itsecureadmin.com

Delete Orphaned AMI-Related Snapshots

by

Josh
in

I recently worked with a client where there were a number of Amazon EC2 AMIs where not all of the disk volumes were set to delete on termination. This caused quite a few snapshots to become orphaned when the associated AMI was deleted. This was discovered when there were hundreds of snapshots and no active snapshot plan.

To fix this issue, I wrote a script that will loop through all snapshots that have been created as part of a AMI and deleting them if that AMI no longer exists.

Note that this process should be used with a process to set all volumes to delete on termination to prevent future orphans.

This script requires the EC2 command line tools.

Note that you should be 100% comfortable with this script before running it as it will delete snapshots. On the other hand, they are only snapshots, it will not delete EC2 instances.

#!/bin/bash

images=$(ec2-describe-images  | awk '/IMAGE/ {print $2}')
invalid_count=0
valid_count=0

IFS='
'

for snapshot in $(ec2-describe-snapshots)
do
  snapshotid=$(echo ${snapshot} | sed -n 's/.*\(snap-[a-z0-9]\{4,8\}\).*/\1/p')
  amiid=$(echo ${snapshot} | sed -n 's/.*\(ami-[a-z0-9]\{4,8\}\).*/\1/p')

  if [ -z ${amiid} ]
  then
    # not related to AMI
    continue;
  fi  

  valid=$(echo ${images} | egrep -c ${amiid})
  if [ "${valid}" -gt 0 ] 
  then
    valid_count=$((valid_count+1))
  else
    echo "Deleting orphaned snapshot ${snapshotid} which belongs to non-existent AMI ${amiid}"
    invalid_count=$((invalid_count+1))
    ec2-delete-snapshot ${snapshotid}
  fi  

done

unset IFS

echo "Valid snapshots:  ${valid_count}"
echo "Invalid snapshots:  ${invalid_count}"

exit 0;

Let me know if you find any issues.

– josh

Comments

12 responses to “Delete Orphaned AMI-Related Snapshots”

  1. RB Avatar
    RB

    Hi, very useful script– thank you. Note that snapshot ideas are now longer I think than when you wrote this script. To get this to work, I needed to modify the sed command to look for a longer numeric. Some of our latest snapshot ids are now up to 17 numerical characters now e.g. “snap-04340bca1d41104db”

  2. Paul Avatar
    Paul

    Hi Josh,

    I saw this script. My requirement is to delete the snapshots which does not show the AMI. I want to delete the snapshots which dont have AMI exists on AWS. Will this script work?.

  3. Josh Avatar
    Josh

    Hi Paul,

    Yes, that is what this script does. Based on RB’s comment, I need to update the script to work with the longer snapshot IDs that have recently become standard in AWS. I will get the script updated shortly.

    Thanks,
    Josh

  4. Josh Avatar
    Josh

    I’ve posted an updated script to delete orphan snapshots here:

    https://github.com/itsecureadmin/cloud-utilities/blob/master/bin/aws-snapshot-audit.sh

    Let me know how it works for you. All IDs should support very long IDs.

    Thanks,
    Josh

  5. sumit Avatar
    sumit

    Hi,
    How can i delete the orphan Snapshot from the AWS dashboard not using the command line?

    Thanks for your help
    Thanks

  6. Josh Avatar
    Josh

    Hi Sumit,

    Using the AWS Dashboard, I would go through this process:
    1. for each snapshot that exists
    2. check the snapshot description to see which AMI it is associated with (if any)
    3. if it is associated with an AMI, check to see if that AMI exists
    4. if the AMI that the snapshot was associated with does not exist
    5. this is an orphan snapshot that you may want to delete

    Using the command line is so much faster and more accurate than using the dashboard so I recommend using the command line whenever possible.

    Any time you have a manual process, you introduce increased potential for error.

    Thanks,
    Josh

  7. Pooja Avatar
    Pooja

    The git address you mentioned is wrong. This is the correct address I guess:
    https://github.com/itsecureadmin/cloud-utilities/blob/master/bin/aws-snapshot-audit.sh

  8. Josh Avatar
    Josh

    Thanks for the assist, Pooja.

  9. Db Avatar
    Db

    Hello josh,
    I have orphaned snapshots which were created from AMI of instances. I have deregister the AMI and snapshots were still in my account. I tried to run you script but it dint delete those snapshots whose AMIs were not existing.
    I even tried to terminate the instance and then run script. it dint work for me and give valid and invalid snapshots as 0.
    ——–
    ++ echo ‘SNAPSHOTS Created by CreateImage(i-0a07bxxxxxc58a7) for ami-047xxxxeb2f50 from vol-078xxxxxb5da61 False 734xxxx822 100% snap-04eb3xxxxx4bd5e21 2018-09-19T02:35:10.000Z completed vol-078dxxxxx8b5da61 8’
    ++ sed -n ‘s/.*\(ami-[a-z0-9]\+\).*/\1/p’
    + amiid=
    + ‘[‘ -z ‘]’
    —————–

    can you please guide me?

  10. Josh Avatar
    Josh

    Hi DB,

    I have sent you an email with a request for more information.

    Thanks,
    Josh

  11. AMOL Avatar
    AMOL

    Hello Josh,

    I am creating daily backups of AMI and deleting de-register the 3 days older backup’s using scripts. The older AMI gets de-registered but the snapshots attached to them don’t get deleted.

    Can you help me in this.

  12. Josh Avatar
    Josh

    Hi Amol,

    This problem is usually due to the EC2 instance(s) that you are taking the AMI image from not having the EBS volumes set to terminate on delete, which causes the snapshots to remain when you delete the AMI.

    The solution that I use is to run a script to ensure that all volumes are set to terminate on delete, and then run another script to delete orphan snapshots that have been previously been associated with an AMI.

    I have a set of scripts here that I use:
    https://github.com/itsecureadmin/cloud-utilities

Leave a Reply

Your email address will not be published. Required fields are marked *