
How to migrate your AWS EC2 instance from one AWS account to another AWS account


If you need to transfer the contents of an EC2 instance to another AWS account, the steps below explain how to do it.

Create a role for KMS

By creating a KMS role, you can establish cross-account permissions that allow another AWS account to use your customer-managed KMS key. Without these permissions, the other account wouldn’t be able to access or use the key. 

  • Open the AWS Management Console and select “IAM” (Identity and Access Management). 
  • Click on “Roles” in the left navigation pane. 
  • Click “Create role” to start the role creation process. 
  • Choose the AWS service or entity that will assume the role. For a cross-account role, choose “Another AWS account” and enter the account ID. 
  • Create a custom policy: to create a policy manually, click “Create policy” and define the policy statement. This gives you more control over the permissions granted to the role. 
  • Define the policy statement, specifying the allowed actions and resources, like so:
{ 
	"Version": "2012-10-17",
	"Statement": [ 
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"kms:DescribeCustomKeyStores",
				"kms:ListKeys",
				"kms:DeleteCustomKeyStore",
				"kms:GenerateRandom",
				"kms:ListRetirableGrants",
				"kms:UpdateCustomKeyStore",
				"kms:ListAliases",
				"kms:DisconnectCustomKeyStore",
				"kms:CreateKey",
				"kms:ConnectCustomKeyStore",
				"kms:CreateCustomKeyStore"
			],
			"Resource": "*"
		},
		{
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": "kms:*",
			"Resource": [
				"arn:aws:kms:<region>:<account-id>:key/*",
				"arn:aws:kms:<region>:<account-id>:alias/*"
			]
		}
	]
}

Replace <region> and <account-id> with the region and the ID of the account you want to share the AMI/snapshot with. 

  • Review the role’s configuration, then click “Create role” to finalize it.

Create a customer-managed key

You need a customer-managed key to encrypt the AMI you will share with the second account; in fact, AWS will not allow you to share an AMI or snapshot that was encrypted with an AWS managed key with another account. 

The main reason a customer managed key is required is that the AMI will be encrypted. If it is encrypted with an AWS managed key, the second account would need to decrypt it in order to create an EC2 instance from the image, and an AWS managed key cannot be shared with another AWS account. A customer managed key, on the other hand, can be shared with whoever you choose; you simply describe this in the key policy. 

  • Navigate to the KMS service by searching for “KMS” in the search bar or by finding it under the “Security, Identity & Compliance” section. 
  • In the KMS console, click on “Customer managed keys” in the left-hand navigation pane.
  • Click on the “Create key” button. 
  • Select “Symmetric” for a symmetric encryption key or “Asymmetric” for an asymmetric key (e.g., RSA or ECC). Symmetric means the image is encrypted and decrypted with the same key, unlike an asymmetric key pair. 
  • Choose the key material origin: “KMS” to have AWS KMS generate the key material (recommended for most use cases). 
  • Give your key a name and a good description. 
  • Give the key administrator permission to delete the key. 
  • Specify which AWS principals (users, roles, or services) should have administrative permission over the key. Select the role you created earlier. 
  • For key users (the principals allowed to use the key for cryptographic operations), select the role you created earlier. 
  • In the option below that, select “Add another AWS account” and enter the ID of the account you want to share the AMI with.
  • Review the key configuration details and ensure everything is correct. 
  • Click on the “Create key” button to create the customer-managed key. 
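The key policy the steps above produce, written out, together with an audit helper that lists which outside accounts a key policy lets decrypt with the key. This is an added example and not code from the original post; the account IDs and the admin role ARN are constructed placeholders, and the last two statements are the ones the KMS console writes for the “Add another AWS account” option.

```python
import re
from fnmatch import fnmatchcase


def _allow(sid, principal_arn, actions, condition=None):
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal_arn},
          "Action": actions, "Resource": "*"}
    return {**st, "Condition": condition} if condition else st


def cross_account_key_policy(owner_account, admin_role_arn, target_account):
    """Key policy for the customer-managed key. The grant statement is what
    lets EC2 in the target account attach a volume decrypted with this key."""
    root = "arn:aws:iam::{}:root"
    return {"Version": "2012-10-17", "Statement": [
        _allow("Enable IAM policies in the owning account",
               root.format(owner_account), "kms:*"),
        _allow("Allow key administration by the role created earlier",
               admin_role_arn, ["kms:Describe*", "kms:Enable*", "kms:Disable*",
               "kms:Put*", "kms:Update*", "kms:ScheduleKeyDeletion",
               "kms:CancelKeyDeletion"]),
        _allow("Allow use of the key", root.format(target_account),
               ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]),
        _allow("Allow attachment of persistent resources",
               root.format(target_account),
               ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
               {"Bool": {"kms:GrantIsForAWSResource": "true"}}),
    ]}


def accounts_that_can_decrypt(policy, owner_account):
    """Audit helper: account IDs other than the owner whose principals are
    allowed kms:Decrypt by this key policy ('*' means any AWS principal)."""
    found = set()
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # fnmatchcase handles wildcard actions such as kms:* or kms:Dec*
        if st.get("Effect") != "Allow" or not any(
                fnmatchcase("kms:Decrypt", a) for a in actions):
            continue
        principals = st.get("Principal", {})
        if isinstance(principals, dict):
            principals = principals.get("AWS", [])
        for p in [principals] if isinstance(principals, str) else principals:
            m = re.fullmatch(r"arn:aws:iam::(\d{12}):.*", p)
            if p == "*":
                found.add("*")
            elif m and m.group(1) != owner_account:
                found.add(m.group(1))
    return found
```

Run `accounts_that_can_decrypt` over the policy returned by `aws kms get-key-policy` to confirm that only the intended account was added, and that no statement uses the `*` principal.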

Create AMI Image or snapshot you want to share

Now you can create the AMI or snapshot you want to share with the other AWS account; ensure it is encrypted with the customer-managed key you created.

If you want to create a snapshot or AMI from a running instance whose volume is encrypted with an AWS managed key, first create the snapshot or AMI with the AWS managed key, then copy that snapshot or AMI using your customer managed key.

Share AMI with another account 

  • Stop the Instance: Once the instance is set up, stop the instance to create an AMI from it. 
  • Create the AMI: In the EC2 console, go to the Instances section, right-click the stopped instance, and select Image and templates > Create image. 
  • Enable encryption: In the Create image window, check the box to encrypt the EBS snapshot(s) used to create the AMI and select the customer-managed key you created earlier. 
  • Complete AMI Creation: Provide a name and description for the AMI, and click “Create image”. 
  • Share the AMI: In the EC2 console, navigate to the “AMIs” section, select the AMI you created, and click on “Modify image permissions”. 
  • Add Account ID: In the “Modify image permissions” window, enter the AWS account ID you want to share the AMI with and click Add permission.

Share snapshot with another account

You can create a snapshot from a running EC2 instance by following the procedure below. 

  • Navigate to the EC2 dashboard. 
  • Select Snapshots from the options on the left. 
  • You will see all the snapshots you have in that region; click Create snapshot. 
  • Select Volume to create a snapshot directly from a volume, or select Instance to create a snapshot of a multi-volume EC2 instance. 
  • Select the intended instance or volume in the Instance ID or Volume ID field. 
  • Give your snapshot a detailed description so you can recall why you created it. 
  • Click Create snapshot to complete the process. 

Ensure the snapshot is encrypted with your customer-managed key. 

Access the AMI or snapshot from your other AWS account 

Locate the EC2 dashboard using the Services button or the search bar. 

Click AMIs or Snapshots in the left-side options. 

As shown in the screenshot below, select the option for private or public snapshots or AMIs; this lets you see the snapshots that have been shared with you rather than only the ones you created yourself. 

I noticed that I couldn’t convert the snapshot directly to an AMI, so I copied the snapshot to another snapshot, this time using my account’s KMS key, and I could create the AMI from the copy of the snapshot.

Conclusion

You have now created a customer-managed key and encrypted your AMI, volume or snapshot with it, which lets you share the AMI, snapshot, or volume with other AWS accounts. If you had difficulty creating a snapshot or AMI encrypted with your customer-managed key directly from an EC2 instance, create the AMI or snapshot with the AWS managed key first, then create a copy of it encrypted with your customer managed key.
