
How do I troubleshoot errors when I copy AMIs between different Regions or Accounts?


I want to copy an Amazon Machine Image (AMI) from one AWS Region or AWS account to another Region or account. However, the copy fails with a permissions error.

Resolution

To copy an AMI between Regions or accounts, the identity that runs the copy needs permissions on the AMI and on its components: the Amazon Elastic Block Store (Amazon EBS) snapshots behind the AMI and, for an encrypted AMI, the AWS Key Management Service (AWS KMS) key that encrypts those snapshots. Each of the errors below points at one of these.

Troubleshoot permissions errors

Missing IAM permissions

If your AWS Identity and Access Management (IAM) user or role doesn't have the required AMI copy permissions, then you receive the following error message:

"You are not authorized to perform this operation"

To troubleshoot this issue, make sure that the IAM user or role that runs the copy has an identity policy that allows the ec2:CopyImage action. For an encrypted AMI, the same identity also needs the AWS KMS permissions described in the encrypted AMI section of this article.

Missing permissions for AMI storage access

If you copy a shared AMI and the destination account doesn't have access to the associated snapshots, then you receive the following error message:

"You do not have permission to access the storage of this AMI"

To resolve this issue for an AMI that's not from the AWS Marketplace, complete the following steps:

  1. To share the source AMI, choose Edit AMI permissions.
  2. Select Add 'Create volume' permission to associated snapshots when creating account permissions.
  3. Share the source AMI with the destination account.
    Note: If you already shared the AMI without this option, then remove the destination account from the AMI's permissions in the source account, and then share the AMI again with the Create volume permission selected. The snapshots, not only the AMI, must be shared with the destination account.

To resolve this issue for an AWS Marketplace AMI, you must use the AMI to launch an instance. Then, create a new AMI from the instance. You can't directly copy AWS Marketplace AMIs across accounts.
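The state that produces this error is an AMI that is shared with the destination account while one or more of the EBS snapshots behind it are not. The following added example (not code from this article; the account IDs, resource IDs and API responses are constructed to match the shapes returned by `aws ec2 describe-images`, `aws ec2 describe-image-attribute --attribute launchPermission` and `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`) walks the AMI's block device mappings and reports which snapshots the destination account still can't create volumes from, so you know exactly which snapshots to share:

```python
"""Diagnose 'You do not have permission to access the storage of this AMI'
offline, from the JSON that three EC2 describe calls return.
Added example, not code from the AWS page; every ID and response below is
constructed to match the real response shapes."""

DEST_ACCOUNT = "222222222222"   # constructed destination account ID
AMI = "ami-0f1e2d3c4b5a69788"   # constructed AMI ID

# describe-images output for the shared AMI: a root EBS volume, a data EBS
# volume and an instance-store mapping (which has no snapshot behind it).
DESCRIBE_IMAGES = {"Images": [{
    "ImageId": AMI,
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa"}},
        {"DeviceName": "/dev/sdf",  "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb"}},
        {"DeviceName": "/dev/sdb",  "VirtualName": "ephemeral0"},
    ],
}]}

# describe-image-attribute --attribute launchPermission: the AMI itself is shared.
LAUNCH_PERMISSION = {"ImageId": AMI,
                     "LaunchPermissions": [{"UserId": DEST_ACCOUNT}]}

# describe-snapshot-attribute --attribute createVolumePermission, per snapshot:
# only the root snapshot was shared; the data snapshot was forgotten.
SNAPSHOT_ATTRIBUTES = {
    "snap-0aaaaaaaaaaaaaaaa": {"CreateVolumePermissions": [{"UserId": DEST_ACCOUNT}]},
    "snap-0bbbbbbbbbbbbbbbb": {"CreateVolumePermissions": []},
}


def ami_snapshot_ids(describe_images, image_id):
    """EBS snapshot IDs referenced by the AMI's block device mappings.
    Instance-store mappings carry no 'Ebs' key and are skipped."""
    for image in describe_images["Images"]:
        if image["ImageId"] == image_id:
            return [m["Ebs"]["SnapshotId"] for m in image["BlockDeviceMappings"]
                    if "SnapshotId" in m.get("Ebs", {})]
    raise KeyError(f"{image_id} not in describe-images output")


def _granted(entries, account_id):
    # Both attributes use the same entry shape: {"UserId": ...} or {"Group": "all"}.
    return any(e.get("UserId") == account_id or e.get("Group") == "all" for e in entries)


def diagnose(image_id, account_id, describe_images, launch_permission, snapshot_attributes):
    """Report which shares the destination account is missing. An AMI that is
    shared while some of its snapshots are not is exactly the state that
    produces the storage-access error on copy."""
    missing = [
        snap for snap in ami_snapshot_ids(describe_images, image_id)
        if not _granted(snapshot_attributes.get(snap, {}).get("CreateVolumePermissions", []),
                        account_id)
    ]
    return {
        "ami_shared": _granted(launch_permission["LaunchPermissions"], account_id),
        "snapshots_missing_create_volume": missing,
    }


if __name__ == "__main__":
    print(diagnose(AMI, DEST_ACCOUNT, DESCRIBE_IMAGES, LAUNCH_PERMISSION, SNAPSHOT_ATTRIBUTES))
```

To run it against a real AMI, replace the three constructed responses with the parsed JSON from the corresponding CLI calls in the source account. Every snapshot the function lists is one to share with `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type add --user-ids <destination account ID>`.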

Troubleshoot encrypted AMI and AWS KMS key issues

For an encrypted AMI, the snapshots behind it are encrypted with an AWS KMS key in the source account. During the copy, the destination account must be able to use that key (kms:DescribeKey, kms:Decrypt, kms:ReEncrypt* and kms:CreateGrant), so the source key's key policy must grant the destination account access. Because AWS KMS keys are Regional, the copy is re-encrypted with a key in the destination Region: the destination account's default key for Amazon EBS encryption, or a key that you specify when you copy.

Granting the destination account in the key policy gives that account's root permission to delegate key use, but it does not by itself authorize individual users or roles in the destination account. To configure permissions for encrypted AMIs, give the destination account access to the source key in its key policy, and then create an IAM policy in the destination account that allows the same actions on the key's ARN.

Give the destination account access to the key

To give the destination account access to the source key, complete the following steps in the source account:

  1. Open the AWS KMS console.
  2. In the navigation pane, choose Customer managed keys.
  3. Select the AWS KMS key that you used to encrypt the AMI.
  4. Under Key policy, for Default view, choose Add other AWS accounts.
  5. Enter the destination account ID.
  6. Choose Save changes.
  7. For Policy view, choose Edit.
  8. Confirm that the Statement array of the key policy contains the following two statements (the Add other AWS accounts step in the Default view adds them for the destination account), and add them if they're missing:
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": {"AWS": [
                "arn:aws:iam::SOURCE_ACCOUNT_ID:user/KeyUser",
                "arn:aws:iam::DESTINATION_ACCOUNT_ID:root"
              ]},
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow attachment of persistent resources",
              "Effect": "Allow",
              "Principal": {"AWS": [
                "arn:aws:iam::SOURCE_ACCOUNT_ID:user/KeyUser",
                "arn:aws:iam::DESTINATION_ACCOUNT_ID:root"
              ]},
              "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
              ],
              "Resource": "*",
              "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
            }
    Note: Replace SOURCE_ACCOUNT_ID with your source account ID and DESTINATION_ACCOUNT_ID with your destination account ID. The arn:aws:iam::SOURCE_ACCOUNT_ID:user/KeyUser principal is an example of a source-account user that also uses the key; replace it with your own user or role, or remove it. In a key policy, "Resource": "*" refers to the key that the policy is attached to. The kms:GrantIsForAWSResource condition limits grant creation to grants that an AWS service (here Amazon EC2) creates on the principal's behalf.

Create an IAM policy for the destination account to have key access

Create an IAM policy in the destination account.

Example policy:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowUseOfTheKey",
                  "Effect": "Allow",
                  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
                  "Resource": ["KEY_ARN"]
              },
              {
                  "Sid": "AllowAttachmentOfPersistentResources",
                  "Effect": "Allow",
                  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                  "Resource": ["KEY_ARN"],
                  "Condition": {
                      "Bool": {
                          "kms:GrantIsForAWSResource": true
                      }
                  }
              }
          ]
      }

Note: Replace KEY_ARN with the Amazon Resource Name (ARN) of the source account's AWS KMS key (the key that encrypts the AMI's snapshots). The key ARN, not only the key ID, is required because the key belongs to another account.

Then, attach the policy to the IAM users or roles who need to work with the encrypted AMI.
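Both the "Missing IAM permissions" section and the key-policy steps above describe policies that are easy to get subtly wrong: a wildcard that doesn't cover the action, a condition that never matches, or the destination account written as a specific user ARN rather than its root. The following added example, not code from this article, is a small offline evaluator for policy documents. The key policy it checks is the one built in the steps above, with constructed account IDs 111111111111 (source) and 222222222222 (destination); the identity policy is a constructed one for the role that calls CopyImage. `missing_kms_actions` lists what the destination account still can't do on the source key, and `can_copy_image` checks the caller's own policy for ec2:CopyImage:

```python
"""Offline evaluator for the policies this article asks you to write.
Added example, not code from the AWS page; it models the parts of IAM policy
evaluation that matter here (explicit Deny wins, '*'/'?' wildcards in Action
and Resource, Principal matching for the resource-based key policy, the Bool
condition operator). All policies and account IDs below are constructed."""
import fnmatch

# What the destination account must be allowed on the source key to copy an
# encrypted AMI; the page's two key-policy statements cover these (ReEncrypt*
# and GenerateDataKey* through wildcards).
KMS_ACTIONS_FOR_COPY = [
    "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant",
]
SOURCE, DEST = "111111111111", "222222222222"  # constructed account IDs

# Source-account key policy after the page's steps: the default root statement
# plus the two statements that admit the destination account.
SOURCE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{SOURCE}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{SOURCE}:user/KeyUser",
                           f"arn:aws:iam::{DEST}:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{SOURCE}:user/KeyUser",
                           f"arn:aws:iam::{DEST}:root"]},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
]}
# Identity policy on the destination-account role that calls CopyImage.
COPIER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CopyImage", "ec2:DescribeImages"],
     "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, text):
    # Action/Resource patterns are case-insensitive with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())

def _principal_ok(stmt, identities):
    # Identity policies carry no Principal element; key policies always do.
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or any(p in identities for p in allowed)

def _condition_ok(condition, context):
    # Only Bool is modelled; any other operator counts as unsatisfied, so an
    # unexpected condition surfaces as a missing permission rather than hiding.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            return False
        for key, wanted in pairs.items():
            if str(context.get(key)).lower() != str(wanted).lower():
                return False
    return True

def evaluate(policy, action, identities=frozenset(), resource="*", context=None):
    """Return 'allow', 'deny' or 'implicit-deny' for one action under one policy."""
    context = context or {}
    decision = "implicit-deny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _principal_ok(stmt, identities) or not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny overrides every Allow
        decision = "allow"
    return decision

def missing_kms_actions(key_policy, account_id):
    """Actions from KMS_ACTIONS_FOR_COPY the key policy does not grant the account
    (addressed by ID or root ARN). EC2 creates the grant on the account's behalf,
    which is what satisfies the kms:GrantIsForAWSResource condition."""
    identities = {account_id, f"arn:aws:iam::{account_id}:root"}
    context = {"kms:GrantIsForAWSResource": True}
    return [a for a in KMS_ACTIONS_FOR_COPY
            if evaluate(key_policy, a, identities, context=context) != "allow"]

def can_copy_image(identity_policy, resource="*"):
    """True if the caller's identity policy allows ec2:CopyImage on the resource."""
    return evaluate(identity_policy, "ec2:CopyImage", resource=resource) == "allow"


if __name__ == "__main__":
    print("destination still lacks on the key:", missing_kms_actions(SOURCE_KEY_POLICY, DEST))
    print("caller may call CopyImage:", can_copy_image(COPIER_POLICY))
```

To check a real key, parse the JSON string that `aws kms get-key-policy --key-id <key> --policy-name default` returns and pass it in place of SOURCE_KEY_POLICY. The evaluator is deliberately conservative: it understands only the Bool operator, so any other condition on a statement is reported as a gap for you to review rather than assumed to pass, and it knows nothing about service control policies or permissions boundaries, which can still deny a call that these policies allow.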

Related information

Share the AWS KMS key used to encrypt a shared Amazon EBS snapshot

Why can't I launch EC2 instances from my copied AMI?
