The Copy Snapshots action copies your EBS Snapshots to a different region and/or account.
If your snapshot is encrypted, you can choose to use the same KMS key when creating the destination snapshot, or to re-encrypt the snapshot with a different key.
When the source snapshot is unencrypted, you can choose to apply encryption to the destination snapshot by selecting a KMS key.
The Copy Snapshots action uses the following endpoints in AWS’s EC2 API:
The following use cases do not require any new permissions:
If these are your only scenarios, you do not need to use the AWS Console. Please return to GorillaStack and configure your rule.
The following use case does require new permissions:
These new permissions are specified in two places in AWS: a key policy on the KMS key in the source account, and an IAM policy in the destination account. For your security, GorillaStack does not ask for the rights to change these policies on your behalf; you must update them yourself. Details for doing this via the AWS Console are below. These instructions assume you intend to re-encrypt your copied snapshots with a new key, as that is the most secure option.
Once you have updated these policies in AWS, the Copy Snapshots action takes care of the rest, including adding the destination account to the sharing permissions on the EBS snapshot (its createVolumePermission attribute).
Find the Statement array in the key policy.
Add the new statements to the end of the Statement array, after a comma following the last existing statement.
Change <<arn-of-gs-role-in-source-account>> to the actual ARN from GorillaStack's Platforms page.
Change <<arn-of-gs-role-in-destination-account>> to the actual ARN from GorillaStack's Platforms page.
Note the ARN of the key (<<arn-of-key-in-source-account>>); you will need it for the IAM policy in the destination account.
The new permissions:
{
"Sid": "CopySnapshotsUseSourceKeyInSourceAccount",
"Effect": "Allow",
"Principal": {
"AWS": "<<arn-of-gs-role-in-source-account>>"
},
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*"
],
"Resource": "*"
},
{
"Sid": "CopySnapshotsUseSourceKeyInDestinationAccount",
"Effect": "Allow",
"Principal": {
"AWS": "<<arn-of-gs-role-in-destination-account>>"
},
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
Change <<arn-of-key-in-source-account>> to the key ARN you noted above.
Change <<region-of-key-in-source-account>> to the region string in the key ARN (e.g. us-east-2).
The new permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CopySnapshotsUseSourceKeyInDestinationAccount",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*"
],
"Resource": "<<arn-of-key-in-source-account>>"
},
{
"Sid": "CopySnapshotsAttachPersistentResourcesWithSourceKeyInDestinationAccount",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "<<arn-of-key-in-source-account>>",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
},
"ForAnyValue:StringEquals": {
"kms:ViaService": "ec2.<<region-of-key-in-source-account>>.amazonaws.com"
}
}
}
]
}
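To make the substitution steps in both the key-policy section and the IAM-policy section mechanical, here is an added example; it is not GorillaStack's code and nothing in it comes from the GorillaStack platform. It fills the placeholders from a handful of inputs, appends the two new statements to an existing key policy without touching what is already there, and renders the IAM policy. Every input is constructed: the key ARN, the two account IDs, the GorillaStack role ARNs (the role name GorillaStackRole is hypothetical) and the one-statement existing key policy are sample values. It goes slightly beyond the instructions in two ways: it derives <<region-of-key-in-source-account>> from the key ARN instead of asking you to type it, and it refuses to emit a document that still contains a placeholder. It also reports any statement that puts the kms:GrantIsForAWSResource condition on actions other than CreateGrant, ListGrants and RevokeGrant. KMS only adds that key to the request context of those three operations, and a Bool condition on a key that is absent from the request context does not match, which is why AWS's own default key policy keeps "Allow attachment of persistent resources" as a separate statement from "Allow use of the key"; the check flags the second statement of each policy above so you can split it if your copies are denied.

```python
"""Fill the Copy Snapshots key-policy and IAM-policy placeholders and sanity-check
the result. Added example, not GorillaStack's code; all ARNs, account IDs and the
existing key policy are constructed sample values."""
import json
import re

# Constructed inputs (assumptions): use the real ARNs from the GorillaStack
# Platforms page and the real key ARN instead.
KEY_ARN = "arn:aws:kms:us-east-2:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GS_ROLE_SOURCE = "arn:aws:iam::111111111111:role/GorillaStackRole"  # hypothetical name
GS_ROLE_DEST = "arn:aws:iam::222222222222:role/GorillaStackRole"    # hypothetical name

# A minimal existing key policy in the source account (constructed).
EXISTING_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "kms:*", "Resource": "*"}]}

# The statements and policy from the instructions above, placeholders intact.
NEW_KEY_STATEMENTS = [
    {"Sid": "CopySnapshotsUseSourceKeyInSourceAccount", "Effect": "Allow",
     "Principal": {"AWS": "<<arn-of-gs-role-in-source-account>>"},
     "Action": ["kms:DescribeKey", "kms:ReEncrypt*"], "Resource": "*"},
    {"Sid": "CopySnapshotsUseSourceKeyInDestinationAccount", "Effect": "Allow",
     "Principal": {"AWS": "<<arn-of-gs-role-in-destination-account>>"},
     "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                "kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]
IAM_POLICY_TEMPLATE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CopySnapshotsUseSourceKeyInDestinationAccount", "Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:ReEncrypt*"],
     "Resource": "<<arn-of-key-in-source-account>>"},
    {"Sid": "CopySnapshotsAttachPersistentResourcesWithSourceKeyInDestinationAccount",
     "Effect": "Allow",
     "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                "kms:Encrypt", "kms:GenerateDataKey*"],
     "Resource": "<<arn-of-key-in-source-account>>",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"},
                   "ForAnyValue:StringEquals": {"kms:ViaService":
                       "ec2.<<region-of-key-in-source-account>>.amazonaws.com"}}},
]}

KEY_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]+$")
PLACEHOLDER_RE = re.compile(r"<<[a-z-]+>>")
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}


def region_from_key_arn(key_arn):
    """Take the region from the key ARN itself so it cannot disagree with the key."""
    m = KEY_ARN_RE.match(key_arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return m.group(1)


def fill_placeholders(doc, values):
    """Substitute <<name>> placeholders; refuse to emit a document with any left."""
    text = json.dumps(doc)
    for name, value in values.items():
        text = text.replace(f"<<{name}>>", value)
    leftover = sorted(set(PLACEHOLDER_RE.findall(text)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(text)


def merge_key_policy(existing, new_statements):
    """Append the new statements, keep every existing one, never add a Sid twice."""
    merged = json.loads(json.dumps(existing))  # deep copy; never mutate the input
    sids = {s.get("Sid") for s in merged["Statement"]}
    for st in new_statements:
        if st["Sid"] in sids:
            raise ValueError(f"Sid already present: {st['Sid']}")
        merged["Statement"].append(st)
        sids.add(st["Sid"])
    return merged


def grant_condition_warnings(policy):
    """Sids of statements that condition non-grant actions on kms:GrantIsForAWSResource,
    a key KMS only supplies for CreateGrant, ListGrants and RevokeGrant requests."""
    flagged = []
    for st in policy["Statement"]:
        if "kms:GrantIsForAWSResource" not in st.get("Condition", {}).get("Bool", {}):
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a not in GRANT_ACTIONS for a in actions):
            flagged.append(st["Sid"])
    return flagged


def render_policies(key_arn=KEY_ARN, role_src=GS_ROLE_SOURCE, role_dst=GS_ROLE_DEST,
                    existing=EXISTING_KEY_POLICY):
    """Return (updated key policy, IAM policy) ready to paste into the console."""
    values = {"arn-of-gs-role-in-source-account": role_src,
              "arn-of-gs-role-in-destination-account": role_dst,
              "arn-of-key-in-source-account": key_arn,
              "region-of-key-in-source-account": region_from_key_arn(key_arn)}
    key_policy = merge_key_policy(existing, fill_placeholders(NEW_KEY_STATEMENTS, values))
    return key_policy, fill_placeholders(IAM_POLICY_TEMPLATE, values)
```

Call render_policies() with your real key ARN and role ARNs, print each result with json.dumps(..., indent=2), paste the first into the key policy editor for the source key and the second into a new policy on the GorillaStack role in the destination account, and run grant_condition_warnings on both before you do.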
Log into GorillaStack and create a rule with a Copy Snapshots action.
Select your source account(s) in the rule context.
Note that your destination account must not be one of your source accounts.
Select your destination account in the Snapshot Destination panel of the Copy Snapshots action.