Naim Salameh

Reputation: 417

Copy encrypted EBS snapshot to another account

I'm trying to copy an encrypted EBS instance from one AWS account to another as part of a disaster recovery process. I'm hoping someone has done this before; I'm basically looking for a clever way to approach it. The big problem seems to be with the encryption keys. I've been able to create a k8s pod to do the "backup" automatically, but when introducing encryption it seems to break because it can't find the key.

One more note: I've familiarized myself with the sharing process, that is, the EBS is shared with a different account, then from that account I would do the copy and so forth. I found a few posts here, but nothing similar to exactly what I'm looking for.

Thanks in advance.

Upvotes: 1

Views: 1926

Answers (2)

Gaby Weiss

Reputation: 136

You can find some additional information about how to copy an encrypted EBS snapshot to another account at this link:

https://n2ws.com/how-to-guides/how-to-copy-encrypted-aws-snapshots.html

Another handy solution for AWS disaster recovery that we implemented in my company is to copy EBS snapshots from one region to another. It can be done by using the AWS Management Console or the AWS CLI.

Upvotes: 0

Rodrigo Murillo

Reputation: 13642

When you create an encrypted EBS volume, you will want to specify a custom encryption key. The key can then be shared across regions/accounts.

You must use a custom key if you want to copy the snapshot to another account.

When you start the copy operation you can specify a new key. According to AWS:

Using a new key for the copy provides an additional level of isolation between the two accounts. As part of the copy operation, the data will be re-encrypted using the new key.

Please review https://aws.amazon.com/blogs/aws/new-cross-account-copying-of-encrypted-ebs-snapshots/

Upvotes: 3
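The flow described in the answers above (share the custom key, share the snapshot, then copy under a new key from the target account), written out as an added example; it is not code from any of the posters. The function names and `Sid` values are made up for illustration, and the caller is assumed to pass boto3 `kms`/`ec2` clients for each account plus its own account ID and key identifiers.

```python
import json

def key_share_statements(target_account):
    """Key-policy statements for the source key: the target account may use it
    to read the shared snapshot, and may create grants only for AWS services."""
    principal = {"AWS": f"arn:aws:iam::{target_account}:root"}
    return [
        {"Sid": "DRCopyUseKey", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*"],
         "Resource": "*"},
        {"Sid": "DRCopyGrant", "Effect": "Allow", "Principal": principal,
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def merge_policy(policy_json, statements):
    """Add statements to an existing key policy, replacing same-Sid entries
    so that re-running the backup job does not grow the policy."""
    policy = json.loads(policy_json)
    sids = {s["Sid"] for s in statements}
    kept = [s for s in policy["Statement"] if s.get("Sid") not in sids]
    policy["Statement"] = kept + statements
    return json.dumps(policy)

def copy_encrypted_snapshot(src_kms, src_ec2, dst_ec2, *, snapshot_id, region,
                            source_key_id, target_account, target_key_arn):
    """src_* are clients in the source account, dst_ec2 is in the target account."""
    # 1. Source account: let the target account use the snapshot's custom key.
    current = src_kms.get_key_policy(KeyId=source_key_id, PolicyName="default")
    src_kms.put_key_policy(
        KeyId=source_key_id, PolicyName="default",
        Policy=merge_policy(current["Policy"], key_share_statements(target_account)))
    # 2. Source account: share the snapshot itself with the target account.
    src_ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="add", UserIds=[target_account])
    # 3. Target account: copy, re-encrypting under the target account's own key.
    copy = dst_ec2.copy_snapshot(
        SourceSnapshotId=snapshot_id, SourceRegion=region,
        Encrypted=True, KmsKeyId=target_key_arn,
        Description=f"DR copy of {snapshot_id}")
    return copy["SnapshotId"]
```

The identity that runs step 3 in the target account also needs an IAM policy allowing the same KMS actions on the source key's ARN; the key policy alone only delegates to the account.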
