Firstly, this is amazing, I use it on all my EC2s, so a huge thank you for making this open to everyone.

I've had it running for a while, but on my AWS there are about 20 EC2s running it, so as you can imagine, lots of snaps! Would it be easy/possible to make the Description and/or Tag overwritable, the default is ok, but not always easy to tie to a specific client (each client has their own EC2 in my set up).

If in the config there was a setting that you could put in a string, so my snaps could all be named by client (then the date is obviously visible on AWS Console anyway)

If I had any experience with shell scripts I'd happily add this in... but I don't at all (filthy PHP developer unfortunately haha).

Thanks again for this wonderful tool!

I'm reading how to backup mongo from an ebs volume and it suggests locking the db before doing a snapshot. It also suggests locking the filesystem if there's anything else on the volume. https://docs.mongodb.org/ecosystem/tutorial/backup-and-restore-mongodb-on-amazon-ec2/

I was wondering if there could be a way to trigger a lock and unlock before this cronjob runs. Has anyone run into issues where the snapshots aren't able to be used because there is data corrupted during the snapshot?

Hello
I got following error while executing the script
1.ebs-snapshot.sh.1: 7: set: Illegal option -o pipefail
I tried to comment the above line and try to execute it and I got below error
2.ebs-snapshot.sh.1: 51: ebs-snapshot.sh.1: Syntax error: redirection unexpected

Thanks
Mahesh

I was wondering how to get this script to run whilst in a docker container. This is currently what I have:
Dockerfile:

FROM    phusion/baseimage:0.9.16

# Installation:
RUN apt-get update
... install app

COPY ebs-snapshot.sh /other/ebs-snapshot.sh
ADD docker-start.sh /other/

RUN chmod +x /other/docker-start.sh

CMD ./other/docker-start.sh

docker-start.sh:

if [ "$EBS" = "backup" ]; then
  echo "Setting up ebs backup";
  chmod +x ebs-snapshot.sh
  # setup cron
  ( crontab -l 2>/dev/null | grep -Fv ebs-snapshot ; printf -- "55 22 * * *  AWS_CONFIG_FILE=\"/root/.aws/config\" /other/ebs-snapshot.sh\n" ) | crontab
fi

Yet it does not fire nightly. I can, however, create a snapshot if I bash into the docker container and manually call ebs-snapshot.sh

Have you considered the use of LVM snapshots or if LVM is not being used fsfreeze to make for a crash consistent volume?

Let's image we have two different types of servers: frontends and backends.

Your iam policy would allow an attack to delete all backend snapshots from the frontend?

Separating out the permission to create snapshots from deleting snapshots would improve security.

Currently, if this is running in a host and the host is compromised, the attacker would have permissions to delete all the snapshot backups of the host as well as the host itself. Not good.

With the broad recommended IAM permissions, an attacker with access to a single host running this tool could delete snapshots for any host in the AWS cluster.

On the other hand, the ability to for an atttacker to create new snapshots of the machines gains them little.

It's valuable for the "create" function to run within the host, so it can also do things like freeze the filesystem or a database. However, there's no requirement that the "delete" statement be run within the host.

For additional security, all the "snapshot expiration" for your cluster could be run externally. One approach someone used was to combine "Lamda functions" and "Cloudwatch alarms" to run tasks like "cron jobs" that were not tied to a particular host:

https://forums.aws.amazon.com/thread.jspa?messageID=674123#674123

Hi,

I have tested the script with command (sudo /opt/aws/ebs-snapshot.sh) and it works. But when I setup a crontab look like below in an AWS EC2 (AMI Linux)

*/1 * * * root AWS_CONFIG_FILE="/root/.aws/config" /opt/aws/ebs-snapshot.sh

No snapshot was created each minute.

Would you please help me fix the issue with this crontab?

When I follow the steps which you explained here is not working in ubuntu machine.
Here is the error I am getting while running it.

ebs-snapshot.sh: 5: set: Illegal option -o pipefail

Please Help me to solve this issue.

Thanks
Emkay

Hi
I am trying to use your script but i am facing issue with credentials.
It is not able to find credentials. Attached screenshot.

AWS CLI is installed. Attached screenshot.
How can I overcome this issue.?

I must have accidentally added a newline to the file. This was entirely on my end, please disregard. Thanks for this script - very helpful.

That's what I've been doing with your script for a while. Pull request forthcoming.