AWS lambda functions to handle mirroring EBS snapshots in another account
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Adam Pippin 95e610a1ab license and readme 2 years ago
LICENSE.md license and readme 2 years ago
README.md license and readme 2 years ago
clone_snapshots_locally.py lambda code 2 years ago
share_snapshots.py lambda code 2 years ago

README.md

Cross Account Snapshots

Two lambdas:

  • One to share all snapshots of a volume with a target account.
  • One to copy all snapshots shared with an account into the local account.

Source Account Setup

The volume you want to manage must be encrypted with a customer managed key, not the default KMS key.

Lambda

Create a lambda containing share_snapshots.py.

Adjust:

  • VOLUME_ID to the volume id you want to share the snapshots of
  • TARGET_ACCOUNT to the AWS account ID of the target account you want to share with

IAM

Attach the following IAM policy to the role you set up for your lambda, replacing the ca-central-1 region with the region you want to manage.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowModifySnapshotAttribute",
            "Effect": "Allow",
            "Action": "ec2:ModifySnapshotAttribute",
            "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
            "Sid": "AllowManageSnapshots",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

KMS

In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts" section. Add your target account by id.

Target Account Setup

Lambda

Create a lambda containing clone_snapshots_locally.py.

Adjust:

  • SOURCE_ACCOUNT the source account's id
  • TARGET_ACCOUNT your target account's id
  • KMS_KEYS a dictionary mapping a source account KMS key arn to a KMS key arn in your target account, specifying which key to reencrypt the snapshot with when copying
  • RETENTION a dictionary mapping strings in the description field to a number of seconds to retain a snapshot after it has been detected that it was deleted
  • REGION the region the source account's snapshots are located in

IAM

Attach the following IAM policy to allow managing snapshots, replacing ca-central-1 with the region you want to manage.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopyAndDelete",
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
            "Sid": "AllowReadAndTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

Add the following IAM policy to allow use of the shared KMS key from the source account, replacing the resource arn with the arn of your source account's key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd"
            ]
        }
    ]
}

Test

  1. Run the lambda in your source account, it should output that it has shared several snapshots.
  2. Run the lambda in your target account, it should output that it has copied several snapshots.

Run Automatically

Set up CloudWatch Events triggers to run your lambdas on a schedule.