Cost

Prune ancient EBS snapshots

Years of incremental snapshots silently outgrow their source volumes — find the long tail and decide what's still recoverable.

14 min·10 sections·AWS

Last reviewed 27 May 2026

Old EBS snapshots: the basics

Why does a 50 GB volume end up with 281 snapshots?

An EBS snapshot is a point-in-time backup of a volume, stored in S3 behind the scenes and billed at roughly $0.05 per GB-month. Snapshots are incremental — only the blocks that changed since the previous snapshot get stored — so the first one is full-size and every subsequent one is (usually) cheap. That's the design that makes daily snapshots affordable.

The trap is that nobody deletes them. A nightly Lambda or a hand-rolled cron job starts firing snapshots one day, the team rotates, the policy never gets written, and four years later there are 1,742 snapshots for a volume that's still 8 GB. The wastage check flags these as EC2-009 — "Old EBS Snapshots" — typically anything older than 90 days where no retention policy exists.

The per-snapshot cost looks small ($0.01–$11.54/mo in the inbox findings) but the long tail multiplies fast. A thousand stale snapshots averaging $2/mo each is $24k a year on backups nobody has restored from since the previous AWS console redesign. The fix isn't dramatic — it's just deciding what's worth keeping, with a policy that prevents the next four years of drift.

In this lesson you'll learn how EBS snapshot incrementality actually works (and why deleting a middle snapshot doesn't free what you'd expect), how to safely audit the long tail of old snapshots, when to use the Snapshot Archive tier vs. just deleting, and how to set a Data Lifecycle Manager or AWS Backup policy that prevents the problem from coming back.

Fun fact

The phantom storage bill

Deleting an old snapshot rarely frees as much storage as you'd expect. Because snapshots are incremental, the blocks "belonging" to snapshot N may still be referenced by snapshot N+1 — when you delete N, AWS just transfers ownership of those blocks to the next snapshot in the chain. The bill only drops meaningfully once you delete the snapshots that hold blocks no other snapshot still needs. AWS doesn't expose this dependency graph directly, which is why teams often delete 200 old snapshots and watch the line item barely move.

Snapshot pruning in action

Nina is the platform lead at a SaaS company that's been on AWS since 2019. The wastage report flags 281 snapshots older than 90 days against a single 50 GB volume — the oldest is 1,595 days old (4.4 years), the newest in the flagged set is 256 days.

She pulls the list. The pattern is depressingly familiar: a deprecated cron job from a previous platform team has been firing daily snapshots since 2021, nobody ever deleted them, and the team that owned the original workload is now disbanded. The volume itself is still attached to a running instance — so the recent snapshots have value, but the 1,500-day-old ones almost certainly don't.

Before she deletes anything, she checks two things: are any of these snapshots referenced by an AMI (deleting would break image registration), and what does compliance actually require? Their SOC 2 retention policy says 90 days for production data. Everything older is fair game.

First, list all self-owned snapshots older than 90 days, sorted by age. Filter to one volume to focus the audit.

$ aws ec2 describe-snapshots --owner-ids self --filters Name=volume-id,Values=vol-0abc123def456 --query 'Snapshots[?StartTime<=`2026-02-14`].[SnapshotId,StartTime,VolumeSize,Description]' --output table

---------------------------------------------------------------------------------

| DescribeSnapshots |

+----------------------+----------------------------+--------+-----------------+

| snap-0f9a1b2c3d4 | 2021-09-04T03:00:12.000Z | 50 | daily-backup |

| snap-1a8b7c6d5e3 | 2021-09-05T03:00:09.000Z | 50 | daily-backup |

| snap-2c4d6e8f0a1 | 2021-09-06T03:00:15.000Z | 50 | daily-backup |

| ... 275 rows elided ... |

| snap-9e8d7c6b5a4 | 2025-08-30T03:00:08.000Z | 50 | daily-backup |

| snap-8d7c6b5a4f3 | 2025-08-31T03:00:11.000Z | 50 | daily-backup |

+----------------------+----------------------------+--------+-----------------+

# 281 snapshots, oldest 1,595 days, all from the same orphaned cron.

The full long tail for one 50 GB volume — 4.4 years of untouched daily backups.

