Using Coldsnap to Access an EBS Volume

Coldsnap is a lightweight, open-source utility that uses the AWS EBS Direct APIs to read the contents of an EBS snapshot without creating or attaching an EBS volume. Instead of restoring a snapshot into a live block device, Coldsnap downloads the snapshot data directly and exposes it as a raw disk image that can be inspected or mounted offline.

This approach is useful when you need fast, low-impact access to snapshot data for recovery, forensics, or analysis, especially when creating volumes would be slow, expensive, or operationally risky. Coldsnap avoids volume provisioning, does not modify the original snapshot, and works even for old snapshots whose data may be stored in colder tiers.

Create Snapshot

  1. Go to the EC2 console.
  2. Select Instances.
  3. Click your stopped instance.
  4. In the Storage tab, note the Volume ID (e.g., vol-xxxxxxxx).
  5. Click the Volume ID link.
  6. In the Volumes page:
    • Select the volume.
    • Click Actions → Create snapshot.
  7. Provide:
    • Description
    • Optional tags
  8. Click Create snapshot.

Create Instance and Add Role

Create a new instance using the AWS AMI. Since the EBS volumes attached to the three dl1.24xlarge instances are 20GB, I suggest selecting a 100GB root volume and the t3.xlarge instance type (the coldsnap software needs to be compiled, which takes about 10 minutes).

ec2-full-access-role:

Trusted entity type: AWS service
Use case: EC2
Add Policies:

  1. AmazonEC2FullAccess (AWS’s preconfigured Access)
  2. EBS-direct-API-access:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EbsDirectFull",
            "Effect": "Allow",
            "Action": "ebs:*",
            "Resource": "*"
        }
    ]
}

Attach the ec2-full-access-role to the new instance: in the EC2 instance list, select the instance, choose Actions → Security → Modify IAM role, and select ec2-full-access-role from the drop-down list.

Install Coldsnap

SSH to the new EC2 instance.

Install the software using the following 4 commands; it should take about 10 minutes.
sudo dnf install -y gcc openssl-devel cmake
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"
cargo install coldsnap

Download the Snapshot

coldsnap download <snapshot_id> <filename>.raw

View the Snapshot Partition Info

View the snapshot partition information (could be used for troubleshooting future steps):

sudo fdisk -l <filename>.raw
lsblk

Create the Loop Device for the Snapshot

Create the loop device for the snapshot. If you are mounting multiple volumes, /dev/loop0 will be different for each volume; see View the Snapshot Partition Info (above).

sudo losetup --partscan /dev/loop0 i-007a49f017b11cccb.raw
lsblk /dev/loop0

Mount the Disk

Mount the volume. If you are mounting multiple volumes, /mnt/recovery will need to be unique for each volume and /dev/loop0p1 might be different; see View the Snapshot Partition Info (above).

sudo mkdir -p /mnt/recovery
sudo mount -o ro /dev/loop0p1 /mnt/recovery
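
The loop-device and mount steps above as one script, as an added example that is not part of the original page: it attaches the image read-only to the first free loop device, so nothing depends on /dev/loop0 being available, and mounts with options that prevent journal replay and execution from the image. The function names, the largest-partition heuristic and the .sha256 side file are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only attach and mount of an image written by
# `coldsnap download`. Image path and mount point are supplied by the caller.

# Mount options that keep the image untouched, per filesystem type.
mount_opts() {
    base="ro,nosuid,nodev,noexec"
    case "$1" in
        # norecovery: skip log replay; nouuid: the image may carry the same
        # XFS UUID as the analysis instance's own root volume.
        xfs)       echo "$base,norecovery,nouuid" ;;
        ext3|ext4) echo "$base,noload" ;;   # noload: skip journal replay
        *)         echo "$base" ;;
    esac
}

# Read `lsblk -lnbo NAME,SIZE,TYPE` output on stdin and print the largest
# partition's device node (heuristic: the data or root partition).
pick_largest_part() {
    awk '$3 == "part" && $2 + 0 > max { max = $2 + 0; name = $1 }
         END { if (name != "") print "/dev/" name }'
}

recover_mount() {
    img=$1; mnt=$2
    sha256sum "$img" > "$img.sha256" || return 1   # hash before first use
    # --find picks a free loop device, so nothing is hard-coded to /dev/loop0.
    dev=$(sudo losetup --find --show --read-only --partscan "$img") || return 1
    part=$(lsblk -lnbo NAME,SIZE,TYPE "$dev" | pick_largest_part)
    [ -n "$part" ] || part=$dev                    # image without a partition table
    fstype=$(sudo blkid -o value -s TYPE "$part") || return 1
    sudo mkdir -p "$mnt"
    sudo mount -t "$fstype" -o "$(mount_opts "$fstype")" "$part" "$mnt" || return 1
    echo "$dev $part $fstype"
}

# Usage: sh recover_mount.sh <filename>.raw /mnt/recovery
if [ "$#" -eq 2 ]; then
    recover_mount "$1" "$2"
fi
```

When finished, unmount the directory and detach the loop device printed by the script with `sudo losetup -d`.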

View the Files

The whole file system should be available now.

cd /mnt/recovery/