Lock a snapshot


Lock a snapshot with WORM protection to prevent deletion until the lock expires or is removed during the cooling-off period.

Key concepts

Lock duration

Valid values: 1 to 36,500 days. The lock must expire on or before the end of the snapshot retention period. If needed, extend the snapshot retention period before locking. The snapshot is automatically unlocked when the lock duration ends.

Cooling-off period

An optional buffer (0 to 72 hours) before the lock becomes active, included in the total lock duration. During this period, users with specific permissions can unlock the snapshot or modify the lock settings. After the cooling-off period ends, only lock duration extension is allowed. No user can delete or unlock the snapshot until the lock expires.

Lock state

  • compliance-cooloff: The snapshot is in the cooling-off period. Authorized users can unlock the snapshot.

  • compliance: The lock is active. The snapshot cannot be unlocked or deleted. Only authorized users can extend the lock duration.

  • expired: The lock has expired. The snapshot is unlocked and can be deleted.

Usage notes

  • After the cooling-off period ends, the lock becomes active. No user can delete or unlock the snapshot, including in the following scenarios:

    • Manual deletion: No user can manually delete or unlock a locked snapshot, regardless of permissions.

    • Disk release (if you select to release automatic snapshots with the disk): Locked snapshots are not deleted when the disk is released.

    • Custom image deletion: Associated locked snapshots are not deleted when the custom image is deleted.

    • Automatic snapshot limit reached: The system skips locked snapshots and deletes the oldest unlocked snapshot. If all automatic snapshots are locked, new automatic snapshots cannot be created.

  • If your account has an overdue payment, the standard ECS process for overdue payments applies. A locked snapshot can still be deleted if your account has an overdue payment for an extended period.

  • Copying a locked snapshot does not carry over the lock attribute to the new snapshot.

  • Archiving a locked snapshot requires the archive-layer retention period to be greater than or equal to the lock expiration time.

Scope

  • Snapshot source: Cloud Backup snapshots and snapshots shared from other accounts cannot be locked.

  • Snapshot status: You can only lock snapshots that are in the Available state.

Access control

Only users with specific permissions can modify, view, or unlock snapshot locks.

  1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account or a RAM user that has AliyunRAMFullAccess permissions.

  2. In the navigation pane, choose Permission Management > Permission Policy. Click Create Policy. On the Script Editor tab, enter the policy content.

    Create custom policies for each operation and grant them to users. Replace <regionId>, <primary accountID>, and <snapshotId> with your actual values.

    • Lock a snapshot or modify a lock during the cooling-off period

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ecs:LockSnapshot",
            "Resource": "acs:ecs:<regionId>:<primary accountID>:snapshot/<snapshotId>"
          }
        ],
        "Version": "1"
      }
    • Unlock a snapshot during the cooling-off period

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ecs:UnlockSnapshot",
            "Resource": "acs:ecs:<regionId>:<primary accountID>:snapshot/<snapshotId>"
          }
        ],
        "Version": "1"
      }
    • View snapshot lock configurations

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ecs:DescribeLockedSnapshots",
            "Resource": "acs:ecs:<regionId>:<primary accountID>:snapshot/<snapshotId>"
          }
        ],
        "Version": "1"
      }
  3. In the navigation pane, choose Identity Management > User. Click the target user's logon name. Choose Permissions > Grant Permission. Select the policy you created and click Confirm.
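Because unlocking is only possible for principals that hold these actions, it is worth reviewing which policies grant them and how widely. The following is an added example, not Alibaba Cloud code: it audits RAM policy JSON for the three actions above and reports whether each grant is scoped to one snapshot or uses a wildcard. The function names and sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The three lock-related actions named on the page.
LOCK_ACTIONS = ("ecs:LockSnapshot", "ecs:UnlockSnapshot",
                "ecs:DescribeLockedSnapshots")

# Constructed sample policies (account ID and snapshot ID are made up).
SCOPED = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": "ecs:UnlockSnapshot",
  "Resource": "acs:ecs:cn-hangzhou:1234567890123456:snapshot/s-example0001"}]}"""
BROAD = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ecs:Describe*", "ecs:*Snapshot"], "Resource": "*"}]}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _scope(resource):
    """Classify a resource as 'scoped', 'broad', or None (not a snapshot)."""
    target = resource.split(":")[-1]          # e.g. "snapshot/s-123" or "*"
    if target.startswith("snapshot/"):
        return "broad" if "*" in target else "scoped"
    return "broad" if "*" in target.split("/")[0] else None


def audit_policy(policy_text):
    """Return sorted (action, scope) pairs granted by Allow statements."""
    found = set()
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        scopes = {_scope(r) for r in _as_list(stmt.get("Resource", []))} - {None}
        for action in LOCK_ACTIONS:
            # Wildcards in Action are honoured; case is ignored to over-report
            # rather than miss a grant (a conservative assumption).
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                found.update((action, s) for s in scopes)
    return sorted(found)
```

A `broad` result for `ecs:UnlockSnapshot` means the principal can remove any cooling-off lock in scope, not just the snapshot it was meant to manage.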

Lock a snapshot

  1. Go to the ECS console - Snapshots page. Select the resource group and region.

  2. On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose [icon] > Lock Snapshot.

  3. In the Lock Snapshot dialog box, configure the parameters, select the confirmation checkbox, and click Confirm.

    • Lock Duration: Customizable. Valid values: 1 to 36,500 days. Includes the cooling-off period. After the cooling-off period, the lock becomes active and no user can delete the snapshot.

    • Cooling-off Period: Customizable. Valid values: 0 to 72 hours. During this period, authorized users can unlock or modify the lock.

      Important: If set to 0, the lock takes effect immediately. No user can delete or unlock the snapshot until the lock expires.

  4. If the lock duration exceeds 3 years, read and confirm the lock notice in the dialog.

  5. On the Disk Snapshots tab, check the Attribute column for the lock status.

    • Lock Cooling-off Period: The snapshot is in the cooling-off period. Hover to view the lock effective time and expiration time.

    • Locked: The lock is active. Hover to view the expiration time.

Unlock a snapshot

Unlocking is only available during the cooling-off period. After the snapshot enters the Locked state, it cannot be unlocked.

  1. Go to the ECS console - Snapshots page. Select the resource group and region.

  2. On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose [icon] > Unlock Snapshot.

  3. In the Unlock Snapshot dialog box, verify the snapshot information and click Confirm.

    Important

    An unlocked snapshot is no longer protected and can be deleted. Evaluate the risks before proceeding.

Modify a lock

During the cooling-off period

Reset the lock configuration to modify the lock.

  1. Go to the ECS console - Snapshots page. Select the resource group and region.

  2. On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose [icon] > Modify Lock.

  3. In the Modify Lock dialog box, configure the parameters, select the confirmation checkbox, and click OK.

    The lock expiration time and cooling-off period are recalculated based on the new settings.

During the lock period

Important

During the lock period, only lock duration extension is allowed.

  1. Go to the ECS console - Snapshots page. Select the resource group and region.

  2. On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose [icon] > Modify Lock.

  3. In the Modify Lock dialog box, reconfigure the lock, select the confirmation checkbox, and click OK.

    The lock expiration time is recalculated based on the new lock duration.