Before deleting, cross-check that no AMI depends on these snapshots. An AMI deregistration will fail if its backing snapshot is gone, but the snapshot delete itself won't warn you.

$ aws ec2 describe-images --owners self --filters Name=block-device-mapping.snapshot-id,Values=snap-0f9a1b2c3d4,snap-1a8b7c6d5e3 --query 'Images[].[ImageId,Name,CreationDate]' --output table

------------------------------------------

| DescribeImages |

+----------------------------------------+

|| ||

++--------------------------------------++

# Empty result — no AMI depends on either snapshot. Safe to delete.

Always run this check on any snapshot you're about to delete in bulk.

Snapshot incrementality under the hooddeep dive

EBS snapshots are billed per GB of unique data stored, not per snapshot. Snapshot 1 stores every used block on the volume. Snapshot 2 stores only the blocks that changed since snapshot 1, and it references the unchanged blocks from snapshot 1. Snapshot 3 references both. This chain is invisible to the API — there's no describe-snapshot-chain call — but it's what determines the actual storage bill.

When you delete a snapshot, AWS walks the chain and re-attributes any blocks that other snapshots still need to those snapshots. Blocks that no surviving snapshot references are actually freed and stop billing. The practical implication: deleting the middle snapshots in a long chain frees almost nothing; deleting the oldest and newest together typically frees the most, because that's where the unique deltas live.

The Snapshot Archive tier (launched late 2021) changes the math entirely. Archived snapshots are billed at $0.0125/GB-month — a quarter of standard — but with a 90-day minimum retention and a 24-72 hour restore time. They also bill as full snapshots, not incremental, so archiving doesn't help you if the snapshot is small because most of its blocks are shared. Archive is right for the snapshot you must keep for compliance but are never going to restore in a hurry; it's wrong for daily backups of a live workload.

# Move a single snapshot to the Archive tier — pays off if you'd keep it >90 days.
aws ec2 modify-snapshot-tier \
  --snapshot-id snap-0f9a1b2c3d4 \
  --storage-tier archive

# Restore an archived snapshot back to standard tier (24-72 hours).
aws ec2 restore-snapshot-tier \
  --snapshot-id snap-0f9a1b2c3d4 \
  --temporary-restore-days 7 \
  --permanent-restore

What is the impact of hoarding old snapshots?

The direct cost is unglamorous but real. A single 50 GB volume with 281 stale snapshots, assuming a typical 5-10% daily churn, can easily hold 200-400 GB of unique snapshot data — $10-20/mo per volume, every month, indefinitely. Multiply across an estate of a few hundred volumes and the snapshot line item quietly becomes one of the largest in EBS billing, second only to the volumes themselves.

The second-order cost is restore-time confidence. When you have 1,742 snapshots for one volume, recovery becomes a guessing game: which one was "before the bad deploy"? Teams default to the most recent and miss the point — old snapshots that nobody has documented are operationally useless even if they're technically still there.

Compliance teams care for the opposite reason. If your retention policy says 90 days for production data and you're holding 4-year-old snapshots, you've quietly become a data-retention risk. A regulator or customer auditor asking "show me you delete data per your stated schedule" will not be charmed by "we forgot." Pruning old snapshots is sometimes a compliance requirement, not an optimisation.

There's also a quota dimension. The default per-region soft limit is 100,000 snapshots per account. Most teams never hit it, but a few orphaned cron jobs across enough volumes will eventually start throwing SnapshotLimitExceeded errors on legitimate backup runs — a much more visible problem than the bill.

How do you prune old snapshots safely?

Snapshot hygiene is a four-step loop: inventory the long tail, validate dependencies, delete or archive what's stale, then automate retention so the problem stops re-creating itself.

