
AWS EBS volumes recent snapshots

Last updated: 10 November 2017
Reliability

Risk level: Medium (should be achieved)

Ensure that your EBS volumes (available or in-use) have recent snapshots (taken weekly) available for point-in-time recovery for a better, more reliable data backup strategy. The threshold for the time frame between the volume snapshots is 7 days, meaning there should be a snapshot taken at least every 7 days.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Creating point-in-time EBS snapshots periodically allows you to handle data recovery efficiently in the event of a failure, save your data before shutting down an EC2 instance, back up data for geographical expansion, and keep your disaster recovery stack up to date.

Audit

To determine if you have any recent (< 7 days) snapshots available for your EBS volumes, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Snapshots.

04 Select the EBS volume snapshot that you need to examine.

05 Select the Description tab from the bottom panel.

06 Under Volume ID, check the Started parameter value to determine the date and time when the selected snapshot was taken.

If the volume snapshot was created more than 7 days ago, you must take a new snapshot (see Remediation / Resolution section).

07 Repeat steps 4, 5 and 6 for each EBS snapshot available in the current region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run the describe-snapshots command (OSX/Linux/UNIX) to determine if your EBS volume snapshots are older than 7 days. The following example exposes the metadata for each completed snapshot available in the US East region, for the AWS account with the ID 353366855517:

aws ec2 describe-snapshots \
	--owner-ids 353366855517 \
	--region us-east-1 \
	--filters Name=status,Values=completed

02 The command output should reveal the creation date and time for each snapshot available in the selected region. Check the StartTime parameter value to determine if there are any snapshots older than 7 days:

{
    "Snapshots": [
        {
            "Description": "EBS Snapshot March 2016",
            "Encrypted": false,
            "VolumeId": "vol-78ad1aa9",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-03-18T10:26:08.000Z",
            "SnapshotId": "snap-6ae87605",
            "OwnerId": "353366855517"
        },
	       ...
        {
            "Description": "EBS attached volume",
            "Encrypted": false,
            "VolumeId": "vol-44853295",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-03-22T11:43:31.000Z",
            "SnapshotId": "snap-8ad1379f",
            "OwnerId": "353366855517"
        }
    ]
}
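The audit steps above inspect snapshots one at a time, but the rule is about volumes: a volume passes only if its newest completed snapshot is at most 7 days old, and a volume with no snapshot at all never shows up in a snapshot listing. The following added example (not part of the original page) applies that per-volume check to CLI-shaped JSON; the describe-volumes input, the volume vol-11111111 with its pending snapshot, and the fixed audit time are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)  # threshold stated by this rule

# Constructed sample input in the shape of `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots` output; vol-11111111 and its snapshot are made up.
VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-78ad1aa9", "State": "in-use"},
  {"VolumeId": "vol-44853295", "State": "available"},
  {"VolumeId": "vol-11111111", "State": "in-use"}]}""")["Volumes"]
SNAPSHOTS = json.loads("""{"Snapshots": [
  {"VolumeId": "vol-78ad1aa9", "State": "completed", "StartTime": "2016-03-18T10:26:08.000Z"},
  {"VolumeId": "vol-44853295", "State": "completed", "StartTime": "2016-03-22T11:43:31.000Z"},
  {"VolumeId": "vol-11111111", "State": "pending", "StartTime": "2016-03-26T09:00:00.000Z"}]}""")["Snapshots"]

def parse_time(value):
    # StartTime is ISO 8601 in UTC; map a trailing "Z" to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def newest_completed(snapshots):
    """Map each VolumeId to the StartTime of its newest completed snapshot."""
    newest = {}
    for snap in snapshots:
        if snap["State"] != "completed":
            continue  # pending or error snapshots are not usable backups
        started = parse_time(snap["StartTime"])
        vol = snap["VolumeId"]
        if vol not in newest or started > newest[vol]:
            newest[vol] = started
    return newest

def audit(volumes, snapshots, now):
    """Return {VolumeId: reason} for volumes that fail the 7-day rule."""
    newest = newest_completed(snapshots)
    findings = {}
    for vol in volumes:
        if vol["State"] not in ("available", "in-use"):
            continue  # the rule covers available and in-use volumes only
        last = newest.get(vol["VolumeId"])
        if last is None:
            findings[vol["VolumeId"]] = "no completed snapshot"
        elif now - last > MAX_AGE:
            findings[vol["VolumeId"]] = f"last snapshot {(now - last).days} days old"
    return findings

if __name__ == "__main__":
    # Fixed audit time so the constructed sample gives a stable result.
    now = datetime(2016, 3, 27, tzinfo=timezone.utc)
    for volume_id, reason in audit(VOLUMES, SNAPSHOTS, now).items():
        print(volume_id, reason)
```
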

Remediation / Resolution

To keep your EBS backup stack up to date, you need to create new EBS snapshots. To complete the process, perform the following:

Note: snapshots taken from encrypted EBS volumes are automatically encrypted, so the snapshots associated with your encrypted volumes remain protected.

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select the EBS volume that you need to back up.

05 Click the Actions dropdown button from the dashboard top menu and select Create Snapshot.

06 In the Create Snapshot dialog box, provide a name and a description for the volume snapshot and click Create.

07 Repeat steps 4, 5 and 6 for each EBS volume (available or in-use) within the current region. Change the AWS region from the navigation bar to repeat the same process for the other regions.

Using AWS CLI

01 Run the create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your selected volume (regardless of the volume encryption status). The following example uses an EBS volume with the ID vol-78ad1aa9:

aws ec2 create-snapshot \
	--volume-id vol-78ad1aa9

02 The command output should return the new EBS snapshot metadata. The current state for the snapshot should be pending:

{
    "Description": "",
    "Encrypted": false,
    "VolumeId": "vol-78ad1aa9",
    "State": "pending",
    "VolumeSize": 15,
    "Progress": "",
    "StartTime": "2016-04-18T13:33:50.000Z",
    "SnapshotId": "snap-009d1314",
    "OwnerId": "123456789012"
}

03 Run the describe-snapshots command (OSX/Linux/UNIX) to determine the state of the newly created snapshot:

aws ec2 describe-snapshots \
	--snapshot-ids snap-009d1314

04 The command output should return the current snapshot state. If the State parameter value is completed, the EBS volume snapshot has been successfully created:

{
    "Snapshots": [
        {
            "Description": "",
            "Encrypted": false,
            "VolumeId": "vol-78ad1aa9",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-04-18T13:33:50.000Z",
            "SnapshotId": "snap-009d1314",
            "OwnerId": "123456789012"
        }
    ]
}

Publication date Apr 18, 2016