
How to Remove Encryption from EBS Volumes Using Amazon S3?

4 minute read
Content level: Intermediate

In this article, we'll explore an innovative method to remove encryption from Amazon EBS volumes using the 'CreateStoreImageTask' API. This approach leverages AWS infrastructure without requiring additional unencrypted EBS volumes, making it particularly useful in environments with strict security policies.

Introduction

While the traditional method involves creating a secondary unencrypted EBS volume and copying data using OS-level tools, our approach utilizes AWS services exclusively.

We can use the AWS CLI to call the 'CreateStoreImageTask' API. Usually this API is used for copying AMIs across AWS partitions (for example, from the commercial partition to the AWS GovCloud (US) partition). However, we can extend this logic to use it within the same AWS partition instead of the recommended CopyImage API. This approach offers a streamlined, service-based solution.

Prerequisites

  1. An AMI of the target EC2 instance or encrypted snapshots
  2. Appropriate IAM permissions including:
  • Access to the KMS key used for encryption. Change the key ARN in the policy below.
  • Permissions for S3, EBS, and EC2 services

Required IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:AbortMultipartUpload",
                "ebs:CompleteSnapshot",
                "ebs:GetSnapshotBlock",
                "ebs:ListChangedBlocks",
                "ebs:ListSnapshotBlocks",
                "ebs:PutSnapshotBlock",
                "ebs:StartSnapshot",
                "ec2:CreateStoreImageTask",
                "ec2:DescribeStoreImageTasks",
                "ec2:CreateRestoreImageTask",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:DescribeTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws:kms:region:account-id:key/key-id"
        }
    ]
}

Implementation Steps

1. Store the AMI (CreateStoreImageTask)

aws ec2 create-store-image-task --image-id ami-1234567890abcdef0 --bucket amzn-s3-demo-bucket

Note: Replace ami-1234567890abcdef0 with your AMI ID and amzn-s3-demo-bucket with your S3 bucket name.

Key Points:

  • The bucket must be in the Region in which the request is being made.
  • Decrypts the snapshots during the store process
  • Stores AMI as a single compressed object in S3 with a .bin extension.
  • Preserves Metadata: AMI name, AMI description, AMI registration date, AMI owner account, and a timestamp for the store operation.
  • The sum of the sizes of all the AMIs in progress is limited to 1,200 GB of EBS snapshot data per account. Further task creation will be rejected until the tasks in progress are less than the limit. For example, if an AMI with 200 GB of snapshot data and another AMI with 400 GB of snapshot data are currently being stored, another request will be accepted, because the total in progress is 600 GB, which is less than the limit. But if a single AMI with 1,200 GB of snapshot data is currently being stored, further tasks are rejected until the task is completed.

2. Monitor Progress (DescribeStoreImageTasks)

aws ec2 describe-store-image-tasks

Features:

  • Shows task status (InProgress/Completed/Failed)
  • Displays progress percentage for ongoing tasks
  • Lists tasks in reverse chronological order
  • Viewable for the previous month only

3. Restore the AMI (CreateRestoreImageTask)

First, disable encryption by default:

aws ec2 disable-ebs-encryption-by-default --region region

Note: Replace region with your AWS region (e.g., us-east-1, eu-west-1).

Then, restore the AMI:

aws ec2 create-restore-image-task --object-key ami-1234567890abcdef0.bin --bucket amzn-s3-demo-bucket --name "New AMI Name"

Note: Replace ami-1234567890abcdef0.bin with your stored AMI object name, amzn-s3-demo-bucket with your S3 bucket name, and "New AMI Name" with your desired AMI name.

Features:

  • The restore task can be performed in the same or a different Region in which the store task was performed.
  • The S3 bucket from which the AMI object will be restored must be in the same Region in which the restore task is requested. The AMI will be restored in this Region.
  • The AMI is restored with its metadata, such as the name, description, and block device mappings corresponding to the values of the stored AMI. The name must be unique for AMIs in the Region for this account. If you do not provide a name, the new AMI gets the same name as the original AMI. The AMI gets a new AMI ID that is generated at the time of the restore process.
  • Restoration time depends on the size of the AMI and on the other InProgress tasks queued ahead of it.

Security Considerations

  • Configure S3 bucket with appropriate security controls
  • Disable public access to the S3 bucket
  • Consider enabling Server-Side Encryption for the S3 bucket, although it is not required
  • Store and Restore happen over TLS connections; therefore, data in transit and at rest is secured as long as access to the bucket is kept secured
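The three implementation steps above, combined with the bucket hardening from the Security Considerations, as one script that stores the AMI, polls DescribeStoreImageTasks until the task is terminal, and only then restores. This is an added example, not code from the article or from AWS; it assumes a configured AWS CLI v2 and a bucket that has a PublicAccessBlock configuration, and the IDs used are the article's placeholders.

```shell
#!/bin/sh
# Added example, not from the article: chain the store, poll and restore steps
# into one script and refuse to start unless the bucket blocks public access.
# Assumes a configured AWS CLI v2; IDs passed on the command line are placeholders.
set -eu

POLL_SECONDS="${POLL_SECONDS:-30}"

# Exit status 0 only if all four PublicAccessBlock flags are True on the bucket.
bucket_blocks_public_access() {
  cfg=$(aws s3api get-public-access-block --bucket "$1" \
    --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
    --output text 2>/dev/null) || return 1
  [ "$(printf '%s' "$cfg" | tr -s '\t ' ' ')" = "True True True True" ]
}

# Print "<StoreTaskState><tab><ProgressPercentage>" for one AMI's store task.
store_task_status() {
  aws ec2 describe-store-image-tasks --image-ids "$1" \
    --query 'StoreImageTaskResults[0].[StoreTaskState,ProgressPercentage]' \
    --output text
}

# Poll until the store task is terminal: 0 on Completed, 1 on Failed, no task or CLI error.
wait_for_store_task() {
  while :; do
    case "$(store_task_status "$1" 2>/dev/null)" in
      Completed*) return 0 ;;
      ""|None*|Failed*) return 1 ;;
      *) sleep "$POLL_SECONDS" ;;
    esac
  done
}

# Usage: main <ami-id> <bucket> <new-ami-name>
main() {
  ami=$1; bucket=$2; name=$3
  bucket_blocks_public_access "$bucket" || { echo "bucket $bucket does not block public access" >&2; return 1; }
  aws ec2 create-store-image-task --image-id "$ami" --bucket "$bucket"
  wait_for_store_task "$ami" || { echo "store task for $ami did not complete" >&2; return 1; }
  # Without this, encryption by default would re-encrypt the restored snapshots.
  aws ec2 disable-ebs-encryption-by-default
  aws ec2 create-restore-image-task --object-key "$ami.bin" --bucket "$bucket" --name "$name"
}

# Example: ./store-restore.sh ami-1234567890abcdef0 amzn-s3-demo-bucket "New AMI Name"
if [ $# -eq 3 ]; then main "$@"; fi
```

The script stops before calling CreateStoreImageTask if any PublicAccessBlock flag is False, and before CreateRestoreImageTask if the store task fails or disappears from the task list.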
