AWS Storage Blog
Reduce costs with customized delete protection for HAQM EBS Snapshots and EBS-backed AMIs
Safeguarding business-critical cloud resources against accidental loss and external threats such as ransomware is a top priority for modern organizations. These companies utilize privacy-enhancing technologies, malware scanning, and the ability to protect from accidental deletion to form key pillars of a strong data security posture. This combination helps ensure that data remains secure, protected from unauthorized access or tampering, and remains intact in the event of accidents or malicious actions. At the same time, when protecting resources from accidental deletion, they strive to minimize costs by avoiding the retention of non-critical resources, such as temporary or test/dev data. Although tagging is commonly used to identify and protect resources, misapplied or accidentally removed tags can leave vital assets unprotected.
A more reliable approach is to exclude non-critical resources proactively, making sure that critical ones remain protected even if tags aren’t applied correctly. For this purpose, users can use Recycle Bin, which protects HAQM EBS Snapshots and EBS-backed HAQM Machine Images (AMIs) from accidental deletion. Applying appropriate retention rules allows deleted snapshots or AMIs to be restored, thereby safeguarding vital resources. Furthermore, the newly added support for exclusion tags allows users to create or edit AWS Region-level retention rules that exclude non-critical resources from Recycle Bin. This feature helps to ensure that critical data remains secure while helping organizations reduce storage costs by limiting retention to essential resources only.
In this post, we expand on previous guides on Recycle Bin to demonstrate how to create and edit rules that exclude non-critical resources from accidental deletion protection. This capability offers users peace of mind that temporary backups of non-essential workloads aren’t retained in Recycle Bin, reducing storage cost and freeing up management overhead, all while continuing to protect critical resources.
Solution overview
In the following example, we have an account that is used by two different teams (A and B) to run critical applications supported by EBS volumes (V1 and V2). The teams regularly create EBS Snapshots (S1 and S2) to back up these volumes, and want to protect these critical snapshots from accidental deletion with Recycle Bin. At the same time, the account is running a security scanning process that creates temporary EBS Snapshots (S1t and S2t) of those volumes. These snapshots are used to spin up new volumes (in a different account), which are then scanned. These temporary snapshots don’t need protection from accidental deletion.
Team A has remembered to add a specific set of tags (Prod: Yes) to snapshots of their volumes to indicate that they are critical backups and need to be protected from accidental deletion. However, Team B has forgotten to apply tags to their critical snapshots. At the same time, for all snapshots created by the scanning process, our storage administrator can apply tags indicating that the snapshots are temporary (“Temp:Yes” or “NonProd:True”). Therefore, to make sure that temporary snapshots aren’t protected from accidental deletion, we create a Recycle Bin rule to exclude those resources, as shown in Figure 1.
Figure 1 – Example solution
Prerequisites
You must appropriately tag any EBS Snapshots or EBS-backed AMIs that don’t need delete protection, e.g. “Temp: Yes” and/or “NonProd: True”. If they aren’t tagged, then they are retained in Recycle Bin when deleted.
Walkthrough
The following steps walk through using Recycle Bin and exclusion tags to ensure that only critical EBS Snapshots and EBS-backed AMIs are retained.
1. Navigate to the Recycle Bin page in the Console either by using the search bar, or through the EBS Snapshot/EC2 Images pages, as shown in the following figure.
Figure 2 – Find Recycle Bin in AWS Console
2. Choose Retention rules followed by Create retention rule, as shown in the following figure.
Figure 3 – List of Recycle Bin retention rules
3. Fill in the retention rule fields based on your requirements. Adding both Temp:Yes and NonProd:True as exclusion tags means that any deleted EBS Snapshot with at least one of these tags isn’t protected by the Recycle Bin rule, as shown in the following figure.
If you want to use exclusion tags, then you must choose to create AWS Region-level retention rules (Apply to all resources). You can’t use exclusion tags with Tag-level rules.
Retention rule name: Exclude-temp-snap-7-days
Retention rule description: Region-level rule that excludes temporary snapshots
Resource type: EBS Snapshots
Apply to all resources: Yes (Checked)
Retention period: 7 days
Exclusion tags: “Temp: Yes”; “NonProd: True”
Figure 4 – Defining exclusion tags
4. Add tags (“Temp: Yes” and “NonProd: True”) to the retention rule, then choose Create retention rule, as shown in the following figure.
You cannot apply Rule Lock on any rules with Exclusion tags. If the rule is already locked, then you must unlock the rule and wait for the unlock delay period to elapse before you can add Exclusion tags.
Figure 5 – Rule lock cannot be enabled when exclusion tags have been set
5. If you want to add Exclusion tags to an existing AWS Region-level retention rule, then choose the rule, followed by Actions and Edit rule settings. If the rule is locked, then you must first unlock the rule and wait for the lock period to elapse. When the rule is fully unlocked, you can edit the retention rule and add any exclusion tags as needed, as shown in the following figure.
Figure 6 – Rules can be edited when they are unlocked
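The same rule can be created with the AWS SDK instead of the Console. The following is an added example (not code from the original post or from AWS): it models the Region-level rule from step 3 as boto3 `rbin` `create_rule` parameters and checks, offline, which of the snapshots from the solution overview would be retained. The parameter name `ExcludeResourceTags` and its `{ResourceTagKey, ResourceTagValue}` shape, and the mapping of the Console’s rule name to a `Name` tag, are assumptions.

```python
"""Model the Region-level Recycle Bin rule with exclusion tags and check
which snapshots it retains. Constructed example; not AWS or blog code."""
from typing import Dict, List

# Exclusion tags from step 3 (Figure 4).
EXCLUSION_TAGS = {"Temp": "Yes", "NonProd": "True"}


def build_create_rule_params() -> dict:
    """Parameters for boto3 rbin create_rule. ExcludeResourceTags shape and the
    Name tag for the rule name are assumptions, not taken from the post."""
    return {
        "Description": "Region-level rule that excludes temporary snapshots",
        "ResourceType": "EBS_SNAPSHOT",
        "RetentionPeriod": {"RetentionPeriodValue": 7, "RetentionPeriodUnit": "DAYS"},
        # No ResourceTags: the rule applies to all snapshots in the Region,
        # which is required for exclusion tags (step 3 note).
        "ExcludeResourceTags": [
            {"ResourceTagKey": k, "ResourceTagValue": v} for k, v in EXCLUSION_TAGS.items()
        ],
        "Tags": [{"Key": "Name", "Value": "Exclude-temp-snap-7-days"}],
    }


def is_excluded(resource_tags: Dict[str, str], exclusion_tags: Dict[str, str]) -> bool:
    """Excluded when at least one exclusion tag matches on both key and value."""
    return any(resource_tags.get(k) == v for k, v in exclusion_tags.items())


def retained_snapshots(snapshots: Dict[str, Dict[str, str]]) -> List[str]:
    """Snapshots the rule would move to Recycle Bin on deletion."""
    return sorted(s for s, tags in snapshots.items() if not is_excluded(tags, EXCLUSION_TAGS))


# Constructed snapshots matching the solution overview.
SNAPSHOTS = {
    "S1": {"Prod": "Yes"},       # Team A: tagged critical backup
    "S2": {},                    # Team B: forgot tags, still retained
    "S1t": {"Temp": "Yes"},      # scanner copy, excluded
    "S2t": {"NonProd": "True"},  # scanner copy, excluded
    "S3t": {"Temp": "No"},       # value mismatch: not excluded
}


def apply_rule(region: str) -> str:
    """Create the rule for real (needs credentials); returns the rule Identifier."""
    import boto3  # imported lazily so the offline checks run without it
    client = boto3.client("rbin", region_name=region)
    return client.create_rule(**build_create_rule_params())["Identifier"]


if __name__ == "__main__":
    print(retained_snapshots(SNAPSHOTS))  # ['S1', 'S2', 'S3t']
```

Untagged S2 stays protected because exclusion is opt-out, which is the point of preferring exclusion tags over tag-level rules.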
Cleaning up
You can delete the Retention rule by choosing Actions followed by Delete retention rule. Any resources that are already in Recycle Bin are automatically deleted when the retention period has elapsed.
Conclusion
In this post, we covered how to use Recycle Bin to protect critical resources from accidental deletion. We encourage you to use this feature in conjunction with your other cybersecurity technologies such as security scanning software to make sure critical resources are protected. Creating a Region-level retention rule with exclusion tag(s) means that any non-critical resources with at least one of the corresponding resource tag(s) won’t move to Recycle Bin upon deletion. We hope this saves you from having to spend time managing resources and reduces your overall storage cost.
As a final suggestion, we encourage you to try this on your own environments by navigating to the AWS Console or by using the AWS Command Line Interface (AWS CLI). You can learn more about Recycle Bin in our technical documentation.
Thank you for reading this post. If you have questions or suggestions, leave them in the comments section.