
Sorry, bit new here. I had to take over managing AWS for a small company with about 10 EC2 instances. It looks like the instances are being backed up via snapshots every day. Currently there are over 400 snapshots. What I can't figure out is how they are being automated so I can review the policy.

When I look under Lifecycle Manager there are currently no policies. I also looked under Events in CloudWatch and there were no rules. Finally, I looked on the servers themselves to see if perhaps a script was running via cron, and there was nothing.

So I am at a loss as to how these snapshots are automated to run every day. If anyone knows where I should look to find this, it would be much appreciated.

Jay

2 Answers


You may have to look in CloudTrail to find out what IAM role was used to create the snapshots. That should point you in the right direction, whether it's a CloudWatch role, an EC2 role, or some external script using IAM user keys.

Also have a look at AWS Backup - perhaps that is being used to create the images. In that case you can set the lifecycle policy there, e.g. delete snapshots after 4 weeks, etc.

Hope that helps :)

MLu
Thank you so much! So, looking through CloudTrail I noticed the source IP address was an on-prem server. Sure enough, in cron there was a script that kicked off the snapshots. Again, thanks for the help! – Jay Jun 05 '20 at 18:42

Your best friend here will be CloudTrail. Turn it on if it's not enabled already and look for the CreateSnapshot activity; you can filter the results. Once you find out which service is doing it, or which user/role authorized it, you'll have a starting point. Don't be afraid to ask around your coworkers if you find a non-descriptive user or role. You can go into the role's details in IAM and use the "Access Advisor" to see where and by what the role is being used (afaik this doesn't work with user access keys).

After you've tracked it down, I would highly suggest implementing the Data Lifecycle Manager instead of doing anything yourselves, but I have a hunch you're already planning this; I just needed to mention it.

Chris
Thanks as well, Chris. As I mentioned above, looking through CloudTrail I noticed the source IP address was an on-prem server. Sure enough, in cron there was a script that kicked off the snapshots. So again, thanks for the help. – Jay Jun 05 '20 at 18:43
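Applying the CloudTrail advice from both answers, as an added example (not code from either answerer): a Python helper that takes the JSON printed by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSnapshot` and tallies CreateSnapshot calls by principal, source IP and user agent, which is how an on-prem cron job using IAM user keys, or an AWS Backup service role, stands out at a glance. The sample records, account ID, ARNs, IPs and volume IDs are constructed.

```python
"""Summarise who issued CreateSnapshot calls, from CloudTrail lookup-events JSON."""
import json
from collections import Counter

# Constructed sample in the shape printed by
#   aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSnapshot
# Account ID, ARNs, IPs and volume IDs are made up; only the fields used below are filled in.
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    {"EventName": "CreateSnapshot", "CloudTrailEvent": json.dumps({
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/backup-script"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/1.18.0",
        "requestParameters": {"volumeId": "vol-0aaaaaaaaaaaaaaaa"}})},
    {"EventName": "CreateSnapshot", "CloudTrailEvent": json.dumps({
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/backup-script"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/1.18.0",
        "requestParameters": {"volumeId": "vol-0bbbbbbbbbbbbbbbb"}})},
    # A call made through an assumed role: the role ARN lives under sessionContext.sessionIssuer.
    {"EventName": "CreateSnapshot", "CloudTrailEvent": json.dumps({
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-session",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"}}},
        "sourceIPAddress": "backup.amazonaws.com", "userAgent": "backup.amazonaws.com",
        "requestParameters": {"volumeId": "vol-0ccccccccccccccccc"}})},
    {"EventName": "DeleteSnapshot", "CloudTrailEvent": json.dumps({  # unrelated call, must be skipped
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
        "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com"})},
]}


def principal_arn(user_identity):
    """IAM user or role that authorised the call (the role ARN for AssumedRole sessions)."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "unknown")


def summarize_create_snapshot(lookup_output):
    """Return {(principal ARN, source IP, user agent): count} over CreateSnapshot events."""
    counts = Counter()
    for event in lookup_output.get("Events", []):
        if event.get("EventName") != "CreateSnapshot":
            continue
        detail = json.loads(event["CloudTrailEvent"])  # the full record is a JSON string
        key = (principal_arn(detail.get("userIdentity", {})),
               detail.get("sourceIPAddress", "?"), detail.get("userAgent", "?"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (arn, ip, agent), n in sorted(summarize_create_snapshot(SAMPLE_LOOKUP_OUTPUT).items()):
        print(f"{n:3d}  {arn}  from {ip}  via {agent}")
```

On a real account, pipe the CLI output to a file and load it with `json.load` in place of the constructed sample; lookup-events only covers the last 90 days, so older automation needs the trail's S3 logs.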