Snapshot locking provides a Write Once, Read Many (WORM) capability that prevents data from being deleted or modified. When a snapshot is locked, no user can delete it. To delete the snapshot, you must unlock it or wait for the lock to expire. This feature helps protect data against accidental deletion and malicious activity. You can use a locked snapshot in the same way as an unlocked snapshot.
Core concepts
Lock duration
You can set the lock duration from 1 to 36,500 days. The lock must expire on or before the snapshot’s retention period expires. If needed, you can first extend the snapshot retention period and then lock the snapshot. The snapshot is automatically unlocked when the lock duration ends.
Cooling-off period
The cooling-off period is an optional buffer before a snapshot lock becomes active. You can set its duration from 0 to 72 hours. This period is included in the total lock duration and cannot exceed it. During the cooling-off period, users with specific permissions can unlock the snapshot or modify the lock settings, including the cooling-off period and lock duration. After the cooling-off period ends, the snapshot becomes locked. At that point, you can only extend the lock duration. No user can delete or unlock the snapshot until the lock expires.
Lock state
compliance-cooloff: The snapshot is in the cooling-off period. Users with specific permissions can unlock the snapshot.
compliance: The lock is active. The snapshot cannot be unlocked or deleted. Only users with specific permissions can extend the lock duration.
expired: The previous lock on the snapshot has expired. The snapshot is not currently locked and can be deleted.
Usage notes
After the cooling-off period ends, the lock becomes active. No user can delete or unlock the snapshot. This includes the following scenarios:
Manual deletion: No user, regardless of their permissions, can manually delete or unlock a locked snapshot.
Disk release (if you select to release automatic snapshots with the disk): Locked snapshots are not deleted when the disk is released.
Custom image deletion: Associated locked snapshots are not deleted when the custom image is deleted.
Automatic snapshot limit reached: When new automatic snapshots are created, locked snapshots are skipped. The system deletes the oldest unlocked snapshot. If all automatic snapshots are locked, new automatic snapshots cannot be created.
If your account has an overdue payment, the standard ECS process for overdue payments applies. A locked snapshot can still be deleted if your account has an overdue payment for an extended period.
You can copy a locked snapshot, but the new snapshot does not inherit the lock attribute.
You can archive a locked snapshot, but the retention period for the archive layer must be greater than or equal to the lock expiration time.
Scope
Snapshot source: You cannot lock Cloud Backup snapshots or snapshots shared from other accounts.
Snapshot status: You can only lock snapshots that are in the Available state.
Access control
Only users with specific permissions can modify, view, and unlock snapshots.
Log on to the Resource Access Management (RAM) console using an Alibaba Cloud account or a RAM user that has administrative permissions (
AliyunRAMFullAccess).In the navigation pane, choose . Click Create Policy. On the Script Editor tab, add the policy content.
Create custom policies for different operations and grant the permissions to users. Replace
<regionId>,<accountId>, and<snapshotId>in the policies with your actual values.Lock a snapshot or modify a lock during the cooling-off period
{ "Statement": [ { "Effect": "Allow", "Action": "ecs:LockSnapshot", "Resource": "acs:ecs:<regionId>:<accountId>:snapshot/<snapshotId>" } ], "Version": "1" }Unlock a snapshot during the cooling-off period
{ "Statement": [ { "Effect": "Allow", "Action": "ecs:UnlockSnapshot", "Resource": "acs:ecs:<regionId>:<accountId>:snapshot/<snapshotId>" } ], "Version": "1" }View snapshot lock configurations
{ "Statement": [ { "Effect": "Allow", "Action": "ecs:DescribeLockedSnapshots", "Resource": "acs:ecs:<regionId>:<accountId>:snapshot/<snapshotId>" } ], "Version": "1" }
In the navigation pane on the left, choose . Click the logon name of the target user to go to the user details page. On the . Select the policy that you created and click Confirm.
Lock a snapshot
Go to the ECS console - Snapshots page. In the upper-left corner, select the resource group and region of the target resource.
On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose
> Lock Snapshot.In the Lock Snapshot dialog box, set the parameters. Then, select the checkbox to confirm the lock information and click OK.
Parameter
Description
Lock Duration
The value can be from 1 to 36,500 days. This includes the cooling-off period. After the cooling-off period, the lock becomes active, and no user can delete the snapshot.
Cooling-off Period
The value can be from 0 to 72 hours. During the cooling-off period, users with specific permissions can unlock or modify the lock.
ImportantIf you set this to 0, the snapshot lock takes effect immediately. No user can delete or unlock the snapshot until the lock expires.
Return to the Disk Snapshots tab. In the Attributes column for the target snapshot, view the current lock status.
Lock Cooling-off Period: The snapshot is in the lock cooling-off period. Hover over this status to view the lock effective time and expiration time.
Locked: The lock is active. Hover over this status to view the lock expiration time.
Unlock a snapshot
You can unlock a snapshot only during the cooling-off period. You cannot unlock a snapshot after it enters the Locked state.
Go to the ECS console - Snapshots page. In the top-left corner, select the resource group and region for the target resource.
On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose
> Unlock Snapshot.In the Unlock Snapshot dialog box, verify the snapshot information and click OK.
ImportantAfter a snapshot is unlocked, it is no longer protected by the lock and can be accidentally deleted. Evaluate the risks before you proceed.
Modification lock
During the cooling-off period
You can modify the lock by resetting the lock configuration.
Go to the ECS console - Snapshots page. In the top-left corner, select the resource group and region for the target resource.
On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose
> Modify Lock.In the Modify Lock dialog box, set the parameters. Then, select the checkbox to confirm the lock information and click OK.
The lock expiration time and cooling-off period are recalculated based on the new settings and the current time.
During the lock period
During the lock period, you can only extend the lock duration.
Go to the ECS console - Snapshots page. In the top-left corner, select the resource group and region for the target resource.
On the Disk Snapshots tab, find the target snapshot. In the Actions column, choose
> Modify Lock.In the Modify Lock dialog box, reconfigure the lock. Then, select the checkbox to confirm the lock information and click OK.
The lock expiration time is recalculated based on the specified lock duration and the current time.
References
Call the LockSnapshot API operation to lock a snapshot or modify a lock during the cooling-off period.
Call the UnlockSnapshot API operation to unlock a snapshot during the cooling-off period.
Call the DescribeLockedSnapshots API operation to view snapshot lock configurations.