All Products
Search
Document Center

Elastic Compute Service:Enable automatic snapshot policies

Last Updated:May 15, 2026

Enable automatic snapshot policies for disks to prevent data loss from human error, malware, or hardware failures.

Security risks

Disk data faces multiple threats that can cause corruption or permanent loss:

  • Human error: accidental file deletion, disk formatting, or incorrect configurations.

  • Malicious attacks: ransomware that encrypts data, or hackers who delete or tamper with data.

  • Software faults: application bugs or system crashes that cause inconsistent writes or data corruption.

  • Hardware failures: physical devices can fail, although this is unlikely.

Best practices

An automatic snapshot policy periodically creates snapshots for specified disks to prevent data loss and improve reliability.

Console

When you create an instance on the instance buy page, the Snapshot section applies an automatic snapshot policy to the system disk and data disks.

If the default policy does not meet your requirements, click Create Automatic Snapshot Policy to create and select a custom policy.

API

  1. Call CreateAutoSnapshotPolicy to create an automatic snapshot policy. Use timePoints to specify backup times, repeatWeekdays for the backup schedule, and retentionDays for the retention period. A successful request returns AutoSnapshotPolicyId.

  2. When you create an instance by calling RunInstances or CreateInstance, use SystemDisk.AutoSnapshotPolicyId for the system disk and DataDisk.X.AutoSnapshotPolicyId for data disks.

After the policy takes effect, the system automatically creates backups. You can then roll back a disk using a snapshot to recover historical data.

Compliance capabilities

Check whether automatic snapshot policies are enabled

ECS Insight

  1. Go to ECS Insight.

  2. On the Reliability tab, click Snapshots Created Within Previous 7 Days to check whether snapshots were created for your disks in the last 7 days.

Security Center

  1. Go to the Security Center console.

  2. In the left-side navigation pane, choose Risk Governance > CSPM. On the Cloud Service Configuration Risk tab, find Enable Automatic Snapshot Policy and click Scan in the Actions column.

    If the status is Failed, an automatic snapshot policy is not enabled for one or more instances. Click Details to view the affected instances.

Intercept: Block ECS instance creation without an automatic snapshot policy

Important

This policy is in invitational preview and is available only in the China (Chengdu), China (Ulanqab), and China (Hohhot) regions.

To enforce data protection against threats such as ransomware, you can require that all new instances have an automatic snapshot policy. ECS lets you configure a RAM policy that requires an automatic snapshot policy for system and data disks of new instances. This restriction applies to specified RAM users and RAM roles. When a restricted user creates an instance or a disk, ECS checks whether an automatic snapshot policy is included in the request. The check result is sent to RAM for authentication. If the request does not meet the policy conditions, RAM denies the request.

  • For enterprise users:

    1. Log on to the Resource Directory console with an Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Create a custom policy and paste the following JSON content.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:IsDiskAutoSnapshotPolicyEnabled": "*false*"
              }
            },
            "Effect": "Deny"
          },
          {
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "ecs:IsSystemDiskAutoSnapshotPolicyEnabled": "false"
              }
            },
            "Effect": "Deny"
          }
        ]
      }
    2. In Resource Directory, attach the policy to the target folder or member. The policy blocks non-compliant requests from all accounts in the folder or from the specified member.

  • For individual users:

    1. Log on to the RAM console with an Alibaba Cloud account. In the left-side navigation pane, click Permission Policy. Create a custom policy with the same JSON content as above.

    2. Attach the policy to the required RAM users, RAM user groups, or RAM roles. See Grant permissions to a RAM user.

Fix: Enable an automatic snapshot policy for a disk

If a check finds that no automatic snapshot policy is enabled, set an automatic snapshot policy for the disks.