How do I share encrypted AMIs across AWS accounts to launch encrypted EC2 instances?

5 minute read

I want to share encrypted Amazon Machine Images (AMIs) across AWS accounts to launch encrypted Amazon Elastic Compute Cloud (Amazon EC2) instances.

Resolution

Follow these prerequisites and steps to share encrypted AMIs and then launch encrypted instances.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Prerequisites

AWS accounts

To share an AMI, you need these two types of AWS accounts:

Source account: An AWS account used to build a custom AMI and then encrypt the associated Amazon Elastic Block Store (Amazon EBS) snapshots.
Target account: An AWS account used to launch encrypted EC2 instances with shared custom AMIs.

The example in this article uses account ID 111111111111 for the source account and account ID 999999999999 for the target account.

Customer managed AWS KMS key

Customer managed keys are AWS Key Management Service (AWS KMS) keys that you create. Create an AWS KMS key in the source account in the same AWS Region.

The example in this article uses an AWS KMS key with the alias cmkSource under the source account ID 111111111111 in the us-east-1 Region. The alias cmkSource encrypts AMI ID ami-1234578 and then shares it with the target account ID 999999999999.
Note: Make sure that you also review the limitations and best practices.

Create an IAM user or role policy for the source account

Follow these steps to use AWS Identity and Access Management (IAM) to create a user or role policy for the source account. Then, add the target account ID to the AWS KMS key policy.

Create an IAM user or role policy for the source account like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyImageAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1::image/12345678"
      ]
    }
  ]
}

Open the AWS KMS console.
In the navigation pane, choose Customer managed keys, and then choose your AWS KMS key. For example, cmkSource.
In Other AWS accounts, choose Add other AWS accounts, and then choose Add another AWS account.
In the arn:aws:iam:: field, enter the ID of your target account. For example, 999999999999.
Choose Save changes.

Create an IAM user or role policy setting for the target account

Create an IAM user or role policy for the target account like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlainText"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": [
        "arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

This policy allows you to use the AWS KMS key from the source account to encrypt new instances launched from the target account.

Share the AMI with the target account

Follow these steps to share an AMI:

Note: You can't share an AMI from different AWS Regions. You can copy the AMI and then share it or launch it in a new Region. For more information, see How do I create an AMI in one AWS Region and then copy it to another?

Launch an instance from the shared encrypted AMI

Follow these steps to launch an instance from the shared encrypted AMI

Open the EC2 console.
In the navigation pane, choose EC2 Dashboard, and then choose Launch instance.
Under Names and tags, for Name, enter a name for your instance.
Under Application and OS Images (Amazon Machine Image), choose Browse more AMIs to find the shared encrypted AMI. Choose My AMIs, and then choose Shared with me.
Under Instance type, choose an instance type.
Under Key pair (login), for Key pair name, choose a key pair. Or, create a new one.
(Optional) Under Network settings, choose Edit, and then choose your VPC and Subnet.
Under Configure storage, choose Advanced.
Under EBS Volumes, expand Volume.
Under Encrypted, choose Encrypted.
Under KMS key, choose Specify a custom value, and enter the full ARN. For example, 'arn:aws:kms:us-east-1:111111111111:key/key-id of cmkSource'.
Note: If you don't choose an AWS KMS key, then the default KMS key for EBS encryption from the target account is used.
Under Summary, choose Launch instance.

For more information, see Use the new launch instance wizard to launch an instance.

Note: The steps to launch an instance from a shared encrypted AMI are the same as for an instance with a custom AMI. For more information, see How do I launch an EC2 instance from a custom AMI?

Related information

How do I share an Amazon Machine Image (AMI) privately with another AWS account?

Instance-launching scenarios

Launch your instance

Topics

Compute

Relevant content

How To Transfer an encrypted AMI to Another User Account
tonyj
asked a year ago
ELB encryption and attaching to EC2
Kazman
asked 8 months ago
Share AMIs across accounts
Arjun Goel
asked 4 months ago
AWS S3 object encryption and share
rePost-User-olmec
asked 7 months ago
AWS EC2 Image Builder share the encrypted AMI with other accounts
Accepted Answer
myronix88
asked 7 months ago
How do I create an encrypted AMI for AWS Batch?
AWS OFFICIALUpdated 3 years ago
I can't use Amazon EC2 Auto Scaling to launch EC2 instances with encrypted AMIs or encrypted volumes
AWS OFFICIALUpdated 8 months ago
How do I troubleshoot distribution errors for encrypted AMIs in Image Builder?
AWS OFFICIALUpdated 2 years ago
How can I view encryption information about my AMI or snapshot?
AWS OFFICIALUpdated 9 months ago
AWS Transfer Family supports self-signed TLS certificates and 3DES encryption for sending AS2 messages
EXPERT
AWS
published 14 days ago