When you create an instance, enable an automatic snapshot policy for its disks to periodically back up important data.
Security risks
Business data stored on disks is exposed to multiple threats that can cause data corruption or permanent data loss:
Human error: Accidental file deletion, disk formatting, or incorrect configurations.
Malicious attacks: Ransomware that encrypts data, or hackers who delete or tamper with data after an intrusion.
Software and application faults: Application bugs or system crashes that can cause inconsistent data writes or data corruption.
Hardware failures: Any physical device can fail, although this is unlikely.
Best practices
An automatic snapshot policy periodically creates snapshots for specified disks. This practice helps prevent data loss and improves system reliability and stability.
Console
When you create an instance on the instance buy page, the Snapshot setting applies a default automatic snapshot policy to the system disk and data disks.
If the default policy does not meet your requirements, click Create Automatic Snapshot Policy. After the policy is created, you can select it.
API
Call the CreateAutoSnapshotPolicy operation to create an automatic snapshot policy. Use the timePoints parameter to specify the backup times, the repeatWeekdays parameter to specify the backup schedule, and the retentionDays parameter to specify the retention period for the automatic snapshots. A successful request returns the automatic snapshot policy ID, AutoSnapshotPolicyId.
When you create an instance by calling the RunInstances or CreateInstance operation, use the SystemDisk.AutoSnapshotPolicyId parameter to specify the automatic snapshot policy for the system disk and the DataDisk.X.AutoSnapshotPolicyId parameter to specify the automatic snapshot policy for data disks.
After the snapshot policy takes effect, the system automatically creates data backups. You can then recover historical data from these snapshots. For more information, see Roll back a disk using a snapshot.
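The following is an added example, not code from this page or from the ECS SDK. It builds the CreateAutoSnapshotPolicy request parameters with validation, builds the RunInstances disk parameters that attach the returned policy ID to every disk, and audits a constructed disk list (shaped like a DescribeDisks response; the disk records and policy ID are assumed sample values) for disks with no policy attached, which is the condition the compliance check reports as Failed.

```python
import json

# Constructed sample shaped like a DescribeDisks response; not a real API capture.
SAMPLE_DISKS = [
    {"DiskId": "d-sys-001", "InstanceId": "i-001", "Type": "system", "AutoSnapshotPolicyId": "sp-sample"},
    {"DiskId": "d-data-001", "InstanceId": "i-001", "Type": "data", "AutoSnapshotPolicyId": ""},
    {"DiskId": "d-sys-002", "InstanceId": "i-002", "Type": "system", "AutoSnapshotPolicyId": ""},
]


def build_create_policy_params(region_id, hours, weekdays, retention_days):
    """Return the CreateAutoSnapshotPolicy parameters.

    timePoints and repeatWeekdays are JSON-array strings of hours ("0"-"23")
    and weekdays ("1"-"7", Monday to Sunday); retentionDays is -1 to keep
    snapshots permanently, otherwise a positive number of days.
    """
    if not hours or any(h < 0 or h > 23 for h in hours):
        raise ValueError("timePoints must be hours in the range 0-23")
    if not weekdays or any(d < 1 or d > 7 for d in weekdays):
        raise ValueError("repeatWeekdays must be weekdays in the range 1-7")
    if retention_days != -1 and retention_days < 1:
        raise ValueError("retentionDays must be -1 or a positive number of days")
    return {
        "RegionId": region_id,
        "timePoints": json.dumps([str(h) for h in sorted(set(hours))]),
        "repeatWeekdays": json.dumps([str(d) for d in sorted(set(weekdays))]),
        "retentionDays": retention_days,
    }


def instance_disk_params(policy_id, data_disk_count):
    """RunInstances parameters that attach one policy to the system disk and each data disk."""
    params = {"SystemDisk.AutoSnapshotPolicyId": policy_id}
    for n in range(1, data_disk_count + 1):
        params[f"DataDisk.{n}.AutoSnapshotPolicyId"] = policy_id
    return params


def find_unprotected_disks(disks):
    """Mirror the 'Enable Automatic Snapshot Policy' check: a disk fails when no policy ID is set."""
    return [d["DiskId"] for d in disks if not d.get("AutoSnapshotPolicyId")]


if __name__ == "__main__":
    print(build_create_policy_params("cn-hangzhou", [1, 8], [1, 7], 30))
    print(instance_disk_params("sp-sample", 2))
    print("unprotected:", find_unprotected_disks(SAMPLE_DISKS))
```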
Compliance capabilities
Check: Check whether automatic snapshot policies are enabled for disks
ECS Insight
Go to ECS Insight.
Select the Reliability tab. Click the Snapshots Created Within Previous 7 Days check item to determine whether snapshots were created for your disks in the last 7 days.
Security Center
Go to the Security Center console.
In the navigation pane on the left, choose . Select the Cloud Service Configuration Risk tab. Find the Enable Automatic Snapshot Policy check and click Scan in the Actions column.
If the status is Failed, it means that an automatic snapshot policy is not enabled for one or more instances. Click Details to view the instances.
Intercept: Prohibit the creation of ECS instances without an automatic snapshot policy
This policy is in invitational preview and is available only in the China (Chengdu), China (Ulanqab), and China (Hohhot) regions.
To meet security and compliance requirements for data protection against threats such as ransomware, you can enforce periodic backups. ECS lets you configure a Resource Access Management (RAM) policy to require that all new instances have an automatic snapshot policy attached to their system and data disks. This restriction applies to specified RAM users and RAM roles. When a restricted user tries to create an instance or a disk, ECS checks whether an automatic snapshot policy is included in the request. The check result is sent to RAM for authentication. If the request does not meet the policy's conditions, RAM denies the request, and the disk is not created.
For enterprise users:
Log on to the Resource Directory console using an Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ecs:IsDiskAutoSnapshotPolicyEnabled": "*false*"
                }
            },
            "Effect": "Deny"
        },
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:IsSystemDiskAutoSnapshotPolicyEnabled": "false"
                }
            },
            "Effect": "Deny"
        }
    ]
}
In Resource Directory, attach the policy to the appropriate folder or member. The policy then blocks non-compliant requests from all accounts in the folder or from the specified member.
For individual users:
Log on to the RAM console using an Alibaba Cloud account. In the navigation pane on the left, click Policies. Create a custom policy that contains the same JSON content as shown in the preceding step.
Attach the policy to the required RAM users, RAM user groups, or RAM roles. For more information, see Grant permissions to a RAM user.
Fix: Set an automatic snapshot policy for a disk
If a check finds that an automatic snapshot policy is not enabled for some instances, you can set an automatic snapshot policy for the disks.