AWS announces preview of AWS Interconnect - multicloud

AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.

How do I share encrypted AMIs across accounts to launch encrypted EC2 instances?

3 minute read

I want to share encrypted Amazon Machine Images (AMIs) across AWS accounts to launch encrypted Amazon Elastic Compute Cloud (Amazon EC2) instances.

Resolution

Prerequisite: Make sure that you adhere to the requirements to share AMIs.

To share encrypted AMIs across accounts, complete the following steps:

Review the AMI encryption details.
Note: You can't share AWS managed keys across accounts. As a result, you can't share AMIs that you encrypted with the default AWS managed key. If you used an AWS managed key to encrypt the AMI, then copy the AMI and use a customer managed key to encrypt the new AMI.
Share the AMI with the target account.
Note: The target account is your account that launches the encrypted EC2 instances with shared custom AMIs.
Edit the key policy to allow users in the target account to access the AWS Key Management Service (AWS KMS) key.

Create an AWS Identity and Access Management (IAM) user or role in the target account. Then, attach a policy to the role that gives it DescribeKey, ReEncrypt*, Decrypt, GenerateDataKeyWithoutPlainText, and CreateGrant permissions for your AWS KMS key. Example policy:

{  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlainText",
        "kms:CreateGrant"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:111111111111:key/cmkSource"
      ]
    }
  ]
}

Note: Replace 111111111111 with the source account ID with the encrpyted AMI, us-east-1 with your AWS Region, and cmkSource with the ID of the customer managed key.

Open the Amazon EC2 console.
In the navigation pane, choose EC2 dashboard, and then choose Launch instance.
Under Names and tags, for Name, enter a name for your instance.
Under Application and OS Images (Amazon Machine Image), choose Browse more AMIs to find the shared encrypted AMI.
Choose My AMIs, and then choose Shared with me.
Under Instance type, select an instance type.
Under Key pair (login), for Key pair name, select a key pair. Or, create a new one.
(Optional) Under Network settings, choose Edit, and then select your virtual private cloud (VPC) or subnets.
Under Configure storage, choose Advanced.
Under EBS Volumes, expand Volume.
Under Encrypted, choose Encrypted.
Under KMS key, choose Specify a custom value, and then enter the full Amazon Resource Name (ARN) of your key. For example, arn:aws:kms:us-east-1:111111111111:key/key-id.
Note: If you don't choose an AWS KMS key, then Amazon EC2 uses the target account's default key for Amazon Elastic Block Store (Amazon EBS) encryption.
Under Summary, choose Launch instance.

For more information, see Launch an EC2 instance using the launch instance wizard in the console.

Related information

How do I share an Amazon Machine Image (AMI) privately with another AWS account?

Instance-launching scenarios

Launch an Amazon EC2 instance

How do I launch an EC2 instance from a custom AMI?

Topics: Compute
Tags: Linux Amazon EC2 Windows
Language: English

AWS OFFICIALUpdated 6 months ago

No comments

Relevant content

Share AMIs across accounts
rePost-User-6940404
asked 2 years ago
Issue with Creating Spot Fleet Using Encrypted AMI from Another Account
Pyae Phyoe Shein
asked 5 months ago
AWS EC2 Image Builder share the encrypted AMI with other accounts
Accepted Answer
myronix88
asked 2 years ago
Difference between "Region settings-Target accounts" and "AMI sharing-AWS accounts" in ImageBuilder
Sonic
asked 8 months ago
EC2 image builder creating AMIs with encrypted volumes
Accepted Answer
aditya_kothari
asked 3 years ago
How do I use an encrypted AMI in my Auto Scaling group that another account shared with me?
AWS OFFICIALUpdated a year ago
How do I troubleshoot Amazon EC2 instance launch failures caused by AMI issues?
AWS OFFICIALUpdated 4 months ago
How do I troubleshoot distribution errors for encrypted AMIs in Image Builder?
AWS OFFICIALUpdated 3 years ago
How do I create, launch an instance from, or troubleshoot a custom AMI?
AWS OFFICIALUpdated 2 years ago
How to Remove Encryption from EBS Volumes Using Amazon S3?
SUPPORT ENGINEER
Aakash_S
published 5 months ago