AWS: Copy AMI from Commercial Cloud to GovCloud or AWS China (AWS Inter-Partition)
Large, complex projects almost always involve multiple AWS accounts. Sharing a base AMI across accounts in the same partition is easy, but it becomes tricky as soon as the partition changes, because an AMI cannot simply be shared across partitions. This post shows a way around that: store the image as an object in an S3 bucket, move the object to a bucket in the other partition, and restore it back into an AMI there.
Wondering what an AWS partition is?
An AWS partition is a logical grouping of AWS Regions and services.
To make the process easy to follow, it is split into four steps:
1. Prerequisites
2. Store AMI into Source Account S3 Bucket
3. Upload AMI into Destination Account S3 Bucket
4. Restore AMI from S3 Bucket in Destination Account
1. Prerequisites:-
1. Two AWS accounts are required, one in the source partition and one in the destination partition.
2. Create an IAM user with programmatic access in each of the two accounts, with the following permissions (IAM action names).
S3 Bucket:- s3:ListBucket, s3:PutObject, s3:DeleteObject, s3:GetObject, s3:AbortMultipartUpload
EBS:- ebs:CompleteSnapshot, ebs:GetSnapshotBlock, ebs:ListChangedBlocks, ebs:ListSnapshotBlocks, ebs:PutSnapshotBlock, ebs:StartSnapshot
EC2:- ec2:CreateStoreImageTask, ec2:DescribeStoreImageTasks, ec2:CreateRestoreImageTask, ec2:GetEbsEncryptionByDefault, ec2:DescribeTags, ec2:CreateTags
3. Install and configure the AWS CLI locally.
4. Authenticate the AWS CLI for each account, either by exporting the access key and secret key or by creating a named profile.
5. Note the AMI ID of the AMI that needs to be transferred.
6. Create one S3 bucket in the source account and one in the destination account.
2. Store AMI into Source Account S3 Bucket:-
1. Collect the AMI ID and the bucket name to be used in the source account.
2. Use the collected values in the command below to store the AMI in the source S3 bucket; the image is written to the bucket as an object in .bin format.
Command
aws ec2 create-store-image-task --image-id <ami-id> --bucket <bucket-name> --profile <profile-name>
Example:-
aws ec2 create-store-image-task --image-id ami-0170ba75ff0680d41 --bucket nmsvmdk --profile rahul
3. Check the status of the store task with the command below and move to the next step once it reports completed.
Command
aws ec2 describe-store-image-tasks --profile <profile-name>
Example:-
aws ec2 describe-store-image-tasks --profile rahul
3. Upload AMI into Destination Account Bucket:-
1. Wait until the AMI has been stored successfully in the source S3 bucket.
2. Generate either a pre-signed URL or a public-access URL to download the object.
3. After downloading the object, manually upload it into the destination bucket.
4. Restore AMI from S3 Bucket in Destination Account:-
1. Now use the object name, the destination bucket name the object was uploaded to, and the name for the new AMI (which will be created from the object) in the command below to restore the object back into an AMI.
Command:-
aws ec2 create-restore-image-task --object-key <object-name> --bucket <bucket-name> --name "<new-ami-name>" --profile <profile-name>
Example:-
aws ec2 create-restore-image-task --object-key ami-0170ba75ff0680d41.bin --bucket infrause --name "NMS_AMI_V7.6.900-do-not-delete" --profile rahul
In this way you can use an AMI from a different partition.
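As an added example (not code from the original post), the script below runs the four steps above with the AWS CLI: it polls describe-store-image-tasks until the task reports Completed before touching the object, and copies the object with the two configured profiles rather than exposing it through a public URL. The profile names, bucket names and AMI ID are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): store -> download -> upload -> restore
# with the AWS CLI, polling the store task until Completed. All names are placeholders.
set -euo pipefail
SRC_PROFILE="${SRC_PROFILE:-commercial}"    # CLI profile in the source partition
DST_PROFILE="${DST_PROFILE:-govcloud}"      # CLI profile in the destination partition
SRC_BUCKET="${SRC_BUCKET:-src-ami-bucket}"  # must be in the same Region as the AMI
DST_BUCKET="${DST_BUCKET:-dst-ami-bucket}"
AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"   # placeholder AMI ID
NEW_AMI_NAME="${NEW_AMI_NAME:-base-ami-restored}"

# The store task writes the image as <ami-id>.bin in the bucket.
object_key_for_ami() { printf '%s.bin' "$1"; }

# Map a StoreTaskState to a return code: 0 Completed, 1 InProgress, 2 Failed/unknown.
classify_state() { case "$1" in Completed) return 0;; InProgress) return 1;; *) return 2;; esac; }

# Poll the state function named in $1 every $2 s, at most $3 times.
# Returns 0 only on Completed, 2 if the task failed, 3 on timeout.
wait_for_task() {
  local state_fn="$1" interval="$2" max_tries="$3" i state rc
  for ((i = 1; i <= max_tries; i++)); do
    state="$("$state_fn")"
    classify_state "$state" && return 0
    rc=$?
    [ "$rc" -eq 1 ] || { echo "store task ended in state '$state'" >&2; return 2; }
    sleep "$interval"
  done
  echo "timed out after $max_tries polls" >&2; return 3
}

# Current StoreTaskState of the task for AMI_ID in the source account.
store_task_state() {
  aws ec2 describe-store-image-tasks --image-ids "$AMI_ID" --profile "$SRC_PROFILE" \
    --query 'StoreImageTaskResults[0].StoreTaskState' --output text
}

transfer_ami() {
  local key; key="$(object_key_for_ami "$AMI_ID")"
  aws ec2 create-store-image-task --image-id "$AMI_ID" --bucket "$SRC_BUCKET" --profile "$SRC_PROFILE"
  wait_for_task store_task_state 30 120
  # Both profiles are on this machine, so copy with credentials instead of a public or pre-signed URL.
  aws s3 cp "s3://$SRC_BUCKET/$key" "./$key" --profile "$SRC_PROFILE"
  aws s3 cp "./$key" "s3://$DST_BUCKET/$key" --profile "$DST_PROFILE"
  aws ec2 create-restore-image-task --object-key "$key" --bucket "$DST_BUCKET" \
    --name "$NEW_AMI_NAME" --profile "$DST_PROFILE"
}
# Set RUN_TRANSFER=1 to run end to end; unset, the helpers can be sourced and tested.
if [ "${RUN_TRANSFER:-0}" = "1" ]; then transfer_ami; fi
```

Run it with `RUN_TRANSFER=1 AMI_ID=<ami-id> ./transfer.sh` after setting the profile and bucket variables for your accounts.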