Default policy for EBS-backed AMIs - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Default policy for EBS-backed AMIs

The following procedure shows you how to create a default policy for EBS-backed AMIs.

Console
To create a default policy for EBS-backed AMIs
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation panel, choose Lifecycle Manager and then choose Create lifecycle policy.

  3. For Policy type, choose Default policy and then choose EBS-backed AMI policy.

  4. For Description, enter a brief description for the policy.

  5. For IAM role, choose the IAM role that has permissions to manage AMIs.

    We recommend that you choose Default to use the default IAM role provided by Amazon Data Lifecycle Manager. However, you can also use a custom IAM role that you previously created.

  6. For Creation frequency, specify how often you want the policy to run and create AMIs from your instances.

    The frequency that you specify also determines which instances are backed up. The policy will only back up instances that have not been backed up by any other means within the specified frequency. For example, if you specify a creation frequency of 3 days, the policy will only create AMIs from instances that have not been backed up within the last 3 days.

  7. For Retention period, specify how long you want the policy to retain the AMIs that it creates. When an AMI reaches the retention threshold, it is automatically deregistered and its associated snapshots are deleted. The retention period must be greater than or equal to the creation frequency.

  8. (Optional) Configure the Exclusion parameters to exclude specific instances from the scheduled backups. Excluded instances will not be backed up when the policy runs.

    1. To exclude instances that have specific tags, choose Add tag, and then specify the tag keys and values. The policy will not create AMIs from instances that have any of the specified tags.

  9. (Optional) In the Advanced settings, specify additional actions that the policy should perform.

    1. To copy assigned tags from the source instances to their AMIs, select Copy tags from instances.

    2. With Extend deletion disabled:

      • If a source instance is terminated, Amazon Data Lifecycle Manager continues to deregister previously created AMIs up to, but not including, the last one based on the retention period. If you want Amazon Data Lifecycle Manager to deregister all AMIs, including the last one, select Extend deletion.

      • If a policy is deleted or enters the error or disabled state, Amazon Data Lifecycle Manager stops deregistering AMIs. If you want Amazon Data Lifecycle Manager to continue deregistering AMIs, including the last one, select Extend deletion.

      Note

      If you enable extended deletion, you override both behaviors described above simultaneously.

    3. To copy AMIs created by the policy to other Regions, select Create cross-Region copy and then select up to 3 destination Regions.

      • If the source AMI is encrypted, or if encryption by default is enabled for the destination Region, the copied AMIs are encrypted using the default KMS key for EBS encryption in the destination Region.

      • If the source AMI is unencrypted and encryption by default is disabled for the destination Region, the copied AMIs are unencrypted.

  10. (Optional) To add a tag to the policy, choose Add tag and then specify the tag key and value pair.

  11. Choose Create default policy.

    Note

    If you get the Role with name AWSDataLifecycleManagerDefaultRoleForAMIManagement already exists error, see Troubleshooting for more information.

Amazon CLI
To create a default policy for EBS-backed AMIs

Use the create-lifecycle-policy command. You can specify the request parameters in one of two ways, depending on your use case or preferences:

  • Method 1

    $ aws dlm create-lifecycle-policy \
        --state ENABLED | DISABLED \
        --description "policy_description" \
        --execution-role-arn role_arn \
        --default-policy INSTANCE \
        --create-interval creation_frequency_in_days (1-7) \
        --retain-interval retention_period_in_days (2-14) \
        --copy-tags | --no-copy-tags \
        --extend-deletion | --no-extend-deletion \
        --cross-region-copy-targets TargetRegion=destination_region_code \
        --exclusions ExcludeTags=[{Key=tag_key,Value=tag_value}]

    For example, to create a default policy for EBS-backed AMIs that targets all instances in the Region, uses the default IAM role, runs daily (default), and retains AMIs for 7 days (default), you need to specify the following parameters:

    $ aws dlm create-lifecycle-policy \
        --state ENABLED \
        --description "Daily default AMI policy" \
        --execution-role-arn arn:aws:iam::account_id:role/AWSDataLifecycleManagerDefaultRoleForAMIManagement \
        --default-policy INSTANCE

  • Method 2

    $ aws dlm create-lifecycle-policy \
        --state ENABLED | DISABLED \
        --description "policy_description" \
        --execution-role-arn role_arn \
        --default-policy INSTANCE \
        --policy-details file://policyDetails.json

    Where policyDetails.json includes the following:

    {
        "PolicyLanguage": "SIMPLIFIED",
        "PolicyType": "IMAGE_MANAGEMENT",
        "ResourceType": "INSTANCE",
        "CopyTags": true | false,
        "CreateInterval": creation_frequency_in_days (1-7),
        "RetainInterval": retention_period_in_days (2-14),
        "ExtendDeletion": true | false,
        "CrossRegionCopyTargets": [{"TargetRegion":"destination_region_code"}],
        "Exclusions": {
            "ExcludeTags": [{
                "Key": "exclusion_tag_key",
                "Value": "exclusion_tag_value"
            }]
        }
    }
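
A pre-flight check for a filled-in policyDetails.json, added here as an example and not part of the AWS documentation or tooling. It enforces the limits stated on this page (creation frequency 1-7 days, retention 2-14 days, retention at least the creation frequency, at most 3 destination Regions) and reports whether cross-Region copies end up encrypted. The function names, the sample values, and the fallback to the stated defaults when an interval is omitted are assumptions of this example.

```python
import json

# Constructed sample: a filled-in policyDetails.json (all values illustrative).
SAMPLE = """{
  "PolicyLanguage": "SIMPLIFIED", "PolicyType": "IMAGE_MANAGEMENT",
  "ResourceType": "INSTANCE", "CopyTags": true,
  "CreateInterval": 3, "RetainInterval": 7, "ExtendDeletion": false,
  "CrossRegionCopyTargets": [{"TargetRegion": "cn-northwest-1"}],
  "Exclusions": {"ExcludeTags": [{"Key": "backup", "Value": "none"}]}
}"""

FIXED = {"PolicyLanguage": "SIMPLIFIED", "PolicyType": "IMAGE_MANAGEMENT",
         "ResourceType": "INSTANCE"}

def _in_range(value, low, high):
    # bool is a subclass of int in Python, so reject it explicitly.
    return type(value) is int and low <= value <= high

def check_policy_details(text):
    """Return a list of problems; an empty list means the file passes."""
    d = json.loads(text)
    problems = [f"{k} must be {v}" for k, v in FIXED.items() if d.get(k) != v]
    # Assumption: omitted intervals take the defaults the page mentions.
    create = d.get("CreateInterval", 1)   # runs daily by default
    retain = d.get("RetainInterval", 7)   # retains 7 days by default
    ok_create, ok_retain = _in_range(create, 1, 7), _in_range(retain, 2, 14)
    if not ok_create:
        problems.append("CreateInterval must be an integer from 1 to 7")
    if not ok_retain:
        problems.append("RetainInterval must be an integer from 2 to 14")
    if ok_create and ok_retain and retain < create:
        problems.append("RetainInterval must be >= CreateInterval")
    if len(d.get("CrossRegionCopyTargets", [])) > 3:
        problems.append("at most 3 cross-Region copy targets are allowed")
    return problems

def copy_encryption(text, source_encrypted, dest_default_encryption):
    """Map each target Region to True if its copied AMIs will be encrypted.

    dest_default_encryption: caller-supplied dict of Region -> whether EBS
    encryption by default is enabled there (missing Regions count as disabled).
    """
    targets = json.loads(text).get("CrossRegionCopyTargets", [])
    return {t["TargetRegion"]: source_encrypted or
            dest_default_encryption.get(t["TargetRegion"], False)
            for t in targets}

if __name__ == "__main__":
    print(check_policy_details(SAMPLE))
    print(copy_encryption(SAMPLE, False, {"cn-northwest-1": False}))
```

A `False` entry from `copy_encryption` marks a destination Region that will receive unencrypted AMI copies, which is the case to review before enabling cross-Region copy.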