AWS: Elastic block storage 2nd part

SHARING EBS SNAPSHOTS:

By default, only the account owner can create volumes from the account snapshots.

You can share your unencrypted snapshots with the whole AWS community by making them public (setting the snapshot’s create-volume permission to public).

Also, you can share your unencrypted snapshots with selected AWS account(s) by keeping them private and then selecting the AWS accounts to share with.

You can NOT make your encrypted snapshots public.

You can NOT make a snapshot taken from an encrypted snapshot public on AWS either.

  • However, you can share it with other AWS accounts if needed, but you need to mark it “private” then share it.

You can share your encrypted snapshots with specific AWS accounts as follows:

  • Make sure that you use a non-default (customer managed) CMK to encrypt the snapshot, not the default AWS managed CMK (AWS will not allow the sharing if the default CMK is used).

      • Without this, the other accounts will not be able to copy the snapshot, nor create volumes from it.

  • Mark the snapshot private then enter the AWS accounts with which you want to share the snapshot.

COPYING SNAPSHOTS

You can copy a snapshot within the same region, or from one region to another.

To move a snapshot to another region, you need to copy it to that region.

You can only copy a snapshot once it has been fully saved to S3 (its status shows as completed), not while the snapshot is in the pending status (when data blocks are still being moved to S3).

Amazon S3’s Server-Side Encryption (SSE) protects the snapshot data in transit while copying (since both the snapshot and the copy are on S3).

User-defined tags are NOT copied from the original snapshot to the copy.

You can have up to 5 snapshot copy requests running in a single destination per account.

If you try to copy an encrypted snapshot without having permissions to the encryption key, the copy process will fail silently.

  • This is why cross-account permissions were required when sharing encrypted snapshots.
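A defender’s check that ties the sharing and copying rules above together, written as an added example (not code from the original post): it audits each snapshot’s createVolumePermission attribute and key type from constructed API responses, flagging public snapshots, cross-account shares, encrypted snapshots on the default AWS managed key (which other accounts cannot copy or create volumes from), and snapshots still pending (which cannot be copied yet). The snapshot ids, key ARNs and account ids are made up; the dict shapes match what boto3 returns from describe_snapshots, describe_snapshot_attribute and kms describe_key.

```python
# Added example (not from the original post): offline audit of EBS snapshot
# sharing posture. Inputs are constructed dicts in the shape boto3 returns from
# ec2.describe_snapshots, ec2.describe_snapshot_attribute(
# Attribute="createVolumePermission") and kms.describe_key; all ids are made up.

SNAPSHOTS = [
    {"SnapshotId": "snap-0public00", "Encrypted": False, "State": "completed"},
    {"SnapshotId": "snap-0awskey00", "Encrypted": True, "State": "completed",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/default-ebs"},
    {"SnapshotId": "snap-0pending0", "Encrypted": True, "State": "pending",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/custom-cmk"},
]
# createVolumePermission per snapshot: {"Group": "all"} means public.
PERMISSIONS = {
    "snap-0public00": [{"Group": "all"}],
    "snap-0awskey00": [{"UserId": "444455556666"}],
    "snap-0pending0": [{"UserId": "444455556666"}, {"UserId": "777788889999"}],
}
# KeyManager is "AWS" for the default aws/ebs key, "CUSTOMER" for a custom CMK.
KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/default-ebs": {"KeyManager": "AWS"},
    "arn:aws:kms:us-east-1:111122223333:key/custom-cmk": {"KeyManager": "CUSTOMER"},
}


def audit_snapshot(snapshot, permissions, key_metadata=None):
    """Return findings for one snapshot (empty list = nothing to flag)."""
    findings = []
    accounts = sorted(p["UserId"] for p in permissions if "UserId" in p)
    if any(p.get("Group") == "all" for p in permissions):
        findings.append("PUBLIC")  # any AWS account can create volumes from it
    if accounts:
        findings.append("SHARED_WITH:" + ",".join(accounts))
    if (snapshot.get("Encrypted") and accounts
            and (key_metadata or {}).get("KeyManager") == "AWS"):
        # Default CMK: the other accounts can neither copy it nor create volumes.
        findings.append("UNSHAREABLE_DEFAULT_KEY")
    if snapshot.get("State") != "completed":
        findings.append("NOT_COPYABLE_YET")  # copies require status "completed"
    return findings


def audit_all(snapshots=SNAPSHOTS, permissions=PERMISSIONS, keys=KEYS):
    """Map snapshot id -> findings, joining the three API responses by id/ARN."""
    report = {}
    for snap in snapshots:
        key = keys.get(snap.get("KmsKeyId")) if snap.get("Encrypted") else None
        report[snap["SnapshotId"]] = audit_snapshot(
            snap, permissions.get(snap["SnapshotId"], []), key)
    return report
```

To run it against a live account, replace the three constructed dicts with the corresponding boto3 calls; the audit logic itself is unchanged.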

USE CASES FOR COPYING A SNAPSHOT

  • Geographic expansion

  • Copying data and logs to another AWS account for auditing

      • This also protects against account compromise.

CREATING/REGISTERING AMIs

To create your own AMI from an instance store backed EC2 instance’s root volume, you need to:

  • Launch an EC2 instance from an instance store backed AMI

      • You need to specify the S3 bucket (user bucket) to upload the AMI bundle to.

  • Register the AMI (manually), so that AWS EC2 can find it to launch further EC2 instances

Since your new AMI is stored in an AWS S3 bucket, S3 charges apply until you deregister the AMI and delete the stored S3 objects.

For changes to the source AMI (stored in S3) to take effect, you must deregister and re-register the AMI.

LAUNCHING EC2 INSTANCES FROM INSTANCE STORE BACKED AMI

Instances launched from an instance store backed AMI will have an instance store as the root device volume.

When an instance is launched using an instance store backed AMI, the image (saved in S3) is copied from S3 to the instance’s root device volume.

  • The root device volume is then used to boot the instance.

DEREGISTERING USER CREATED AMIs

When you no longer need an AMI, you can deregister it.

  • If you do this, you will not be able to use it again to launch further instances (AWS will not find it)

Deregistering an AMI will not impact those instances created from the AMI while it was registered.

USER CREATED EBS BACKED AMI

For EBS backed instances, when you create an AMI, stop the instance first to ensure data consistency and integrity, then create the AMI.

For EBS backed Instances, AWS registers the created AMIs automatically.

During the AMI-creation process, Amazon EC2 creates snapshots of your instance’s root volume and any other EBS volumes attached to your instance.

  • You are charged for storage costs as long as the snapshots are stored in S3.

If any volumes attached to the instance are encrypted, the new AMI only launches successfully on instance types that support Amazon EBS encryption.

CLEANING UP THE EBS BACKED AMI

To delete the snapshot of an EBS backed instance’s root device volume used by a registered AMI (the one AWS created during the AMI creation process):

  • You must deregister the AMI first.

  • Deregistering an Amazon EBS backed AMI does not affect the snapshot that was created for the instance’s root volume during the AMI creation process.

  • Then you can delete the snapshot.

EBS REDUNDANT ARRAY OF INDEPENDENT DISKS (RAID)

  • Striping means distributing the data to be written across the disks of the array and writing to multiple disks in parallel, without redundancy.

RAID ARRAY TYPES

  • RAID 0:

      • Striping, no mirroring.

      • Provides the best I/O performance among RAID types.

      • Resulting I/O is the sum of the individual disks’ I/O.

      • Failure of one EBS volume means the failure of the entire array.

  • RAID 1:

      • Redundancy (writing the same data to multiple drives), no striping.

      • No I/O performance enhancement.

  • RAID 10:

      • Redundancy and striping (combines both RAID 0 and RAID 1).

      • Good performance and redundancy.

As a rule of thumb, an EC2 instance’s maximum bandwidth needs to be greater than or equal to the total I/O of the EBS volumes in the array.

It is not recommended to use a RAID array as the root/boot volume of an instance.

In my next blog, I will start with #ELB, which is considered one of the important topics in AWS. So, kindly stay connected.

Thank you,

Bharathi.


Bharathi is a self-driven and purpose-oriented person. Her main mission is to create profound change in her career. Contact her at bharathi.batthula6@gmail.com
