Copy an AMI
You can copy an Amazon Machine Image (AMI) within or across Amazon Regions. You can copy both Amazon EBS-backed AMIs and instance store-backed AMIs. You can copy EBS-backed AMIs with encrypted snapshots, and also change encryption status during the copy process. You can copy AMIs that are shared with you.
Copying a source AMI results in an identical but distinct new AMI that we also refer to as the target AMI. The target AMI has its own unique AMI ID. You can change or deregister the source AMI with no effect on the target AMI. The reverse is also true.
With an EBS-backed AMI, each of its backing snapshots is copied to an identical but distinct target snapshot. If you copy an AMI to a new Region, the snapshots are complete (non-incremental) copies. If you encrypt unencrypted backing snapshots or encrypt them to a new KMS key, the snapshots are complete (non-incremental) copies. Subsequent copy operations of an AMI result in incremental copies of the backing snapshots.
Contents
Considerations
-
Permission to copy AMIs – You can use IAM policies to grant or deny users permission to copy AMIs. Resource-level permissions specified for the
CopyImage
action apply only to the new AMI. You cannot specify resource-level permissions for the source AMI. -
Launch permissions and Amazon S3 bucket permissions – Amazon does not copy launch permissions or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions and Amazon S3 bucket permissions to the new AMI.
-
Tags – You can only copy user-defined AMI tags that you attached to the source AMI. System tags (prefixed with
aws:
) and user-defined tags that are attached by other Amazon Web Services accounts will not be copied. When copying an AMI, you can attach new tags to the target AMI and its backing snapshots.
Costs
There are no charges for copying an AMI. However, standard storage and data transfer rates apply. If you copy an EBS-backed AMI, you will incur charges for the storage of any additional EBS snapshots.
IAM permissions
To copy an EBS-backed or instance store-backed AMI, you need the following IAM permissions:
-
ec2:CopyImage
– To copy the AMI. For EBS-backed AMIs, it also grants permission to copy the AMI's backing snapshots. -
ec2:CreateTags
– To tag the target AMI. For EBS-backed AMIs, it also grants permission to tag the target AMI’s backing snapshots.
If you're copying an instance stored-backed AMI, you need the following additional IAM permissions:
-
s3:CreateBucket
– To create the S3 bucket in the target Region for the new AMI -
s3:GetBucketAcl
– To read the ACL permissions for the source bucket -
s3:ListAllMyBuckets
– To find an existing S3 bucket for AMIs in the target Region -
s3:GetObject
– To read the objects in the source bucket -
s3:PutObject
– To write the objects in the target bucket -
s3:PutObjectAcl
– To write the permissions for the new objects in the target bucket
Example IAM policy for copying an EBS-backed AMI and tagging the target AMI and snapshots
The following example policy grants you permission to copy any EBS-backed AMI and tag the target AMI and its backing snapshots.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "PermissionToCopyAllImages", "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::image/*" }] }
Example IAM policy for copying an EBS-backed AMI but denying tagging the new snapshots
The ec2:CopySnapshot
permission is automatically granted when you get the
ec2:CopyImage
permission. This includes the permission to tag the
new backing snapshots of the target AMI. Permission to tag the new backing snapshots
can be explicitly denied.
The following example policy grants you permission to copy any EBS-backed AMI, but denies you from tagging the new backing snapshots of the target AMI.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:::snapshot/*" } ] }
Example IAM policy for copying an instance store-backed AMI and tagging the target AMI
The following example policy grants you permission to copy any instance store-backed AMI in the specified source bucket to the specified Region, and tag the target AMI.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "PermissionToCopyAllImages", "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": [ "arn:aws:s3:::*" ] }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ami-source-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketAcl", "s3:PutObjectAcl", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amis-for-
account
-in-region
-hash
" ] } ] }
To find the Amazon Resource Name (ARN) of the AMI source bucket, open the Amazon EC2
console at https://console.amazonaws.cn/ec2/
Note
The s3:CreateBucket
permission is only needed the first time that
you copy an instance store-backed AMI to an individual Region. After that, the
Amazon S3 bucket that is already created in the Region is used to store all future
AMIs that you copy to that Region.
Copy an AMI
You can copy an AMI using the Amazon Web Services Management Console, the Amazon Command Line Interface or SDKs, or the Amazon EC2 API, all
of which support the CopyImage
action.
Prerequisite
Create or obtain an AMI to copy. Note that you can use the Amazon EC2 console to search a wide variety of AMIs provided by Amazon. For more information, see Create a custom Windows AMI and Finding an AMI.
Stop a pending AMI copy operation
You can stop a pending AMI copy using the Amazon Web Services Management Console or the command line.
