# Cross Account Snapshots

Two lambdas:

* One to share all snapshots of a volume with a target account.
* One to copy all snapshots shared with an account into the local account.
## Source Account Setup

The volume you want to manage must be encrypted with a customer managed key,
not the default KMS key (snapshots encrypted with the AWS managed default key
cannot be shared with another account).
### Lambda

Create a lambda containing `share_snapshots.py`.

Adjust:

* `VOLUME_ID` to the volume id you want to share the snapshots of
* `TARGET_ACCOUNT` to the AWS account ID of the target account you want to
  share with
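The sharing step the lambda performs, as an added example (this is not the repository's `share_snapshots.py`): it lists the volume's completed snapshots, skips those the target account can already use, and adds a `createVolumePermission` for exactly that one account id. It takes a boto3-style EC2 client as an argument so it can be run offline against the stub at the bottom; `VOLUME_ID`, `TARGET_ACCOUNT` and the stub's snapshot ids are placeholders.

```python
"""Share completed snapshots of one EBS volume with one AWS account (added
example, not the repository's share_snapshots.py). Takes a boto3-style EC2
client so it runs offline against the stub below; the constants are placeholders."""
VOLUME_ID = "vol-0123456789abcdef0"  # placeholder volume id
TARGET_ACCOUNT = "111122223333"      # placeholder target account id


def share_volume_snapshots(ec2, volume_id=VOLUME_ID, target_account=TARGET_ACCOUNT):
    """Add createVolumePermission for target_account on each completed snapshot of
    volume_id. Already-shared snapshots are skipped, so scheduled runs are idempotent."""
    newly_shared = []
    kwargs = {"OwnerIds": ["self"],
              "Filters": [{"Name": "volume-id", "Values": [volume_id]},
                          {"Name": "status", "Values": ["completed"]}]}
    while True:  # follow NextToken: the real API pages large result sets
        resp = ec2.describe_snapshots(**kwargs)
        for snap in resp["Snapshots"]:
            sid = snap["SnapshotId"]
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=sid, Attribute="createVolumePermission")
            already = {p.get("UserId") for p in attr["CreateVolumePermissions"]}
            if target_account in already:
                continue
            # Share with exactly one account id; never Group="all", which
            # would make the snapshot public.
            ec2.modify_snapshot_attribute(
                SnapshotId=sid, Attribute="createVolumePermission",
                OperationType="add", UserIds=[target_account])
            newly_shared.append(sid)
        if not resp.get("NextToken"):
            return newly_shared
        kwargs["NextToken"] = resp["NextToken"]

def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module loads without it."""
    import boto3
    shared = share_volume_snapshots(boto3.client("ec2"))
    print(f"shared {len(shared)} snapshot(s): {shared}")
    return {"shared": shared}

class FakeEC2:
    """Constructed offline stub: one page, two snapshots, the first already shared."""
    def __init__(self):
        self.perms = {"snap-aaa": ["111122223333"], "snap-bbb": []}
    def describe_snapshots(self, **kw):
        return {"Snapshots": [{"SnapshotId": s} for s in self.perms]}
    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"CreateVolumePermissions": [{"UserId": u} for u in self.perms[SnapshotId]]}
    def modify_snapshot_attribute(self, **kw):
        self.perms[kw["SnapshotId"]].extend(kw["UserIds"])
```

The four EC2 calls used here are exactly the actions granted by the IAM policy in the next section.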

### IAM

Attach the following IAM policy to the role you set up for your lambda,
replacing the `ca-central-1` region with the region you want to manage.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowModifySnapshotAttribute",
            "Effect": "Allow",
            "Action": "ec2:ModifySnapshotAttribute",
            "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
            "Sid": "AllowManageSnapshots",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
```
### KMS

In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts"
section. Add your target account by id.
## Target Account Setup

### Lambda

Create a lambda containing `clone_snapshots_locally.py`.

Adjust:

* `SOURCE_ACCOUNT`: the source account's id
* `TARGET_ACCOUNT`: your target account's id
* `KMS_KEYS`: a dictionary mapping a source account KMS key arn to a KMS key arn in
  your target account, specifying which key to re-encrypt the snapshot with when
  copying
* `RETENTION`: a dictionary mapping strings in the description field to a number of
  seconds to retain a snapshot after it has been detected that it was deleted
* `REGION`: the region the source account's snapshots are located in
### IAM

Attach the following IAM policy to allow managing snapshots, replacing `ca-central-1`
with the region you want to manage.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopyAndDelete",
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
            "Sid": "AllowReadAndTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
```
Add the following IAM policy to allow use of the shared KMS key from the source account,
replacing the resource arn with the arn of your source account's key:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd"
            ]
        }
    ]
}
```
## Test

1. Run the lambda in your source account; it should output that it has shared several snapshots.
2. Run the lambda in your target account; it should output that it has copied several snapshots.
## Run Automatically

Set up CloudWatch Events triggers to run your lambdas on a schedule.