How to encrypt EBS Snapshot using AWS CLI

Pragti Chauhan


Encrypting EBS snapshots adds a layer of security and also helps in meeting compliance requirements. This article provides a walkthrough of how to encrypt an EBS snapshot in AWS.


Elastic Block Store (EBS) snapshots are point-in-time copies of a volume. These snapshots can be shared and restored into volumes for other instances. AWS lets you share snapshots with other AWS customers via the “Permissions” tab of the snapshot.

Because a snapshot contains the same data as the EBS volume it was taken from, an attacker who gains access to an unencrypted snapshot can read the data in it. It is recommended to encrypt snapshots in order to protect that data from attackers or unauthorised users.

In this article we will take a look at how to encrypt an EBS snapshot using AWS CLI.

AWS CLI commands to encrypt EBS snapshot

The following AWS CLI commands encrypt an EBS snapshot:

  1. Run the describe-snapshots command to list the snapshots you own

    aws ec2 describe-snapshots --owner-ids self --region <region> --query 'Snapshots[]'

    Describe snapshot command

  2. Make an encrypted copy of the unencrypted snapshot by running the following command

    aws ec2 copy-snapshot --region <region> --source-region <region> --destination-region <region> --source-snapshot-id <snapshot id> --description "<description>" --encrypted

    Encrypted copy of unencrypted snapshot

  3. Delete the unencrypted snapshot by providing its ID as identifier

    aws ec2 delete-snapshot --region <region> --snapshot-id <snapshot id>

    Delete unencrypted snapshot
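
The three steps above combined into one script, as an added example that is not part of the original article: it lists only unencrypted snapshots, and it deletes the source only after the encrypted copy has completed and been verified. The function names and the optional KMS key argument are assumptions made for illustration; the `aws ec2` subcommands and options are the CLI's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Function names are
# hypothetical; the aws ec2 subcommands and options are real CLI ones.

# Print the IDs of unencrypted snapshots owned by this account in region $1.
list_unencrypted_snapshots() {
  aws ec2 describe-snapshots --owner-ids self --region "$1" \
    --filters Name=encrypted,Values=false \
    --query 'Snapshots[].SnapshotId' --output text
}

# encrypt_snapshot <region> <snapshot-id> [kms-key-id]
# Makes an encrypted same-region copy, waits for it, verifies it, and only
# then deletes the source. Prints the new snapshot ID on success.
encrypt_snapshot() {
  local region="$1" src="$2" kms_key="${3:-}" new_id encrypted

  # Without --kms-key-id the copy uses the account's default EBS KMS key.
  new_id=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
    --source-snapshot-id "$src" --description "Encrypted copy of $src" \
    --encrypted ${kms_key:+--kms-key-id "$kms_key"} \
    --query SnapshotId --output text) || return 1

  # Block until the copy is in the "completed" state.
  aws ec2 wait snapshot-completed --region "$region" \
    --snapshot-ids "$new_id" || return 1

  encrypted=$(aws ec2 describe-snapshots --region "$region" \
    --snapshot-ids "$new_id" --query 'Snapshots[0].Encrypted' \
    --output text) || return 1
  case "$encrypted" in
    True|true) ;;
    *) echo "copy $new_id is not encrypted; keeping $src" >&2; return 1 ;;
  esac

  aws ec2 delete-snapshot --region "$region" --snapshot-id "$src" || return 1
  echo "$new_id"
}
```

Source the file and call `encrypt_snapshot <region> <snapshot id>` for each ID printed by `list_unencrypted_snapshots <region>`.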