Amazon EC2 AMI Lifecycle (Part 7)
Resource permissions
To duplicate an AMI that
has been shared with you from a different account, the owner of the original
AMI needs to provide you with read access to the storage that supports the AMI,
not merely for the AMI itself. This storage could be the linked EBS snapshot
(for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance
store-backed AMI). If the AMI being shared includes encrypted snapshots, the
owner must also share the encryption key or keys with you.
Time-based AMI copy
operations
When you commence a
time-based AMI copy process for an EBS-backed AMI that has one associated
snapshot, it operates similarly to an individual time-based snapshot copy
process, and the same constraints on throughput are enforced.
When you start a
time-based AMI copy operation for an EBS-backed AMI that has multiple
associated snapshots, it functions similarly to simultaneous time-based
snapshot copy operations, and the same throughput restrictions are enforced.
Each associated snapshot leads to an individual snapshot copy request, all of
which add to your overall snapshot copy throughput limit. The specified
completion duration is applicable to each associated snapshot.
Encryption and Copying
Although you can create
an encrypted snapshot from an unencrypted one by copying it, you cannot create
an unencrypted snapshot by copying an encrypted one.
When copying an AMI
without indicating encryption parameters, the original encryption status of the
backing snapshot is maintained by default. Consequently, if the original AMI is
associated with an unencrypted snapshot, the resulting target snapshot will
also be unencrypted. Likewise, if the original AMI's snapshot is encrypted, the
resulting target snapshot will carry the same encryption using the original AWS
KMS key. For AMIs that are linked to multiple snapshots, each target snapshot
reflects the encryption status of its respective source snapshot.
To modify the encryption
status of the target backing snapshots during an AMI copy, you can define
encryption parameters. The following example illustrates a non-standard
scenario where encryption parameters are included with the CopyImage action to
alter the encryption status of the target AMI.
Copy an unencrypted
source AMI to an encrypted target AMI
In this situation, an AMI
supported by an unencrypted root snapshot is duplicated to create an AMI with
an encrypted root snapshot. The CopyImage action is executed with two
encryption parameters, including a customer-managed key. Consequently, the
encryption status of the root snapshot is modified, resulting in the target AMI
being backed by a root snapshot that contains identical data to the source
snapshot but is encrypted with the chosen key. You will incur storage costs for
the snapshots in both AMIs, in addition to charges for any instances you
initiate from either AMI.
Enabling the Encrypted
parameter secures the individual snapshot for this instance. If the KmsKeyId
parameter is not provided, the snapshot copy will be encrypted using the
default customer-managed key.
Comments
Post a Comment