Sharing Encrypted AMIs Across Accounts

Step 1: Create one shared KMS key

First, we need to create one KMS key.

  1. In the Key Management Console, choose Customer managed keys.
  2. Choose Create key.
  3. Choose key type Symmetric and key usage Encrypt and decrypt.
  4. Then, expand Advanced options. Choose Key material origin as KMS and Regionality as Multi-Region key. Click on Next.
  5. Give an alias name.
  6. Click on Next.
  7. Choose any Key administrators and select Next.
  8. Select any Key users and click on Add another AWS account. Give the target AWS account ID.
  9. Select Next. Then, Review and Finish.

Step 2: Create one snapshot from the encrypted EBS volume using the AWS managed key (aws/ebs)

  1. Go to the EC2 console. Then, on the left side pane, select Volumes. Select the check box of the volume to share. Click on Actions and select Create Snapshot.
  2. Give an appropriate description and select Create Snapshot.


Step 3: Create another snapshot from the previous snapshot using the shared KMS key

  1. Now, we need to create another snapshot from the previous snapshot.
  2. On the left side pane, select Snapshots.
  3. Choose the snapshot created in Step 2. Click on Actions and select Copy Snapshot.
  4. Give an appropriate description and choose the shared KMS key. Select Copy Snapshot.

Step 4: Create one AMI using the snapshot that was created with the shared KMS key

Now, we will create one AMI using this snapshot, which is encrypted with the shared KMS key.

  1. In the Snapshots section, choose the copied snapshot and select Actions. Choose Create image from snapshot.
  2. Give an Image name. Select Create image.

Step 5: Migrate encrypted AMI

  1. In the EC2 console, on the left side pane, go to the AMIs section.
  2. Choose the AMI created in Step 4. Click on Actions and select Edit AMI permissions.
  3. Click on the checkbox (Add 'Create volume' permission to associated snapshots when creating account permissions).
  4. In the Shared accounts section, click on Add account ID. Give the account ID of the destination/target account. Click on Save Changes.

Now, go to the destination/target account. In the EC2 console, go to the AMIs section, where the shared AMI is listed. Using this shared AMI, we can launch an EC2 instance in the destination account.
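As an added example (not part of the original article), this Python script builds the key policy that Step 1, item 8 (Add another AWS account) produces, and checks that the target account's root principal is granted every action EBS needs to copy the shared snapshot and launch from the AMI. The account IDs are constructed placeholders.

```python
import fnmatch

# Constructed placeholder account IDs (not real accounts).
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"

# Actions EBS must be able to call on the key from the target account to
# copy the shared snapshot and to attach volumes launched from the AMI.
REQUIRED_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncryptFrom",
                    "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"]

def build_key_policy(source_account, target_accounts):
    """Key policy equivalent to Step 1, item 8 (Add another AWS account)."""
    owner = f"arn:aws:iam::{source_account}:root"
    external = [f"arn:aws:iam::{a}:root" for a in target_accounts]
    return {"Version": "2012-10-17", "Statement": [
        # The key owner keeps full control of the key.
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": owner}, "Action": "kms:*", "Resource": "*"},
        # Lets the target account's principals decrypt the snapshot data key.
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": external}, "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        # EC2 creates a grant when attaching a volume; the condition limits
        # grant creation to AWS services acting on the account's behalf.
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": external}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def missing_actions(policy, account, required=REQUIRED_ACTIONS):
    """Return required actions that no Allow statement grants to the
    account's root principal (wildcards such as kms:ReEncrypt* honoured)."""
    root = f"arn:aws:iam::{account}:root"
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if root not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in required if fnmatch.fnmatchcase(a, pattern))
    return [a for a in required if a not in granted]
```

The generated policy can be applied with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. The key policy only delegates to the target account's root; IAM principals in that account still need an identity policy allowing the same actions on the key ARN.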
