
         "ForAnyValue:StringEquals": {
           "kms:ViaService": "ec2.<<region-of-key-in-source-account>>.amazonaws.com"
         }
       }
     }
   ]
}

Step 3. Configure GorillaStack

Log into GorillaStack and create a rule with a Copy Snapshots action.

Select your source account(s) in the rule context.

Note that your destination account must not be one of your source accounts.

Select your destination account in the Snapshot Destination panel of the Copy Snapshots action.