Cross-Region copying
Copying an AMI across geographically diverse Regions provides the following benefits:
-
Consistent global deployment: Copying an AMI from one Region to another enables you to launch consistent instances in different Regions based on the same AMI.
-
Scalability: You can more easily design and build global applications that meet the needs of your users, regardless of their location.
-
Performance: You can increase performance by distributing your application, as well as locating critical components of your application in closer proximity to your users. You can also take advantage of Region-specific features, such as instance types or other Amazon services.
-
High availability: You can design and deploy applications across Amazon Regions, to increase availability.
The following diagram shows the relationship between a source AMI and two copied AMIs in different Regions, as well as the EC2 instances launched from each. When you launch an instance from an AMI, it resides in the same Region where the AMI resides. If you make changes to the source AMI and want those changes to be reflected in the AMIs in the target Regions, you must recopy the source AMI to the target Regions.
When you first copy an instance store-backed AMI to a Region, we create an Amazon S3
bucket for the AMIs copied to that Region. All instance store-backed AMIs that you
copy to that Region are stored in this bucket. The bucket names have the following
format:
amis-for-account
-in-region
-hash
.
For example:
amis-for-123456789012-in-us-west-2-yhjmxvp6
.
Prerequisite
Prior to copying an AMI, you must ensure that the contents of the source AMI are updated to support running in a different Region. For example, you should update any database connection strings or similar application configuration data to point to the appropriate resources. Otherwise, instances launched from the new AMI in the destination Region might still use the resources from the source Region, which can impact performance and cost.
Limitations
-
Destination Regions are limited to 100 concurrent AMI copies.
Cross-account copying
You can share an AMI with another Amazon account. Sharing an AMI does not affect the ownership of the AMI. The owning account is charged for the storage in the Region. For more information, see Share an AMI with specific Amazon accounts.
If you copy an AMI that has been shared with your account, you are the owner of the target AMI in your account. The owner of the source AMI is charged standard Amazon EBS or Amazon S3 transfer fees, and you are charged for the storage of the target AMI in the destination Region.
Resource permissions
To copy an AMI that was shared with you from another account, the owner of the source AMI must grant you read permissions for the storage that backs the AMI. The storage is either the associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance store-backed AMI). If the shared AMI has encrypted snapshots, the owner must share the key or keys with you as well. For more information about granting resource permissions, for EBS snapshots, see Share an Amazon EBS snapshot in the Amazon EBS User Guide, and for S3 buckets, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.
Note
To copy an AMI with its tags, you must have launch permissions for the source AMI.
Encryption and copying
The following table shows encryption support for various AMI-copying scenarios. While it is possible to copy an unencrypted snapshot to yield an encrypted snapshot, you cannot copy an encrypted snapshot to yield an unencrypted one.
Scenario | Description | Supported |
---|---|---|
1 | Unencrypted-to-unencrypted | Yes |
2 | Encrypted-to-encrypted | Yes |
3 | Unencrypted-to-encrypted | Yes |
4 | Encrypted-to-unencrypted | No |
Note
Encrypting during the CopyImage
action applies only to Amazon EBS-backed
AMIs. Because an instance store-backed AMI does not rely on snapshots, you
cannot use copying to change its encryption status.
By default (i.e., without specifying encryption parameters), the backing snapshot of an AMI is copied with its original encryption status. Copying an AMI backed by an unencrypted snapshot results in an identical target snapshot that is also unencrypted. If the source AMI is backed by an encrypted snapshot, copying it results in an identical target snapshot that is encrypted by the same Amazon KMS key. Copying an AMI backed by multiple snapshots preserves, by default, the source encryption status in each target snapshot.
If you specify encryption parameters while copying an AMI, you can encrypt or
re-encrypt its backing snapshots. The following example shows a non-default case that
supplies encryption parameters to the CopyImage
action in order to change
the target AMI's encryption state.
Copy an unencrypted source AMI to an encrypted target AMI
In this scenario, an AMI backed by an unencrypted root snapshot is copied to an AMI
with an encrypted root snapshot. The CopyImage
action is invoked with
two encryption parameters, including a customer managed key. As a result, the
encryption status of the root snapshot changes, so that the target AMI is backed
by a root snapshot containing the same data as the source snapshot, but encrypted
using the specified key. You incur storage costs for the snapshots in both
AMIs, as well as charges for any instances you launch from either AMI.
Note
Enabling encryption by default has the same effect as setting the Encrypted
parameter to true
for all snapshots in the AMI.
Setting the Encrypted
parameter encrypts the single snapshot for this
instance. If you do not specify the KmsKeyId
parameter, the default
customer managed key is used to encrypt the snapshot copy.
For more information about copying AMIs with encrypted snapshots, see Use encryption with EBS-backed AMIs.