How to encrypt EBS Snapshot using AWS CLI

Pragti Chauhan
Feature image


Elastic Block Storage (EBS) snapshots are snapshots of the volume at a particular moment in time. These snapshots can be shared and recreated into volumes for other instances. AWS provides the provision to share these snapshots with other AWS customers via the “Permissions” tab of the snapshot.

Since a snapshot is equivalent to the EBS volume, an attacker with access to a snapshot can read and gain access to data within the snapshot if it is unencrypted. It is recommended to implement data encryption in order to protect it from attackers or unauthorised users.

In this article we will take a look at how to encrypt an EBS snapshot using AWS CLI.

AWS CLI commands to encrypt EBS snapshot

Following are the AWS CLI commands to encrypt an EBS snapshot:

  1. Run describe snapshots command

    aws ec2 describe-snapshots --owner-ids self  --region <region> --query 'Snapshots[]'

    Describe snapshot command

  2. Make an encrypted copy of the unencrypted snapshot by running the following command

    aws ec2 copy-snapshot --region <region> --source-region <region>  --destination-region <region> --source-snapshot-id <snapshot id> --description <description> --encrypted

    Encrypted copy of unencrypted snapshot

  3. Delete the unencrypted snapshot by providing its ID as identifier

    aws ec2 delete-snapshot --region <region> --snapshot-id <snapshot id>

    Delete unencrypted snapshot

← Back to Academy