Adam Pippin
4 years ago
2 changed files with 133 additions and 0 deletions
@@ -0,0 +1 @@
Proprietary
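Review bot: the new file consists of the single word "Proprietary", which names neither the copyright holder nor what use (if any) is permitted; if this is meant as the repository's license, spell out the holder and the terms, or name the internal policy the code falls under, so that a reader knows what they may do with it.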
@@ -0,0 +1,132 @@
# Cross Account Snapshots

Two lambdas:

* One to share all snapshots of a volume with a target account.
* One to copy all snapshots shared with an account into the local account.

## Source Account Setup

The volume you want to manage must be encrypted with a customer managed key,
not the default KMS key.

### Lambda

Create a lambda containing `share_snapshots.py`.

Adjust:

* `VOLUME_ID` to the volume id you want to share the snapshots of
* `TARGET_ACCOUNT` to the AWS account ID of the target account you want to
  share with

### IAM

Attach the following IAM policy to the role you set up for your lambda,
replacing the `ca-central-1` region with the region you want to manage.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowModifySnapshotAttribute",
          "Effect": "Allow",
          "Action": "ec2:ModifySnapshotAttribute",
          "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
          "Sid": "AllowManageSnapshots",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeSnapshotAttribute",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots"
          ],
          "Resource": "*"
        }
      ]
    }

### KMS

In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts"
section. Add your target account by id.

## Target Account Setup

### Lambda

Create a lambda containing `clone_snapshots_locally.py`.

Adjust:

* `SOURCE_ACCOUNT` the source account's id
* `TARGET_ACCOUNT` your target account's id
* `KMS_KEYS` a dictionary mapping a source account KMS key arn to a KMS key arn in
  your target account, specifying which key to reencrypt the snapshot with when
  copying
* `RETENTION` a dictionary mapping strings in the description field to a number of
  seconds to retain a snapshot after it has been detected that it was deleted
* `REGION` the region the source account's snapshots are located in

### IAM

Attach the following IAM policy to allow managing snapshots, replacing `ca-central-1`
with the region you want to manage.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowCopyAndDelete",
          "Effect": "Allow",
          "Action": [
            "ec2:CopySnapshot",
            "ec2:DeleteSnapshot"
          ],
          "Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
        },
        {
          "Sid": "AllowReadAndTag",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags",
            "ec2:DescribeSnapshots"
          ],
          "Resource": "*"
        }
      ]
    }

Add the following IAM policy to allow use of the shared KMS key from the source account,
replacing the resource arn with the arn of your source account's key:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowUseOfKey",
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "kms:CreateGrant"
          ],
          "Resource": [
            "arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd"
          ]
        }
      ]
    }

## Test

1. Run the lambda in your source account, it should output that it has shared several snapshots.
2. Run the lambda in your target account, it should output that it has copied several snapshots.

## Run Automatically

Set up CloudWatch Events triggers to run your lambdas on a schedule.
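Review bot: the source-account statement `AllowModifySnapshotAttribute` grants `ec2:ModifySnapshotAttribute` on every snapshot in the region with no condition on the account it may be shared with, although the text says the lambda only shares snapshots of `VOLUME_ID` with `TARGET_ACCOUNT`; a bug in the lambda or a compromise of its role could therefore share any snapshot in the region with any account, or make one public. Suggest narrowing it to the intended volume and recipient, for example with a `StringEquals` condition on `ec2:ParentVolume` (the volume ARN) and on `ec2:Add/userId` (the target account id), and likewise limiting the target-account `ec2:DeleteSnapshot` grant in `AllowCopyAndDelete` to snapshots carrying a tag the lambda sets itself via the `ec2:CreateTags` permission it already has, since as written it may delete any snapshot in the region. On the documentation side, the KMS policy lists only the source account's key ARN, yet `KMS_KEYS` maps each source key onto a key in the target account that `ec2:CopySnapshot` must also be allowed to use; either add those target key ARNs to the `Resource` list or state that the target keys' key policies must grant the lambda role the same `kms:` actions.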