AWS EC2 Image Builder share the encrypted AMI with other accounts

0

Hi,

I have a problem with sharing the encrypted AMI with other accounts. I have this error:

 AMI Copy Reported Failure For 'ami-some_ami' when distributing the image from the source account (ID: 111) to the destination account (ID: 111) in Region eu-south-1.'

What I have:

  1. Account 111 is in AWS Organizations and have this KMS key and permissions:
"Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GetKeyPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-000"
                }
            }
        },
  1. Account 222 is in Organization so this account should be able to access the key.

  2. I read that

If you want to copy an image created with Image Builder to another account, you must create the EC2ImageBuilderDistributionCrossAccountRole role in all of the target accounts, and attach the Ec2ImageBuilderCrossAccountDistributionAccess policy managed policy to the role. For more information, see Share EC2 Image Builder resources.

So, I created this role in Account 222. Role looks this way:

Trusted ent:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:ModifyImageAttribute"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": "*"
        }
    ]
}

Maybe someone had a similar issue, thanks for the help.

2 Answers
1

So your source account is 111 and target 222

The Assume Role in Target 222 does not not look in correct. You need to allow 111 in the trust not 222 because your allowing account 111 to assume this role, so we "Trust" that account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Also the role in account 222 needs to have the policy Ec2ImageBuilderCrossAccountDistributionAccess attached to the role.

profile picture
EXPERT
answered 7 months ago
profile picture
EXPERT
reviewed 22 days ago
  • Yes, I tried, but still I got the same error. I used those steps for account 222:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "imagebuilder.amazonaws.com", "AWS": "arn:aws:iam::111:root" }, "Action": "sts:AssumeRole", "Condition": {} } ] }

  • Did you attach the policy?

  • Yes, policy is attached. I think that the problem could be that I need multi region KMS key, as this second account is in different region.

  • I don’t think you can have a service and AWS principal in the same statement.

0
Accepted Answer

Fixed it by creating another KMS key in another region. Then by using Launch Configuration use this KMS key. Role is not needed.

profile picture
answered 7 months ago
profile picture
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions