EBS Snapshot Lifecycle Policy
Overview
This check verifies that AWS regions containing EBS snapshots have at least one Data Lifecycle Manager (DLM) policy configured. DLM automates the creation, retention, and deletion of EBS snapshots, ensuring your backup strategy is consistent and hands-free.
Risk
Without automated snapshot management:
- Unreliable backups: Manual processes are error-prone and easy to forget
- Data loss exposure: Critical volumes may go unprotected
- Cost overruns: Old snapshots accumulate without cleanup
- Compliance gaps: Inconsistent retention makes audits difficult
- Recovery failures: When disaster strikes, you may not have the snapshots you need
Remediation Steps
Prerequisites
You need:
- AWS account access with permissions to create DLM policies
- An IAM role that DLM can use (AWS provides a default role, or you can create one)
IAM role setup details
AWS provides a default service role called AWSDataLifecycleManagerDefaultRole. If it does not exist in your account, you can create it:
- Go to IAM > Roles > Create role
- Select AWS service as the trusted entity
- Choose DLM - Data Lifecycle Manager as the use case
- Attach the AWSDataLifecycleManagerServiceRole managed policy
- Name it AWSDataLifecycleManagerDefaultRole
Alternatively, let DLM create it automatically when you create your first policy via the console.
AWS Console Method
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
- In the left navigation, under Elastic Block Store, click Lifecycle Manager
- Click Create lifecycle policy
- Choose a policy type:
- EBS snapshot policy (most common) - backs up individual EBS volumes
- EBS-backed AMI policy - creates full machine images
- Cross-account copy event policy - copies snapshots to another account
- For a basic EBS snapshot policy:
- Description: Enter a name like "Daily EBS Backups"
- IAM role: Select Default role (or choose a custom role)
- Target resource tags: Add a tag key/value that identifies volumes to back up (e.g., Backup = true)
- Schedule name: e.g., "DailySchedule"
- Frequency: Choose how often (e.g., every 24 hours)
- Starting at: Pick a low-traffic time (e.g., 03:00 UTC)
- Retention type: Choose Count (e.g., keep last 7 snapshots) or Age (e.g., delete after 30 days)
- Click Create policy
Tip: Tag your EBS volumes with the key/value you specified (e.g., Backup = true) so the policy knows which volumes to protect.
AWS CLI (optional)
Create a Basic Snapshot Lifecycle Policy
First, create a policy details JSON file:
cat > /tmp/dlm-policy-details.json << 'EOF'
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [
    {
      "Key": "Backup",
      "Value": "true"
    }
  ],
  "Schedules": [
    {
      "Name": "DailySnapshots",
      "CopyTags": true,
      "TagsToAdd": [
        {
          "Key": "CreatedBy",
          "Value": "DLM"
        }
      ],
      "CreateRule": {
        "Interval": 24,
        "IntervalUnit": "HOURS",
        "Times": ["03:00"]
      },
      "RetainRule": {
        "Count": 7
      }
    }
  ]
}
EOF
Then create the policy:
aws dlm create-lifecycle-policy \
--region us-east-1 \
--description "Daily EBS Snapshot Policy" \
--state ENABLED \
--execution-role-arn arn:aws:iam::<your-account-id>:role/AWSDataLifecycleManagerDefaultRole \
--policy-details file:///tmp/dlm-policy-details.json
Replace <your-account-id> with your 12-digit AWS account ID.
Create a Default Policy (Simpler Alternative)
AWS also supports "default policies" that automatically protect all EBS volumes without requiring tags:
aws dlm create-lifecycle-policy \
--region us-east-1 \
--description "Default EBS Snapshot Policy" \
--state ENABLED \
--execution-role-arn arn:aws:iam::<your-account-id>:role/AWSDataLifecycleManagerDefaultRole \
--default-policy VOLUME \
--create-interval 1 \
--retain-interval 7
This creates daily snapshots and retains them for 7 days.
List Existing Policies
aws dlm get-lifecycle-policies --region us-east-1
View Policy Details
aws dlm get-lifecycle-policy \
--region us-east-1 \
--policy-id policy-0123456789abcdef0
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: EBS Snapshot Lifecycle Policy
Parameters:
  TargetTagKey:
    Type: String
    Default: Backup
    Description: Tag key to identify volumes for backup
  TargetTagValue:
    Type: String
    Default: 'true'
    Description: Tag value to identify volumes for backup
  RetentionCount:
    Type: Number
    Default: 7
    Description: Number of snapshots to retain
Resources:
  DLMServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSDataLifecycleManagerDefaultRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: dlm.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole
  EBSSnapshotLifecyclePolicy:
    Type: AWS::DLM::LifecyclePolicy
    Properties:
      Description: Daily EBS Snapshot Policy
      State: ENABLED
      ExecutionRoleArn: !GetAtt DLMServiceRole.Arn
      PolicyDetails:
        PolicyType: EBS_SNAPSHOT_MANAGEMENT
        ResourceTypes:
          - VOLUME
        TargetTags:
          - Key: !Ref TargetTagKey
            Value: !Ref TargetTagValue
        Schedules:
          - Name: DailySnapshots
            CopyTags: true
            TagsToAdd:
              - Key: CreatedBy
                Value: DLM
            CreateRule:
              Interval: 24
              IntervalUnit: HOURS
              Times:
                - '03:00'
            RetainRule:
              Count: !Ref RetentionCount
Outputs:
  PolicyId:
    Description: DLM Policy ID
    Value: !Ref EBSSnapshotLifecyclePolicy
Deploy with (the template creates a role named AWSDataLifecycleManagerDefaultRole; if that role already exists in the account, remove the DLMServiceRole resource and set ExecutionRoleArn to the existing role's ARN instead, or stack creation will fail on the name conflict):
aws cloudformation deploy \
--region us-east-1 \
--template-file dlm-policy.yaml \
--stack-name ebs-snapshot-lifecycle-policy \
--capabilities CAPABILITY_NAMED_IAM
Terraform (optional)
# IAM role for DLM
resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "AWSDataLifecycleManagerDefaultRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "dlm.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "dlm_lifecycle" {
  role       = aws_iam_role.dlm_lifecycle_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole"
}

# DLM Lifecycle Policy
resource "aws_dlm_lifecycle_policy" "ebs_snapshot_policy" {
  description        = "Daily EBS Snapshot Policy"
  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]
    target_tags = {
      Backup = "true"
    }

    schedule {
      name = "DailySnapshots"
      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["03:00"]
      }
      retain_rule {
        count = 7
      }
      tags_to_add = {
        CreatedBy = "DLM"
      }
      copy_tags = true
    }
  }

  tags = {
    Name = "ebs-snapshot-lifecycle-policy"
  }
}

output "policy_id" {
  description = "DLM Policy ID"
  value       = aws_dlm_lifecycle_policy.ebs_snapshot_policy.id
}
Deploy with:
terraform init
terraform plan
terraform apply
Verification
After creating your policy:
- In the EC2 console, go to Lifecycle Manager
- Confirm your policy shows State: Enabled
- Check that the target tags match volumes you want to back up
To verify volumes are tagged correctly:
- Go to EC2 > Volumes
- Select a volume and check its tags
- Ensure the tag key/value matches your policy (e.g., Backup = true)
CLI verification commands
List all lifecycle policies:
aws dlm get-lifecycle-policies --region us-east-1
Check policy details:
aws dlm get-lifecycle-policy \
--region us-east-1 \
--policy-id <policy-id>
Find volumes matching your policy's target tags:
aws ec2 describe-volumes \
--region us-east-1 \
--filters "Name=tag:Backup,Values=true" \
--query 'Volumes[*].[VolumeId,Tags]' \
--output table
View recent snapshots created by DLM:
aws ec2 describe-snapshots \
--region us-east-1 \
--owner-ids self \
--filters "Name=tag:CreatedBy,Values=DLM" \
--query 'Snapshots[*].[SnapshotId,StartTime,VolumeId]' \
--output table
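The CLI commands above show the raw data; the following script, added here as an example and not part of the original check or of any AWS tooling, models the check from the Overview (snapshots present but no DLM policy) and the "target tags match volumes" step of the Verification section as offline logic. The dict shapes are assumed to mirror boto3's dlm.get_lifecycle_policy() and ec2.describe_volumes() responses, the PolicyLanguage == 'SIMPLIFIED' marker for default policies is an assumption about that response, and all sample data is constructed.

```python
"""Offline model of the EBS snapshot lifecycle check plus a tag-drift test.
Added example, not part of the original page; sample data is constructed."""


def region_status(snapshot_count, policies):
    """A region that owns snapshots needs >=1 DLM policy: PASS / FAIL / SKIP."""
    if snapshot_count == 0:
        return "SKIP"            # nothing to protect, the check does not apply
    return "PASS" if policies else "FAIL"


def policy_covers_volume(policy, volume_tags):
    """True if this ENABLED snapshot policy would select the volume.
    Assumption: a default (tagless) policy reports PolicyLanguage 'SIMPLIFIED'
    and matches every volume; a standard policy matches when ANY TargetTag
    key/value pair is present on the volume (tag comparison is case-sensitive)."""
    if policy.get("State") != "ENABLED":
        return False
    d = policy.get("PolicyDetails", {})
    if d.get("PolicyType", "EBS_SNAPSHOT_MANAGEMENT") != "EBS_SNAPSHOT_MANAGEMENT":
        return False             # e.g. an AMI policy does not snapshot volumes directly
    if d.get("PolicyLanguage") == "SIMPLIFIED":
        return True
    return any(volume_tags.get(t["Key"]) == t["Value"] for t in d.get("TargetTags", []))


def unprotected_volumes(volumes, policies):
    """IDs of volumes that no enabled policy would snapshot (tag drift)."""
    missing = []
    for vol in volumes:
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        if not any(policy_covers_volume(p, tags) for p in policies):
            missing.append(vol["VolumeId"])
    return missing


# Constructed sample: one tag-based policy (as in the CLI section), three volumes.
SAMPLE_POLICIES = [{"PolicyId": "policy-EXAMPLE", "State": "ENABLED",
                    "PolicyDetails": {"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
                                      "ResourceTypes": ["VOLUME"],
                                      "TargetTags": [{"Key": "Backup", "Value": "true"}]}}]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-ok", "Tags": [{"Key": "Backup", "Value": "true"}]},
    {"VolumeId": "vol-case", "Tags": [{"Key": "Backup", "Value": "True"}]},  # case drift
    {"VolumeId": "vol-none", "Tags": []},                                    # untagged
]

if __name__ == "__main__":
    print(region_status(12, SAMPLE_POLICIES))                      # PASS
    print(unprotected_volumes(SAMPLE_VOLUMES, SAMPLE_POLICIES))    # ['vol-case', 'vol-none']
```

To run it against a real account, feed it the output of the describe-snapshots, get-lifecycle-policy and describe-volumes calls shown above; a volume listed by unprotected_volumes() has a policy in the region but will never be snapshotted by it.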
Additional Resources
- Amazon Data Lifecycle Manager User Guide
- DLM Policy Elements Reference
- Automating Backups with DLM
- AWS DLM CLI Reference
Notes
- Tag your volumes: DLM policies target volumes by tags. Make sure your important volumes have the correct tags, or use a default policy to cover all volumes automatically.
- Cross-region copies: For disaster recovery, consider adding cross-region copy rules to your policy schedules.
- Cost awareness: Each snapshot incurs storage costs. Balance retention needs against cost by choosing appropriate retention counts or ages.
- Multiple policies: You can create multiple policies with different schedules (e.g., hourly for databases, daily for general workloads).
- Fast snapshot restore: For critical workloads needing fast recovery, consider enabling Fast Snapshot Restore (FSR) in your policy, though this adds cost.