AWS Storage Blog
Retaining Amazon EC2 AMI snapshots for compliance using Amazon EBS Snapshots Archive
Many organizations have the need to retain data for a number of years to comply with regulations or IT requirements. They move cold data to archive storage in the cloud to optimize storage costs while staying compliant. For example, Amazon Machine Image (AMI) is a critical data resource that many customers want to retain long term to meet compliance. Until now, when customers wanted to clean up unused and obsolete AMIs to save cost, they needed to de-register these AMIs. The de-registration was often deemed unfeasible due to regulatory compliance, IT governance, or internal policy mandates. These constraints can lead to a growing number of active AMIs that increase management overhead, impact discoverability, and raise security concerns for launching new instances from an outdated image.
Customers use an AMI to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance and often create AMIs for updates with security patches and for backup purposes, which increases the need for long-term retention. An Amazon Elastic Block Store (Amazon EBS)-backed AMI includes one or more Amazon EBS Snapshots. With the announcement that Amazon EC2 now supports setting AMIs to disabled state, customers can disable and retain old and obsolete AMIs while preventing new instance launches from these AMIs. Furthermore, customers can archive the snapshots associated with disabled EBS-backed AMIs to lower cost while maintaining compliance. This can be done by disabling AMIs and archiving the underlying snapshots to Amazon EBS Snapshots Archive. Archival of EBS Snapshots provides a low-cost storage tier to archive full, point-in-time copies of EBS Snapshots that you must retain for 90 days or more for regulatory and compliance reasons, or for future project releases. Snapshots Archive is recommended for monthly, quarterly, or yearly snapshots of disabled EBS-backed AMIs.
In this post, we walk through how to easily disable an AMI and archive EBS Snapshots of the disabled AMI. This lets you move snapshots of your rarely accessed AMIs from the standard snapshots tier to EBS Snapshots Archive to achieve up to 75% lower storage costs. In addition, we show you how to re-enable an AMI after restoring the archived snapshot(s) to the standard snapshot tier. Depending on the snapshot size, it may take up to 72 hours to move a snapshot from Snapshots Archive to the standard snapshot tier.
Solution overview
When you create an EBS-backed AMI of an EC2 instance, the process generates a snapshot of EBS volumes attached to the instance and maintains launch permissions, as well as a block device mapping that specifies the volumes to attach to the instance when it’s launched.
To archive the EBS Snapshots associated with these EBS-backed AMIs, either for long-term retention or compliance reasons, you must first disable the EBS-backed AMI. Then, you must identify the snapshots associated with the disabled AMI and archive them. The process of disabling AMIs, identifying the associated snapshots, and archiving the snapshots can be achieved through the console or using the AWS API. In the following walkthrough, we demonstrate how to achieve this using the Console.
Prerequisites
You must have an AWS account with sufficient AWS Identity and Access Management (IAM) permissions to access EC2 instances, EBS volumes, and create EBS-backed AMIs. Additionally, to run API actions, you must have access to a terminal with the AWS Command Line Interface (AWS CLI) installed and configured. Your account must also own the AMIs and snapshots that you want to archive.
Walkthrough
To disable an EBS-backed AMI and archive its associated snapshots:
1. Navigate to the Amazon EC2 console.
2. Disable the EBS-backed AMI that you want to prevent from being used to launch instances.
3. Archive the EBS snapshots associated with the disabled AMI ID.
To enable an EBS-backed AMI containing archived snapshots:
4. Identify the archived EBS snapshots belonging to the disabled AMI.
5. Restore the snapshots to the Standard tier.
6. Enable the EBS-backed AMI.
Step 1: Navigate to the Amazon EC2 console
1. Navigate to the Amazon EC2 console and select AMIs from the left navigation pane.
Step 2: Disable the EBS-backed AMI that you want to prevent from being used to launch instances
1. Select the EBS-backed AMI from the list of AMIs that you want to disable under Owned by me.
2. Once selected, go to Actions > Disable AMI.
3. Select Disable AMI to disable this AMI.
Step 3: Archive the EBS Snapshots associated with the disabled AMI ID
1. Go to AMIs on the left navigation pane > select the drop down and select Disabled Images > select the AMI that you want to archive > go to the Storage tab > and note the snapshots listed under the Device ID.
2. Go to Snapshots on the left navigation pane, select the Snapshot IDs that you noted in the previous step > select Actions on the top right > Archive Snapshots.
3. Make sure the Snapshot IDs are correct, and then select Archive snapshots to confirm the archival.
4. To check the progress of archival, select the individual Snapshot IDs and go to Storage tier. This should change from Standard to Archive.
Step 4: Identify the archived EBS snapshots belonging to the disabled AMI
1. Copy the Snapshot ID(s) of the AMI that you want to enable. To do so, go to AMIs on the left navigation pane, select the dropdown menu on the top left, and select Disabled images > select the AMI that you want to enable > select the Storage tab > note snapshots listed under the Device ID column.
Step 5: Restore the snapshots to the Standard Tier
1. Go to Snapshots on the left navigation pane. Select the Snapshot IDs that you noted in the previous step > select Actions on the top right > select Restore snapshots from archive.
2. Set Restore type to “Permanent” > select Restore snapshots to confirm restoring to standard tier.
3. To view the progress of snapshot restoration, select the individual Snapshot IDs and then select Storage tier. The status in Storage tier should change from Archive to Standard. To monitor the progress of the restore, see Tier change progress.
Step 6: Enable the EBS-backed AMI
1. Once you make sure that all the snapshots linked to the AMI are moved to the standard tier, you can enable the EBS-backed AMI. Navigate to AMIs on the left navigation pane > select the dropdown on the top left and select Disabled images > select the AMI, and then go to Actions on the top right > select Enable AMI.
2. Select Enable AMI again to confirm your action.
3. To verify that the AMI was enabled, you can select the dropdown on the top left in the AMI console page and select Owned by me > then look for the AMI ID that you enabled.
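The same six steps can be run with the AWS CLI mentioned in the prerequisites. The script below is an added example and not part of the original post; the function names and the archive/restore/enable sub-commands are illustrative, and the AMI ID is supplied by the caller.

```shell
#!/bin/sh
# Added example: CLI version of the console walkthrough (function names are illustrative).

# Snapshot IDs referenced by an AMI's block device mappings.
# --include-disabled makes sure a disabled AMI is still returned.
ami_snapshots() {
    aws ec2 describe-images --image-ids "$1" --include-disabled \
        --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId' --output text
}

# Current storage tier of one snapshot: "standard" or "archive".
snapshot_tier() {
    aws ec2 describe-snapshots --snapshot-ids "$1" \
        --query 'Snapshots[0].StorageTier' --output text
}

# Steps 2-3: disable the AMI first, then archive each of its snapshots.
archive_ami() {
    aws ec2 disable-image --image-id "$1" >/dev/null || return 1
    for snap in $(ami_snapshots "$1"); do
        aws ec2 modify-snapshot-tier --snapshot-id "$snap" \
            --storage-tier archive >/dev/null || return 1
    done
}

# Steps 4-5: permanently restore only the snapshots that are archived.
restore_ami_snapshots() {
    for snap in $(ami_snapshots "$1"); do
        [ "$(snapshot_tier "$snap")" = archive ] || continue
        aws ec2 restore-snapshot-tier --snapshot-id "$snap" \
            --permanent-restore >/dev/null || return 1
    done
}

# Step 6: enable the AMI only when every snapshot is back in the standard tier.
enable_ami_if_restored() {
    for snap in $(ami_snapshots "$1"); do
        if [ "$(snapshot_tier "$snap")" != standard ]; then
            echo "$snap is not in the standard tier yet" >&2
            return 1
        fi
    done
    aws ec2 enable-image --image-id "$1" >/dev/null
}

# Dispatch: script.sh archive|restore|enable <ami-id>
case "${1:-}" in
    archive) archive_ami "$2" ;;
    restore) restore_ami_snapshots "$2" ;;
    enable)  enable_ami_if_restored "$2" ;;
esac
```

Because a restore can take up to 72 hours, rerun the enable step until it succeeds; it leaves the AMI disabled while any snapshot is still archived.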
Cleaning up
If you no longer need to retain the disabled EBS-backed AMI, you can deregister the AMI and delete the associated snapshots in Snapshots Archive. Note that the minimum archival period is 90 days. If you delete or permanently restore an archived snapshot before the minimum archival period of 90 days, you will be billed for the remaining days in the archive tier.
Conclusion
In this post, we showed you how to use Snapshots Archive for disabled EC2 AMIs for long term retention needs. You can stay compliant by retaining the disabled EC2 AMI snapshots for regulatory requirements while saving on costs. Using Snapshots Archive, you can also easily transition data to a low-cost storage tier without having to worry about how to move the data. We recommend that you explore the capabilities of disabled EC2 AMI and Snapshots Archive to meet your compliance and cost optimization needs.
Thank you for reading. We welcome your feedback and questions in the comment section.