Amazon EC2 AMI Lifecycle (Part 7)

By Ashwin Venugopal -

 




Resource permissions

To duplicate an AMI that has been shared with you from a different account, the owner of the original AMI needs to provide you with read access to the storage that supports the AMI, not merely for the AMI itself. This storage could be the linked EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance store-backed AMI). If the AMI being shared includes encrypted snapshots, the owner must also share the encryption key or keys with you.

Time-based AMI copy operations

When you commence a time-based AMI copy process for an EBS-backed AMI that has one associated snapshot, it operates similarly to an individual time-based snapshot copy process, and the same constraints on throughput are enforced.

When you start a time-based AMI copy operation for an EBS-backed AMI that has multiple associated snapshots, it functions similarly to simultaneous time-based snapshot copy operations, and the same throughput restrictions are enforced. Each associated snapshot leads to an individual snapshot copy request, all of which add to your overall snapshot copy throughput limit. The specified completion duration is applicable to each associated snapshot.

Encryption and Copying

Although you can create an encrypted snapshot from an unencrypted one by copying it, you cannot create an unencrypted snapshot by copying an encrypted one.

When copying an AMI without indicating encryption parameters, the original encryption status of the backing snapshot is maintained by default. Consequently, if the original AMI is associated with an unencrypted snapshot, the resulting target snapshot will also be unencrypted. Likewise, if the original AMI's snapshot is encrypted, the resulting target snapshot will carry the same encryption using the original AWS KMS key. For AMIs that are linked to multiple snapshots, each target snapshot reflects the encryption status of its respective source snapshot.

To modify the encryption status of the target backing snapshots during an AMI copy, you can define encryption parameters. The following example illustrates a non-standard scenario where encryption parameters are included with the CopyImage action to alter the encryption status of the target AMI.

Copy an unencrypted source AMI to an encrypted target AMI

In this situation, an AMI supported by an unencrypted root snapshot is duplicated to create an AMI with an encrypted root snapshot. The CopyImage action is executed with two encryption parameters, including a customer-managed key. Consequently, the encryption status of the root snapshot is modified, resulting in the target AMI being backed by a root snapshot that contains identical data to the source snapshot but is encrypted with the chosen key. You will incur storage costs for the snapshots in both AMIs, in addition to charges for any instances you initiate from either AMI.

Enabling the Encrypted parameter secures the individual snapshot for this instance. If the KmsKeyId parameter is not provided, the snapshot copy will be encrypted using the default customer-managed key.

 Conclusion

Various methods of copying an AMI are discussed.



































































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more