How can I use the AWSSupport-ModifyEBSSnapshotPermission runbook to modify the permissions of snapshots?

3 分钟阅读

I want to use the AWS Systems Manager Automation runbook AWSSupport-ModifyEBSSnapshotPermission to modify the permissions of multiple snapshots from Public to Private or share snapshots with other accounts.

Short description

You can use the AWSSupport-ModifyEBSSnapshotPermission Systems Manager automation runbook to do the following:

  • Modify the permissions of multiple snapshots from Public to Private.
  • Share snapshots with other accounts.

You can't share a snapshot that's encrypted with the default AWS Key Management Service (AWS KMS) managed key. However, this runbook allows you to share snapshots that are encrypted with the AWS KMS customer managed key with another account. You can share these snapshots publicly with all other AWS accounts, or privately with specific AWS accounts. Users that you authorized can use the shared snapshots to create their own Amazon Elastic Block Store (Amazon EBS) volumes. Doing this doesn't affect your original snapshot. For more information on how to modify Amazon EBS snapshot permissions, see Share an Amazon EBS snapshot.


Check the prerequisites

Before you run the automation, make sure that your AWS Identity and Access Management (IAM) user or the role has the following permissions:

  • ssm:StartAutomationExecution
  • ssm:GetAutomationExecution
  • ec2:DescribeSnapshots
  • ec2:ModifySnapshotAttribute

For more information, see AWSSupport-ModifyEBSSnapshotPermission.

Note: If you're sharing an encrypted snapshot with another account, share the AWS KMS key with the destination account.

Run the Systems Manager automation runbook

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, enter AWSSupport-ModifyEBSSnapshotPermission.
  4. Select the AWSSupport-ModifyEBSSnapshotPermission document.
  5. Choose Execute automation.
  6. For the input parameters, enter the following:
  • SnapshotIds (required): The IDs of Amazon EBS snapshots that you want to share or modify permissions of.
  • Private (required): Select No if you want to share the snapshot with specific account IDs and are providing these account IDs in the AccountIds parameter section.
  • AutomationAssumeRole (optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that runs this document.
  • AccountIds (optional): The list of account IDs for accounts that you want to share the snapshot with.
  • AccountPermissionOperation (optional): Account level permissions - select "add", "remove", or "none".
  1. Choose Execute to initiate the automation.

After the automation is completed, review the Outputs section for detailed results:

  • MakePrivate.Results: If you selected Yes for Private, then this field includes the SnapshotID and result of the operation.
  • SharedOtherAccounts.Result: If you specified AccountPermissionOperation, then this field includes the result of that operation.
  • MakePrivate.Commands: This field includes the command that was used to modify the permissions of the EBS snapshot.
  • ValidateSnapshots.EncryptedSnapshots: This field displays the list of encrypted snapshots that are passed as inputs to share with other accounts.

View the snapshot with updated permissions

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, under Elastic Block Store, choose Snapshots.
  3. Select the snapshot that you used before.

Related information

Run an automation

Setting up Automation

Systems Manager Automation runbook reference

AWS 官方
AWS 官方已更新 10 个月前