[EC2] Copying an Instance Encrypted with KMS to Another Account


Issue

An EC2 and RDS instance encrypted with AWS KMS (Key Management Service) is running in Account A. How can these resources be moved to Account B? 

Description 

To transfer EC2 and RDS instances encrypted with an AWS-managed key to another account, the basic method is to create an AMI of the server you want to move in Account A, share it with another account, and then launch a server using that AMI in Account B.

However, encrypted AMIs can only be shared with another AWS account if the AMI is encrypted using a CMK (Customer Managed Key). For more details, please refer to the document attached in the reference link [1]. (In other words, sharing is not possible if the AMI is encrypted with an AWS-managed key.)

Solution 

You cannot directly change the KMS key on an encrypted snapshot. However, it is possible to copy the snapshot and assign a CMK when creating the new snapshot copy.

To perform this operation on an existing AMI, follow the steps below.
(The step descriptions are quoted from the original English to avoid confusion.)

Step 1: Create Customer Managed CMK [2]

  • On the AWS Console, Navigate to Key Management Service (KMS)

  • Select Customer managed keys and then select create key

  • Choose Symmetric and Under Advanced options select "KMS". Click Next. You can add an alias of your choice and proceed further.

  • Choose the IAM users and roles who can administer this key through the KMS API.

  • Select the IAM users and roles that can use the CMK in cryptographic operations.

  • Review the policy and click Finish.

Step 2: Create a snapshot (or use an existing one) and copy it, specifying the Customer Managed Key created in step 1 to encrypt the snapshot copy [3]. Then, you may create an image (AMI) encrypted with the CMK from that snapshot.

Step 3: Modify the CMK policy to allow access to cross account user [4].

Step 4: Add cross-account access to the snapshot, following steps 6-9 in [5].

Step 5: Allow users in other accounts to gain access to CMK [6].

Additionally, please refer to the blog post [7] listed under references, which walks through sharing encrypted AMIs across accounts to launch encrypted EC2 instances.
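The five steps above produce three concrete artifacts: the CopySnapshot request that re-encrypts the snapshot under the CMK (step 2), the snapshot-sharing request (step 4), and the CMK key policy that lets Account B use the key (steps 3 and 5). The script below, an added example that is not part of this article or of AWS's own tooling, builds all three and then reviews the key policy the way a defender would before applying it: the external account must receive only the cryptographic and grant actions it needs, and the grant actions must carry the `kms:GrantIsForAWSResource` condition (the standard KMS key-policy pattern for cross-account EBS use). The account IDs, key ID and snapshot ID are constructed placeholders; the key-policy statement Sids and the `review_key_policy` helper are this example's own names.

```python
"""Build and review the artifacts for sharing a CMK-encrypted AMI across accounts.

Constructed placeholder identifiers: replace with your own account IDs,
CMK key ID and snapshot ID. Nothing here calls AWS; the dicts map 1:1 to the
boto3 calls named in the usage note.
"""
import json

SOURCE_ACCOUNT = "111111111111"   # Account A: owns the snapshot and the CMK (placeholder)
TARGET_ACCOUNT = "222222222222"   # Account B: launches from the shared AMI (placeholder)
REGION = "eu-central-1"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # placeholder CMK key ID
SNAPSHOT_ID = "snap-0123456789abcdef0"            # placeholder source snapshot

# Cryptographic actions Account B needs to create volumes from the snapshot.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
# Grant actions EC2/EBS needs; restricted below to grants made by AWS services.
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(source_account=SOURCE_ACCOUNT, target_account=TARGET_ACCOUNT):
    """Key policy for steps 3 and 5: Account A administers, Account B may only use."""
    return {
        "Version": "2012-10-17",
        "Id": "cross-account-ami-share",
        "Statement": [
            {"Sid": "EnableRootPermissions",
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
             "Action": "kms:*",
             "Resource": "*"},
            {"Sid": "AllowUseOfTheKeyByAccountB",
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{target_account}:root"},
             "Action": USE_ACTIONS,
             "Resource": "*"},
            {"Sid": "AllowAttachmentOfPersistentResources",
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{target_account}:root"},
             "Action": GRANT_ACTIONS,
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def copy_snapshot_params(source_snapshot_id, key_id, region):
    """Step 2: EC2 CopySnapshot parameters that re-encrypt the copy under the CMK."""
    return {"SourceRegion": region, "SourceSnapshotId": source_snapshot_id,
            "Encrypted": True, "KmsKeyId": key_id,
            "Description": "copy re-encrypted with customer managed key"}


def share_snapshot_params(snapshot_id, target_account):
    """Step 4: EC2 ModifySnapshotAttribute parameters that share the copy with Account B."""
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "OperationType": "add", "UserIds": [target_account]}


def review_key_policy(policy, owner_account):
    """Return findings for any statement that over-privileges an external account."""
    allowed = set(USE_ACTIONS) | set(GRANT_ACTIONS)
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", "*")
        arns = principal if principal == "*" else principal.get("AWS", [])
        if principal == "*" or arns == "*":
            findings.append(f"{sid}: wildcard principal")
            continue
        arns = [arns] if isinstance(arns, str) else arns
        actions = st["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for arn in arns:
            account = arn.split(":")[4]       # arn:aws:iam::<account>:root
            if account == owner_account:
                continue                      # key administrators stay in Account A
            extra = set(actions) - allowed
            if extra:
                findings.append(f"{sid}: {account} granted {sorted(extra)}")
            cond = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if any(a in GRANT_ACTIONS for a in actions) and cond != "true":
                findings.append(f"{sid}: grant actions without GrantIsForAWSResource condition")
    return findings


if __name__ == "__main__":
    policy = build_key_policy()
    print(json.dumps(policy, indent=2))
    print(copy_snapshot_params(SNAPSHOT_ID, KEY_ID, REGION))
    print(share_snapshot_params("snap-<id of the copy>", TARGET_ACCOUNT))
    print("policy findings:", review_key_policy(policy, SOURCE_ACCOUNT))
```

With boto3 the dicts are passed unchanged: `ec2.copy_snapshot(**copy_snapshot_params(...))` in Account A, `ec2.modify_snapshot_attribute(**share_snapshot_params(...))` on the returned copy, and `kms.put_key_policy(KeyId=KEY_ID, PolicyName="default", Policy=json.dumps(policy))` for the key; run `review_key_policy` first and apply the policy only when it returns an empty list. The CMK must live in the same region as the snapshot copy, and the AMI registered from that copy inherits the CMK, which is what makes it shareable.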

References:
[1] Use encryption with EBS-backed AMIs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
[2] Creating CMKs - https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
[3] Copy an EBS snapshot - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html#ebs-snapshot-copy
[4] Modifying CMK policy - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
[5] Modifying snapshot permissions - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-encrypted-snapshot
[6] Modifying accounts to gain CMK access - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
[7] How to share encrypted AMIs across accounts - https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/
