Amazon EC2 AMI Lifecycle (Part 7)

 




Resource permissions

To duplicate an AMI that has been shared with you from a different account, the owner of the original AMI needs to provide you with read access to the storage that supports the AMI, not merely for the AMI itself. This storage could be the linked EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance store-backed AMI). If the AMI being shared includes encrypted snapshots, the owner must also share the encryption key or keys with you.

Time-based AMI copy operations

When you commence a time-based AMI copy process for an EBS-backed AMI that has one associated snapshot, it operates similarly to an individual time-based snapshot copy process, and the same constraints on throughput are enforced.

When you start a time-based AMI copy operation for an EBS-backed AMI that has multiple associated snapshots, it functions similarly to simultaneous time-based snapshot copy operations, and the same throughput restrictions are enforced. Each associated snapshot leads to an individual snapshot copy request, all of which add to your overall snapshot copy throughput limit. The specified completion duration is applicable to each associated snapshot.

Encryption and Copying

Although you can create an encrypted snapshot from an unencrypted one by copying it, you cannot create an unencrypted snapshot by copying an encrypted one.

When copying an AMI without indicating encryption parameters, the original encryption status of the backing snapshot is maintained by default. Consequently, if the original AMI is associated with an unencrypted snapshot, the resulting target snapshot will also be unencrypted. Likewise, if the original AMI's snapshot is encrypted, the resulting target snapshot will carry the same encryption using the original AWS KMS key. For AMIs that are linked to multiple snapshots, each target snapshot reflects the encryption status of its respective source snapshot.

To modify the encryption status of the target backing snapshots during an AMI copy, you can define encryption parameters. The following example illustrates a non-standard scenario where encryption parameters are included with the CopyImage action to alter the encryption status of the target AMI.

Copy an unencrypted source AMI to an encrypted target AMI

In this situation, an AMI supported by an unencrypted root snapshot is duplicated to create an AMI with an encrypted root snapshot. The CopyImage action is executed with two encryption parameters, including a customer-managed key. Consequently, the encryption status of the root snapshot is modified, resulting in the target AMI being backed by a root snapshot that contains identical data to the source snapshot but is encrypted with the chosen key. You will incur storage costs for the snapshots in both AMIs, in addition to charges for any instances you initiate from either AMI.

Enabling the Encrypted parameter secures the individual snapshot for this instance. If the KmsKeyId parameter is not provided, the snapshot copy will be encrypted using the default customer-managed key.

 Conclusion

Various methods of copying an AMI are discussed.



































































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Deployment (Part 2)