1. Inventory the long tail

Pull every self-owned snapshot in every region, joined with its source volume's existence and tags. Group by source volume and age. The findings worth acting on are usually obvious: a single volume with hundreds of snapshots, source volume tiny, oldest snapshot measured in years. Don't try to boil the ocean — sort by total stored GB and start with the top 5%.

2. Cross-check AMI and Recycle Bin dependencies

Before deleting, run describe-images --filters block-device-mapping.snapshot-id=... against every snapshot in the batch. If any AMI still references the snapshot, deregister the AMI first (or skip the snapshot). Also enable the Recoverable Snapshots / Recycle Bin (introduced 2021) with a 7-30 day retention rule — soft-delete gives you a rollback window if a colleague yells about the snapshot two days later.

3. Archive what compliance requires, delete the rest

Anything you're keeping purely for "just in case" beyond 90 days belongs in the Snapshot Archive tier — 4× cheaper, same durability, slow restore. Anything genuinely orphaned (no AMI, no compliance requirement, no documented owner) can be deleted outright. Don't sit in the middle: indefinite standard-tier retention is the most expensive choice for snapshots you'll never touch.

4. Replace cron with a lifecycle policy

The reason you have 1,742 snapshots is that a script created them without ever deleting any. Replace it with Data Lifecycle Manager (free, simple, retention by count or age) or AWS Backup (more powerful, supports cross-account/cross-region, plays nicely with Backup Audit Manager). Set retention once — "keep 30 daily, 12 monthly, 7 yearly" — and never touch this again.

# Create a DLM policy: daily snapshots, retain 30, applied to volumes tagged Backup=true.
aws dlm create-lifecycle-policy \
  --execution-role-arn arn:aws:iam::123456789012:role/AWSDataLifecycleManagerDefaultRole \
  --description 'Daily EBS snapshots, 30-day retention' \
  --state ENABLED \
  --policy-details '{
    "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
    "TargetTags": [{"Key":"Backup","Value":"true"}],
    "Schedules": [{
      "Name": "daily",
      "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"]},
      "RetainRule": {"Count": 30}
    }]
  }'

# Enable Recycle Bin for accidental-delete recovery (30-day soft-delete window).
aws rbin create-rule \
  --resource-type EBS_SNAPSHOT \
  --retention-period RetentionPeriodValue=30,RetentionPeriodUnit=DAYS \
  --description 'Soft-delete snapshots for 30 days'

Quick quiz

Question 1 of 5

You find 281 snapshots on a 50 GB volume, oldest 1,595 days, no documented retention policy. Compliance says 90 days for production data. What's the right next move?

Keep learning

Dig deeper into snapshot lifecycle management and the tooling AWS provides for it.

You've completed Prune ancient EBS snapshots. You now know how snapshot incrementality actually bills, when archive beats delete, how to validate AMI dependencies before pruning, and how to set a DLM policy so the next four years don't repeat the last four. Inventory, validate, archive-or-delete, automate — that's the loop.

Back to the library

Old EBS snapshots: the unit economics of forgotten backups

A predictable, stoppable leak hiding in the storage line item

EBS snapshots are billed at roughly $0.05 per GB-month of unique data stored. Because they're incremental, a single snapshot is cheap — but a four-year unmanaged nightly run against one volume can silently accumulate hundreds of gigabytes of unique data. The per-snapshot cost in the inbox looks small ($0.01–$11.54/mo each), but the tail of a few hundred stale snapshots easily compounds to $24k or more per year on backups that nobody has ever restored from.

The core issue is the absence of a retention policy. Where spending on compute or databases tends to be intentional and reviewed, snapshot storage accretes invisibly — each individual charge is below the attention threshold, but the aggregate is material. This is a classic unit-economics problem: the marginal cost of snapshot N looks trivial, but the cumulative cost of 1,742 snapshot Ns is a real budget line nobody approved.

For finance, the right frame is a one-time cleanup to eliminate the backlog followed by a standing retention policy that enforces a fixed cost ceiling per volume going forward. A well-set DLM policy converts snapshot cost from open-ended accumulation into a predictable, capped line item — so the next four years don't reproduce the last four.

