From 95e610a1abb9bc69bbba7d7bf7cc33c1ac23aaa8 Mon Sep 17 00:00:00 2001
From: Adam Pippin
Date: Sun, 29 Dec 2019 11:40:44 -0800
Subject: [PATCH] license and readme
---
 LICENSE.md | 1 +
 README.md | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)
 create mode 100644 LICENSE.md
 create mode 100644 README.md
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..5b51f0a
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1 @@
+Proprietary
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..16f1037
--- /dev/null
+++ b/README.md
@@ -0,0 +1,132 @@
+# Cross Account Snapshots
+
+Two lambdas:
+
+* One to share all snapshots of a volume with a target account.
+* One to copy all snapshots shared with an account into the local account.
+
+## Source Account Setup
+
+The volume you want to manage must be encrypted with a customer managed key,
+not the default KMS key.
+
+### Lambda
+
+Create a lambda containing `share_snapshots.py`.
+
+Adjust:
+
+ * `VOLUME_ID` to the volume id you want to share the snapshots of
+ * `TARGET_ACCOUNT` to the AWS account ID of the target account you want to
+ share with
+
+### IAM
+
+Attach the following IAM policy to the role you set up for your lambda,
+replacing the `ca-central-1` region with the region you want to manage.
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowModifySnapshotAttribute",
+ "Effect": "Allow",
+ "Action": "ec2:ModifySnapshotAttribute",
+ "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
+ },
+ {
+ "Sid": "AllowManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeSnapshots"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+
+### KMS
+
+In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts"
+section. Add your target account by id.
+
+## Target Account Setup
+
+### Lambda
+
+Create a lambda containing `clone_snapshots_locally.py`.
+
+Adjust:
+
+ * `SOURCE_ACCOUNT` the source account's id
+ * `TARGET_ACCOUNT` your target account's id
+ * `KMS_KEYS` a dictionary mapping a source account KMS key arn to a KMS key arn in
+ your target account, specifying which key to reencrypt the snapshot with when
+ copying
+ * `RETENTION` a dictionary mapping strings in the description field to a number of
+ seconds to retain a snapshot after it has been detected that it was deleted
+ * `REGION` the region the source account's snapshots are located in
+
+### IAM
+
+Attach the following IAM policy to allow managing snapshots, replacing `ca-central-1`
+with the region you want to manage.
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowCopyAndDelete",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CopySnapshot",
+ "ec2:DeleteSnapshot"
+ ],
+ "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
+ },
+ {
+ "Sid": "AllowReadAndTag",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DescribeSnapshots"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+
+Add the following IAM policy to allow use of the shared KMS key from the source account,
+replacing the resource arn with the arn of your source account's key:
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowUseOfKey",
+ "Effect": "Allow",
+ "Action": [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ "kms:CreateGrant"
+ ],
+ "Resource": [
+ "arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd"
+ ]
+ }
+ ]
+ }
+
+## Test
+
+ 1. Run the lambda in your source account, it should output that it has shared several snapshots.
+ 2. Run the lambda in your target account, it should output that it has copied several snapshots.
+
+## Run Automatically
+
+Set up CloudWatch Events triggers to run your lambdas on a schedule.