EC2 Recycle Bin doesn’t actually "recover" deleted EBS snapshots; it intercepts the delete operation and holds them for a configurable retention period, allowing you to restore them before they’re permanently purged.

Let’s see this in action. Imagine you’ve accidentally deleted a critical EBS snapshot, snap-0123456789abcdef0. Without the Recycle Bin configured, this snapshot is gone forever, and your only recourse is to restore from an older snapshot or a volume backup, potentially losing hours of recent data.

With Recycle Bin, when you initiate a delete for a snapshot that’s being protected, the system doesn’t immediately obliterate it. Instead, it moves the snapshot into a "restorable" state within the Recycle Bin. You can then see this snapshot listed in the Recycle Bin console or via the AWS CLI, with its original ID and a new "Recycle Bin ID." From here, you can initiate a "restore" operation, which essentially moves the snapshot back into your regular EBS snapshot storage, making it available for creating new volumes just as if it had never been deleted.

The Recycle Bin works by hooking into the EBS DeleteSnapshot API call. When a snapshot is tagged for protection or is part of a Recycle Bin policy, the API call is intercepted. Instead of proceeding with deletion, the snapshot’s metadata is updated to indicate it’s in the Recycle Bin, and its data is preserved. A retention rule, defined either globally or per policy, dictates how long the snapshot remains in this protected state. After this period expires, the snapshot is then permanently deleted.

To set this up, you first need to enable the Recycle Bin for EBS snapshots. This is a one-time global enablement.

aws recyclebin enable-ebs-snapshot-protection --region us-east-1

Once enabled, you can create a Recycle Bin policy to define retention rules. Policies can be applied to specific snapshots using tags.

{
  "Description": "Retain daily snapshots for 7 days",
  "ResourceType": "EBS_SNAPSHOT",
  "ResourceTags": [
    {
      "ResourceTagKey": "BackupType",
      "ResourceTagValue": "Daily"
    }
  ],
  "RetentionPeriod": {
    "RetentionPeriodValue": 7,
    "RetentionPeriodUnit": "DAYS"
  },
  "Tags": [
    {
      "Key": "Name",
      "Value": "daily-backup-retention"
    }
  ]
}

You’d then create this policy:

aws rbin create-rule --cli-input-json file://policy.json --region us-east-1

Now, any snapshot you create with the tag BackupType: Daily will be protected by this policy. If you (or an automated process) try to delete it:

aws ec2 delete-snapshot --snapshot-id snap-0123456789abcdef0 --region us-east-1

You’ll receive a confirmation that the snapshot is being moved to the Recycle Bin. You can then view it:

aws ec2 list-snapshots-in-recycle-bin --snapshot-ids snap-0123456789abcdef0 --region us-east-1

If you need to restore it before the 7 days are up:

aws ec2 restore-snapshot-from-recycle-bin --snapshot-id snap-0123456789abcdef0 --region us-east-1

This command will return a RestoreJobId which you can track. Once restored, the snapshot will reappear in your ec2 describe-snapshots output with its original ID.

The most common pitfall is not enabling the Recycle Bin globally for EBS snapshots before creating policies. If you create a policy without global enablement, it won’t intercept delete requests. Another common mistake is assuming Recycle Bin automatically protects all snapshots; it only protects those matching the tags defined in your active policies. If a snapshot lacks the required tags, it will be permanently deleted upon request. Finally, remember that Recycle Bin protection is specific to the region where the snapshot resides. You need to enable and configure it independently for each region you use.
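
The tag and region pitfalls above can be checked offline before anything is deleted. The following Python script is an added example, not code from the original page. The rule and snapshot dictionaries are constructed sample data, and their field names and the case-sensitive "any one tag pair in the same region" matching are assumptions of this example.

```python
"""Audit which EBS snapshots a set of tag-based Recycle Bin rules would cover."""

# Constructed sample data; nothing here calls AWS. Field names are assumptions.
RULES = [
    {"Id": "rule-daily", "Region": "us-east-1",
     "ResourceTags": [{"ResourceTagKey": "BackupType", "ResourceTagValue": "Daily"}]},
    {"Id": "rule-weekly", "Region": "eu-west-1",
     "ResourceTags": [{"ResourceTagKey": "BackupType", "ResourceTagValue": "Weekly"}]},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-aaa", "Region": "us-east-1",
     "Tags": [{"Key": "BackupType", "Value": "Daily"}]},
    {"SnapshotId": "snap-bbb", "Region": "us-east-1",
     "Tags": [{"Key": "backuptype", "Value": "Daily"}]},  # key case differs
    {"SnapshotId": "snap-ccc", "Region": "eu-west-1",
     "Tags": [{"Key": "BackupType", "Value": "Daily"}]},  # right tag, wrong region
    {"SnapshotId": "snap-ddd", "Region": "us-east-1"},    # untagged
]


def matching_rules(snapshot, rules):
    """Return ids of rules in the snapshot's region that share a tag pair with it."""
    tags = {(t["Key"], t["Value"]) for t in snapshot.get("Tags", [])}
    hits = []
    for rule in rules:
        if rule["Region"] != snapshot["Region"]:
            continue  # protection is configured independently per region
        wanted = {(t["ResourceTagKey"], t["ResourceTagValue"])
                  for t in rule["ResourceTags"]}
        if tags & wanted:  # exact, case-sensitive key/value comparison
            hits.append(rule["Id"])
    return hits


def audit(snapshots, rules):
    """Map each snapshot id to its matching rule ids; an empty list means a delete is final."""
    return {s["SnapshotId"]: matching_rules(s, rules) for s in snapshots}


def unprotected(snapshots, rules):
    """Return the sorted ids of snapshots that no rule covers."""
    return sorted(sid for sid, hits in audit(snapshots, rules).items() if not hits)


if __name__ == "__main__":
    for sid, hits in audit(SNAPSHOTS, RULES).items():
        print(f"{sid}: {', '.join(hits) if hits else 'NOT PROTECTED'}")
```
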

The next thing you’ll need to figure out is how to automate the tagging of your snapshots to ensure they are properly protected by your Recycle Bin policies.