This lesson is for the finance partner who spots a growing EBS snapshot line on the cloud bill and wants to understand what's driving it and what a defensible fix looks like. It explains how incremental billing actually works (why deleting 200 snapshots can barely move the needle), how to model the cleanup saving versus the ongoing cost of a properly governed retention policy, the Archive tier's 4× cost reduction as an alternative to outright deletion for compliance-required data, and how a DLM policy converts snapshot cost from open-ended accumulation into a capped, predictable budget item.

Fun fact

The phantom storage bill

How a finance partner sizes the snapshot cleanup opportunity

Marcus is the FinOps lead for a mid-size SaaS company. At the quarterly cost review he notices EBS snapshot spend has been climbing by roughly $800/mo for the last six quarters — now $14,200/mo — with no corresponding growth in active volumes. He pulls the snapshot inventory: 47 volumes have more than 100 snapshots each, and the oldest snapshots per volume average 1,100 days.

Rather than approve a blanket delete, Marcus frames it as a tiering exercise. He asks engineering to classify each volume against the data retention schedule in their SOC 2 agreement: 90 days for production customer data. Everything beyond 90 days that isn't archived for a documented compliance reason is waste. The volumes without a production tag — dev, test, build artifacts — have no retention requirement at all; he marks those for full cleanup.

He models the saving: 47 volumes, estimated 600 GB of stale unique data beyond 90 days, at $0.05/GB-month is $360/mo in direct savings from deletion. A further 180 GB of compliance-hold data moved to the Archive tier saves another $4.50/GB-month × 180 ≈ $810/mo versus keeping it in standard. Combined cleanup: ~$1,170/mo ongoing, plus elimination of the $800/mo drift if DLM is set with a 90-day ceiling. Total annual impact: roughly $24k — a real budget line to close against.

Why snapshot sprawl shows up on the risk register and the budget

The direct cost impact of unmanaged snapshot growth is both real and forecastable: at $0.05/GB-month, 600 GB of stale unique snapshot data above your retention requirement costs $360/mo — $4,320/yr — before any Archive optimization. More importantly, if the pattern is consistent, that cost compounds year-on-year because each new undeleted snapshot adds to the base. Snapshot spend that grows 10% a month doubles in under a year. That's the cost side of this finding, and it's easy to model.

The compliance cost is harder to quantify but potentially more expensive. If your stated data retention schedule says 90 days and your snapshots go back four years, you have a documented discrepancy between policy and practice. A customer security review, a SOC 2 audit, or a GDPR Subject Access Request that surfaces this is not a bill line — it's a finding against your governance posture. Correcting it reactively is costlier than building it into your operating model proactively.

For budget owners, the right ask is: put a retention ceiling per volume type on the roadmap and fund the one-time cleanup. Once DLM enforces a fixed retention count, the snapshot line stops compounding and becomes a predictable, defensible cost. The difference between 'snapshot cost grows indefinitely' and 'snapshot cost is capped per volume' is the value of this control expressed in budget certainty.

The finance partner's four levers on snapshot hygiene

Finance can't run the CLI commands, but it can set the framing that turns a one-time cleanup into a standing, budget-safe practice. Four levers, applied at the regular cadence.

1. Establish retention as a budgeting input

Work with engineering to agree a maximum snapshot age per environment tier — for example, 90 days for production, 30 days for dev/test — before the next budget cycle. Once the ceiling is set, the snapshot cost per volume becomes forecastable: retention count × average changed-data size × $0.05. That converts an open-ended accumulation into a capped line item you can plan against.

2. Model the one-time cleanup saving before approving it

Estimate total unique GB above the retention ceiling and multiply by $0.05/GB-month to size the monthly saving. Add the Archive-tier delta for any compliance-hold snapshots that move from standard ($0.05) to archive ($0.0125): each GB moved saves $0.0375/mo. A one-page cleanup model — current spend, post-cleanup spend, Archive savings, one-time labour cost — makes approval a 10-minute conversation rather than a standing debate.

