A Lambda function to manage Amazon EBS snapshots, reducing storage costs while maintaining safeguards against accidental deletion of important data.
- Cost Optimization: Automatically deletes old snapshots based on configurable retention periods
- Safety First: Multiple protection mechanisms to prevent deletion of critical snapshots
- Flexible Configuration: Customize retention policies through environment variables
- Comprehensive Logging: Detailed logging of all operations for auditability
- Dry Run Mode: Test configuration without actually deleting any snapshots
- Minimum Snapshot Retention: Always keeps a minimum number of snapshots per volume
- Tagged Protection: Snapshots with a protection tag are never deleted
- Critical Volume Protection: All snapshots from critical volumes are preserved
- In-use Snapshot Protection: Snapshots currently in use (e.g., by AMIs) are skipped
- AWS account with permissions to manage EBS snapshots
- Basic understanding of AWS Lambda and IAM roles
Create an IAM role for your Lambda function with the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
```
- Navigate to the AWS Lambda console
- Click "Create function"
- Select "Author from scratch"
- Configure basic settings:
  - Name: `ebs-snapshot-manager`
  - Runtime: Python 3.9 (or newer)
  - Architecture: x86_64
  - Permissions: Use the IAM role created in step 1
- Click "Create function"
- Copy the Python code from this repository into the code editor
- Configure environment variables (see Configuration section below)
- Set timeout to 5 minutes (300 seconds)
- Click "Deploy"
- Go to the "Configuration" tab in your Lambda function
- Click on "Triggers" in the left sidebar
- Click "Add trigger"
- Select "EventBridge (CloudWatch Events)"
- Create a new rule:
  - Rule name: `daily-snapshot-cleanup`
  - Rule type: Schedule expression
  - Schedule expression: `cron(0 3 * * ? *)` (runs daily at 3:00 AM UTC)
- Click "Add"
Configure the function using the following environment variables:
| Variable | Description | Default |
|---|---|---|
| `RETENTION_DAYS` | Number of days to keep snapshots | `30` |
| `MIN_SNAPSHOTS_TO_KEEP` | Minimum snapshots to retain per volume | `3` |
| `DRY_RUN` | Run in simulation mode without deletions | `True` |
| `PROTECTED_TAG_KEY` | Tag key used to mark protected snapshots | `ProtectSnapshot` |
| `PROTECTED_TAG_VALUE` | Tag value for protected snapshots | `true` |
| `CRITICAL_VOLUME_TAG_KEY` | Tag key for critical volumes | `CriticalVolume` |
| `CRITICAL_VOLUME_TAG_VALUE` | Tag value for critical volumes | `true` |
Add the following tag to any snapshot you want to protect:
- Key: `ProtectSnapshot`
- Value: `true`
Add the following tag to any volume whose snapshots should never be deleted:
- Key: `CriticalVolume`
- Value: `true`
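The selection logic behind the safeguards listed above (minimum retention per volume, protected tag, critical volume, in-use skip), as an added example that is not the repository's own Lambda code. It is a pure function over the item shapes returned by `describe_snapshots` / `describe_volumes`; the AMI-referenced snapshot IDs, the sample data and the `NOW` timestamp are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed defaults mirroring the README's environment variables.
RETENTION_DAYS = 30
MIN_SNAPSHOTS_TO_KEEP = 3
PROTECTED_TAG = ("ProtectSnapshot", "true")
CRITICAL_VOLUME_TAG = ("CriticalVolume", "true")

def has_tag(resource, tag):
    """True if an EC2 resource dict (describe_* shape) carries the Key/Value pair."""
    return any((t.get("Key"), t.get("Value")) == tag for t in resource.get("Tags", []))

def select_deletions(snapshots, volumes, in_use_snapshot_ids, now,
                     retention_days=RETENTION_DAYS, min_keep=MIN_SNAPSHOTS_TO_KEEP):
    """Return (delete_ids, skipped_reasons); snapshots/volumes use the describe_*
    item shape and in_use_snapshot_ids are snapshot IDs referenced by AMIs."""
    critical = {v["VolumeId"] for v in volumes if has_tag(v, CRITICAL_VOLUME_TAG)}
    cutoff = now - timedelta(days=retention_days)
    by_volume = defaultdict(list)
    for s in snapshots:
        by_volume[s["VolumeId"]].append(s)
    delete_ids, skipped = [], {}
    for vol_id, group in by_volume.items():
        group.sort(key=lambda s: s["StartTime"], reverse=True)  # newest first
        for rank, s in enumerate(group):
            sid = s["SnapshotId"]
            if has_tag(s, PROTECTED_TAG):
                skipped[sid] = "protected-tag"
            elif vol_id in critical:
                skipped[sid] = "critical-volume"
            elif sid in in_use_snapshot_ids:
                skipped[sid] = "in-use"
            elif rank < min_keep:
                skipped[sid] = "min-retention"  # the N newest always survive
            elif s["StartTime"] > cutoff:
                skipped[sid] = "within-retention"
            else:
                delete_ids.append(sid)
    return delete_ids, skipped

# Constructed sample: one volume, seven snapshots 9 days apart, oldest protected.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [{"SnapshotId": f"snap-{i}", "VolumeId": "vol-a",
                     "StartTime": NOW - timedelta(days=9 * i), "Tags": []}
                    for i in range(7)]
SAMPLE_SNAPSHOTS[6]["Tags"] = [{"Key": "ProtectSnapshot", "Value": "true"}]
SAMPLE_VOLUMES = [{"VolumeId": "vol-a", "Tags": []}]
```

The caller iterates `delete_ids` and calls `ec2.delete_snapshot` only when `DRY_RUN` is false; `skipped` supplies the per-snapshot reason to log for auditability.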
- Deploy the Lambda function using the steps above
- First run with `DRY_RUN` set to `True` to validate behavior
- Review CloudWatch logs to see which snapshots would be deleted
- Once satisfied, set `DRY_RUN` to `False` to enable actual deletion
The function logs detailed information about its operations. To view logs:
- Go to the AWS CloudWatch console
- Navigate to "Log groups"
- Find the log group named `/aws/lambda/ebs-snapshot-manager`
- Click on the latest log stream to view execution details
- Start Conservatively: Begin with longer retention periods and more minimum snapshots
- Tag Critical Resources: Proactively tag important volumes and snapshots
- Monitor Regularly: Check logs after each execution
- Audit Periodically: Review protected resources quarterly
No snapshots are being deleted
- Check if `DRY_RUN` is set to `True`
- Verify retention period isn't too long
- Look for tag-based protections that might be preventing deletion
Lambda timing out
- Increase the Lambda timeout setting
- Consider adding pagination if you have thousands of snapshots
Permission errors
- Verify IAM role has proper permissions
- Check for resource-based policies restricting access
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.