Directory Service Manual Snapshot Quota
Overview
This check validates that your AWS Directory Service directories have remaining manual snapshot capacity. AWS caps the number of manual snapshots per directory (5 for AWS Managed Microsoft AD and Simple AD; AD Connector stores no directory data and has no snapshots). Once the cap is reached, CreateSnapshot calls fail with SnapshotLimitExceededException and you cannot create a new recovery point until an existing manual snapshot is deleted.
Risk
Without remaining snapshot capacity, you face significant operational and recovery risks:
- No new recovery points: Cannot create snapshots before risky changes (schema updates, OS patches)
- Higher data loss potential: If the daily automatic snapshot fails, you cannot take a replacement recovery point, so the gap between your last good snapshot and the present keeps growing
- Reduced ransomware recovery options: Fewer rollback points available during security incidents
- Failed backup operations: Automated processes that create manual snapshots will fail
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to manage Directory Service snapshots
- Knowledge of which snapshots are still needed for recovery purposes
Required IAM permissions
Your IAM user or role needs the following permissions:
- ds:DescribeDirectories
- ds:GetSnapshotLimits
- ds:DescribeSnapshots
- ds:DeleteSnapshot
AWS Console Method
- Open the AWS Directory Service console
- In the navigation pane, choose Directories
- Click on the Directory ID of your target directory
- Select the Maintenance tab
- Scroll to the Snapshots section to see your current snapshots
- Review the list and identify snapshots that are no longer needed:
- Look at the Start time column for older snapshots
- Consider keeping at least 2-3 recent snapshots for rollback purposes
- Select the checkbox next to a snapshot you want to remove
- Click Actions then Delete snapshot
- Confirm the deletion when prompted
- Repeat for additional snapshots until you have adequate remaining capacity
Recommendation: Keep at least 2-3 slots available (e.g., if your limit is 5, maintain no more than 2-3 manual snapshots).
AWS CLI (optional)
Check Current Snapshot Limits
First, list your directories to find the ID of the one you want to work on:
aws ds describe-directories \
--region us-east-1 \
--query "DirectoryDescriptions[*].[DirectoryId,Name,Type]" \
--output table
Get the snapshot limits for your directory:
aws ds get-snapshot-limits \
--directory-id d-1234567890 \
--region us-east-1
Example output:
{
"SnapshotLimits": {
"ManualSnapshotsLimit": 5,
"ManualSnapshotsCurrentCount": 5,
"ManualSnapshotsLimitReached": true
}
}
List Existing Snapshots
View all snapshots for your directory:
aws ds describe-snapshots \
--directory-id d-1234567890 \
--region us-east-1 \
--query "Snapshots[?Type=='Manual'].{SnapshotId:SnapshotId,Name:Name,Status:Status,StartTime:StartTime}" \
--output table
Delete Old Snapshots
Remove snapshots that are no longer needed (replace s-1234567890 with your snapshot ID):
aws ds delete-snapshot \
--snapshot-id s-1234567890 \
--region us-east-1
Verify Deletion
Confirm the snapshot was deleted and check remaining capacity:
aws ds get-snapshot-limits \
--directory-id d-1234567890 \
--region us-east-1
Automation Script (optional)
This script prints the snapshot limits for a directory and lists its manual snapshots oldest first, so you can decide which ones to delete (it does not delete anything itself):
#!/bin/bash
# List manual snapshots sorted by age (oldest first) for a directory
# Usage: ./list-old-snapshots.sh <directory-id>
DIRECTORY_ID="${1:-d-1234567890}"
REGION="us-east-1"
echo "Checking snapshot limits for $DIRECTORY_ID..."
aws ds get-snapshot-limits \
--directory-id "$DIRECTORY_ID" \
--region "$REGION"
echo ""
echo "Manual snapshots (oldest first):"
aws ds describe-snapshots \
--directory-id "$DIRECTORY_ID" \
--region "$REGION" \
--query "Snapshots[?Type=='Manual'] | sort_by(@, &StartTime)" \
--output table
Note: Only delete snapshots after confirming they are no longer needed for recovery purposes. Deletion cannot be undone, so check the Start time and Name of each snapshot against your change history before removing it.
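The following is an added example, not part of the original page and not an AWS-provided tool. It combines the CLI steps above (check limits, list manual snapshots, delete the oldest, verify) into one script: it reads ManualSnapshotsLimit, lists only Completed manual snapshots oldest first, and deletes the oldest ones until a chosen number of slots is free, while never dropping below a minimum number of retained snapshots. The planning step is a plain shell function fed by the CLI's tab-separated text output, so it can be exercised without AWS access. Assumptions: AWS CLI v2 is configured with the four ds: permissions listed above; the directory ID, region, FREE_SLOTS and KEEP_MIN are placeholders you supply; the script is a dry run unless invoked with --delete.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): free manual-snapshot slots for an
# AWS Directory Service directory by deleting the oldest Completed manual snapshots.
# Dry run by default; pass --delete as the third argument to call ds:DeleteSnapshot.
# Assumes: aws CLI v2 with ds:DescribeSnapshots, ds:GetSnapshotLimits and
# ds:DeleteSnapshot on the target directory. No jq needed: uses --query/--output text.
set -eu
# pipefail is not POSIX; enable it where the shell supports it so an aws failure
# in the pipeline below aborts the run instead of being treated as "nothing to do".
(set -o pipefail) 2>/dev/null && set -o pipefail

# plan_deletions LIMIT FREE KEEP
# Reads "StartTime<TAB>SnapshotId" lines (oldest first) on stdin and prints the
# SnapshotIds to delete so that at least FREE of LIMIT slots become available,
# while always retaining at least KEEP of the newest snapshots.
plan_deletions() {
  local limit="$1" free="$2" keep="$3"
  local ids count target n_delete
  ids=$(cut -f2)                                   # keep only the SnapshotId column
  count=$(printf '%s\n' "$ids" | grep -c . || true)  # number of snapshots present
  target=$((limit - free))                         # most we may keep and still have FREE slots
  if [ "$target" -lt "$keep" ]; then               # the retention floor wins over the slot request
    target="$keep"
  fi
  n_delete=$((count - target))
  if [ "$n_delete" -gt 0 ]; then
    printf '%s\n' "$ids" | head -n "$n_delete"     # oldest first
  fi
}

# run_cleanup DIRECTORY_ID [REGION] [--delete]
run_cleanup() {
  local directory_id="$1" region="${2:-us-east-1}" mode="${3:-dry-run}"
  local free="${FREE_SLOTS:-2}" keep="${KEEP_MIN:-2}" limit
  limit=$(aws ds get-snapshot-limits --directory-id "$directory_id" --region "$region" \
            --query 'SnapshotLimits.ManualSnapshotsLimit' --output text)
  echo "Limit $limit, want $free free slot(s), keep at least $keep snapshot(s)"
  # Only Completed manual snapshots, oldest first; text output gives "StartTime<TAB>SnapshotId" per line.
  aws ds describe-snapshots --directory-id "$directory_id" --region "$region" \
      --query "sort_by(Snapshots[?Type=='Manual' && Status=='Completed'], &StartTime)[].[StartTime,SnapshotId]" \
      --output text \
  | plan_deletions "$limit" "$free" "$keep" \
  | while read -r sid; do
      if [ "$mode" = "--delete" ]; then
        echo "Deleting $sid"
        aws ds delete-snapshot --snapshot-id "$sid" --region "$region"
      else
        echo "Would delete $sid (re-run with --delete to apply)"
      fi
    done
  # Verify the result the same way the page does.
  aws ds get-snapshot-limits --directory-id "$directory_id" --region "$region"
}

if [ "$#" -ge 1 ]; then
  run_cleanup "$@"
else
  echo "usage: $0 <directory-id> [region] [--delete]   (env: FREE_SLOTS, KEEP_MIN)" >&2
fi
```

Run it once without --delete and read the "Would delete" lines against the Start time and Name columns from describe-snapshots before applying; the retention floor (KEEP_MIN) is deliberately enforced even when it means fewer slots than FREE_SLOTS are freed.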
Verification
After deleting old snapshots:
- Return to the Maintenance tab of your directory in the AWS Console
- Verify the snapshot count has decreased
- Confirm you have at least 2-3 available slots remaining
CLI verification commands
Check snapshot limits after cleanup:
aws ds get-snapshot-limits \
--directory-id d-1234567890 \
--region us-east-1
Expected output should show ManualSnapshotsLimitReached: false and adequate remaining capacity:
{
"SnapshotLimits": {
"ManualSnapshotsLimit": 5,
"ManualSnapshotsCurrentCount": 2,
"ManualSnapshotsLimitReached": false
}
}
Additional Resources
- AWS Directory Service Quotas and Limits
- Creating a Snapshot of Your Directory
- Restoring Your Directory from a Snapshot
Notes
- Automatic snapshots: AWS Directory Service takes an automatic daily snapshot of each directory; these do not count against the manual snapshot limit. Use manual snapshots for pre-change recovery points rather than as your only backup.
- Least privilege for deletion: ds:DeleteSnapshot permanently removes a recovery point. Grant it only to the principals that perform cleanup, separately from those that take snapshots, and review CloudTrail for DeleteSnapshot events you did not initiate, since an attacker who can delete snapshots can remove your rollback options before doing damage.
- Snapshot retention policy: Establish a rotation policy to regularly clean up old snapshots (e.g., keep only the 3 most recent).
- Pre-change snapshots: Always ensure you have available capacity before making risky changes to your directory (schema modifications, OS updates).
- Snapshot lifecycle: Snapshots are point-in-time copies. Plan your retention based on your Recovery Point Objective (RPO) requirements.
- Limit increases: The manual snapshot limit is a hard limit and cannot be increased. Design your backup strategy around this constraint.
- Snapshot costs: Snapshots incur storage costs. Removing unneeded snapshots also reduces costs.