3. Require evidence of a lifecycle policy, not just a count

Track whether each active volume has a DLM or AWS Backup policy applied, not how many snapshots exist. A volume with a DLM policy enforcing 30-day retention is governed; a volume with 30 snapshots and no policy is one year away from being the next problem. The hygiene KPI for finance is 'percentage of volumes with a lifecycle policy', not 'number of old snapshots deleted'.

4. Price Archive vs. delete for compliance-hold data

Compliance-mandated snapshots that must be kept longer than the operational window belong in the Archive tier. At 4× cheaper than standard, archiving a 100 GB snapshot saves $3.75/mo versus standard indefinite retention. For large estates with genuine long-hold requirements — financial records, regulated data — the Archive tier is a real budget lever, but it requires a 90-day minimum and 24-72 hour restore time, so it's only right for the data you'd never need to restore quickly.

Quick quiz

Question 1 of 5

A cost review shows EBS snapshot spend has grown from $3,200/mo to $11,400/mo over two years with no change in active volume count. Engineering proposes a one-time delete of all snapshots older than 90 days. What should finance confirm before approving the saving estimate?

Keep learning

Dig deeper into snapshot lifecycle management and the tooling AWS provides for it.

You've finished the finance partner's view of EBS snapshot pruning. You know how to model the cleanup saving correctly (accounting for incremental storage attribution), why the Archive tier at $0.0125/GB-month is the right home for compliance-hold data rather than indefinite standard retention, and the four budget levers — retention as a budget input, a one-page cleanup model, lifecycle-policy coverage as the hygiene KPI, and Archive vs. delete math — that convert snapshot cost from an open-ended accumulation into a capped, defensible line item.

Back to the library

Old EBS snapshots: the headline for leadership

Unmanaged backups are a cost, a compliance, and an operational risk

Cloud backup costs are easy to ignore because they accumulate slowly and no individual charge triggers an alert. Years of undeleted daily snapshots can quietly become one of the largest line items in EBS billing — spending on backups no one has ever used and no one has approved to keep. Security findings flag this as a cost risk, but it's also a compliance risk: holding data beyond the retention schedule you've committed to in your data governance policy is a liability, not an asset.

The leadership question is whether the organization manages backup data the same way it manages other data: with a defined retention period, a clear owner, and evidence that the policy is followed. Right now the answer for most accounts is no — data is kept indefinitely because deletion was never automated. The fix isn't technical complexity; it's a standing policy decision — how long do we need this, and who decides — enforced by automation rather than left to chance.

A short read for the executive who wants to understand what the snapshot line item actually represents and why it keeps growing without anyone approving it. You'll get the plain-English version of why unmanaged backups are a cost, compliance, and operational risk — and what the one org-level decision is that fixes all three: a defined retention policy enforced by automation, applied consistently across accounts, with every exception on the record.

Fun fact

The phantom storage bill

What good snapshot governance looks like for a leader

At a financial services company, the CISO, Ravi, got a question from a customer audit team: "Show us that you delete data according to your stated 90-day backup retention schedule." The honest answer was that they couldn't — nobody had ever automated deletions, and the evidence would have shown data going back four years. That's when snapshot hygiene became a leadership priority rather than an engineering to-do.

Ravi didn't need to understand incremental storage mechanics. He needed to answer two questions: which snapshots exist beyond our stated policy period, and what's the process that ensures they get deleted on time going forward? The engineering team showed him a DLM policy enforcing 90-day retention across all production volumes, and a Recycle Bin configured for a 30-day recovery window. Those two controls, applied and evidenced, were what closed the audit finding.

His takeaway for the leadership report: backup data governance is not a hygiene detail — it's a compliance commitment. Every quarter the organization should be able to show that backup data is retained for exactly as long as the policy says, no longer. A growing snapshot bill with no retention policy is evidence to the contrary.

