I want to share encrypted Amazon Machine Images (AMIs) across AWS accounts to launch encrypted Amazon Elastic Compute Cloud (Amazon EC2) instances.
Resolution
Follow these prerequisites and steps to share encrypted AMIs and then launch encrypted instances.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Prerequisites
AWS accounts
To share an AMI, you need these two types of AWS accounts:
- Source account: An AWS account used to build a custom AMI and then encrypt the associated Amazon Elastic Block Store (Amazon EBS) snapshots.
- Target account: An AWS account used to launch encrypted EC2 instances with shared custom AMIs.
The example in this article uses account ID 111111111111 for the source account and account ID 999999999999 for the target account.
Customer managed AWS KMS key
Customer managed keys are AWS Key Management Service (AWS KMS) keys that you create. Create an AWS KMS key in the source account in the same AWS Region.
The example in this article uses an AWS KMS key with the alias cmkSource under the source account ID 111111111111 in the us-east-1 Region. The alias cmkSource encrypts AMI ID ami-1234578 and then shares it with the target account ID 999999999999.
Note: Make sure that you also review the limitations and best practices.
Create an IAM user or role policy for the source account
Follow these steps to use AWS Identity and Access Management (IAM) to create a user or role policy for the source account. Then, add the target account ID to the AWS KMS key policy.
-
Create an IAM user or role policy for the source account like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:ModifyImageAttribute"
],
"Resource": [
"arn:aws:ec2:us-east-1::image/12345678"
]
}
]
}
-
Open the AWS KMS console.
-
In the navigation pane, choose Customer managed keys, and then choose your AWS KMS key. For example, cmkSource.
-
In Other AWS accounts, choose Add other AWS accounts, and then choose Add another AWS account.
-
In the arn:aws:iam:: field, enter the ID of your target account. For example, 999999999999.
-
Choose Save changes.
Create an IAM user or role policy setting for the target account
Create an IAM user or role policy for the target account like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlainText"
],
"Resource": [
"arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource"
]
},
{
"Effect": "Allow",
"Action": "kms:CreateGrant",
"Resource": [
"arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource"
],
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
This policy allows you to use the AWS KMS key from the source account to encrypt new instances launched from the target account.
Share the AMI with the target account
Follow these steps to share an AMI:
Note: You can't share an AMI from different AWS Regions. You can copy the AMI and then share it or launch it in a new Region. For more information, see How do I create an AMI in one AWS Region and then copy it to another?
Launch an instance from the shared encrypted AMI
Follow these steps to launch an instance from the shared encrypted AMI
- Open the EC2 console.
- In the navigation pane, choose EC2 Dashboard, and then choose Launch instance.
- Under Names and tags, for Name, enter a name for your instance.
- Under Application and OS Images (Amazon Machine Image), choose Browse more AMIs to find the shared encrypted AMI. Choose My AMIs, and then choose Shared with me.
- Under Instance type, choose an instance type.
- Under Key pair (login), for Key pair name, choose a key pair. Or, create a new one.
- (Optional) Under Network settings, choose Edit, and then choose your VPC and Subnet.
- Under Configure storage, choose Advanced.
- Under EBS Volumes, expand Volume.
- Under Encrypted, choose Encrypted.
- Under KMS key, choose Specify a custom value, and enter the full ARN. For example, 'arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource'.
Note: If you don't choose an AWS KMS key, then the default KMS key for EBS encryption from the target account is used.
- Under Summary, choose Launch instance.
For more information, see Use the new launch instance wizard to launch an instance.
Note: The steps to launch an instance from a shared encrypted AMI are the same as for an instance with a custom AMI. For more information, see How do I launch an EC2 instance from a custom AMI?
Related information
How do I share an Amazon Machine Image (AMI) privately with another AWS account?
Instance-launching scenarios
Launch your instance