The three-sentence executive read on snapshot sprawl

Unmanaged EBS snapshots are a cost, a compliance, and an operational risk bundled together. On cost: backup storage grows without bound when nobody automates deletion, and the aggregate line item becomes material before any individual charge triggers a review. On compliance: keeping data beyond the retention period your own policy specifies is an audit finding waiting to happen, not a benefit.

On operations: a volume with 1,742 snapshots is not better protected than one with 30 — it's harder to recover from, because no one knows which point in time to restore. More is worse once you've exceeded the window you'd actually use. The fix is a standing retention policy enforced by automation — not a one-time cleanup, but a standing answer to the question: how long do we keep backup data, and how do we prove it?

The leadership signal to ask for is not the number of snapshots deleted but the presence of a lifecycle policy on every active volume. That's evidence of governed backup practice rather than inherited snapshot debt.

The leadership ask on snapshot governance

The executive handle is not to drive the snapshot count to zero — it's to require that backup data is governed by policy rather than accumulated by default. Three questions that settle whether the practice is mature.

1. Does every active volume have a lifecycle policy?

A volume without a DLM or AWS Backup policy is a volume whose snapshot cost compounds forever. The answer 'yes, 100% of production volumes have an enforced retention policy' is the outcome that matters. 'We deleted 5,000 old snapshots' is a one-time fix; 'we have lifecycle policies on all production volumes' is evidence of governance.

2. Does the retention setting match the compliance schedule?

If your data governance policy says 90 days and your lifecycle policy enforces 90 days, the two are aligned and defensible under audit. If they differ in either direction — keeping data longer than stated, or deleting it sooner — that's a governance gap. This is the one question an executive can ask engineering or the security team to get a meaningful answer without needing technical depth.

3. Are exceptions documented and owned?

Any volume exempt from the standard retention policy — because of regulatory hold, legal preservation, or a specific business reason — should have a named owner and a review date. 'We keep 7-year snapshots of the financial database because of SOX, owned by the Finance team, reviewed annually' is a defensible exception. A volume with 4-year snapshots and no owner is not.

Quick quiz

Question 1 of 5

The board's security committee asks: 'How do we know we're deleting backup data according to our stated 90-day retention policy?' What's the right evidence to show?

Keep learning

Dig deeper into snapshot lifecycle management and the tooling AWS provides for it.

That's the lesson. The two takeaways: unmanaged snapshot accumulation is a cost, a compliance gap, and an operational liability — and none of those problems are fixed by a one-time cleanup alone. The lasting fix is a standing retention policy enforced by automation, aligned to your stated data governance schedule, with every exception documented and owned. That's the difference between a growing bill and a governed practice.

Back to the library

Part of the learning path Cut your storage bill

Prune ancient EBS snapshots

Old EBS snapshots: the basics

The phantom storage bill

Snapshot pruning in action

Snapshot incrementality under the hooddeep dive

What is the impact of hoarding old snapshots?

How do you prune old snapshots safely?

1. Inventory the long tail

2. Cross-check AMI and Recycle Bin dependencies

3. Archive what compliance requires, delete the rest

4. Replace cron with a lifecycle policy

Quick quiz

Keep learning

Old EBS snapshots: the unit economics of forgotten backups

The phantom storage bill

How a finance partner sizes the snapshot cleanup opportunity

Why snapshot sprawl shows up on the risk register and the budget

The finance partner's four levers on snapshot hygiene

1. Establish retention as a budgeting input

2. Model the one-time cleanup saving before approving it

3. Require evidence of a lifecycle policy, not just a count

4. Price Archive vs. delete for compliance-hold data

Quick quiz

Keep learning

Old EBS snapshots: the headline for leadership

The phantom storage bill

What good snapshot governance looks like for a leader

The three-sentence executive read on snapshot sprawl

The leadership ask on snapshot governance

1. Does every active volume have a lifecycle policy?

2. Does the retention setting match the compliance schedule?

3. Are exceptions documented and owned?

Quick quiz

Keep learning

Related cost lessons