Menu
Amazon Elastic Compute Cloud
User Guide for Linux Instances

Copying an AMI

You can copy an Amazon Machine Image (AMI) within or across an AWS region using the AWS Management Console, the command line, or the Amazon EC2 API, all of which support the CopyImage action. Both Amazon EBS-backed AMIs and instance store-backed AMIs can be copied.

Copying a source AMI results in an identical but distinct target AMI with its own unique identifier. In the case of an Amazon EBS-backed AMI, each of its backing snapshots is, by default, copied to an identical but distinct target snapshot. (The one exception is when you choose to encrypt the snapshot, as described below.) The source AMI can be changed or deregistered with no effect on the target AMI. The reverse is also true.

There are no charges for copying an AMI. However, standard storage and data transfer rates apply.

AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and Amazon S3 bucket permissions to the new AMI.

Copying an AMI You Own

You can copy any AMI that belongs to your AWS account using the CopyImage action. This includes AMIs with encrypted snapshots and encrypted AMIs.

Copying an AMI Across AWS Accounts

You can copy an AMI across AWS accounts. This includes AMIs with encrypted snapshots, but does not include encrypted AMIs.

The owner of the account must grant read permissions on the storage that backs the AMI, whether it is an associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated Amazon S3 bucket ( for an instance-store-backed AMI). To allow other accounts to copy your AMIs, you must grant read permissions on your associated snapshot or bucket using the Amazon EBS or Amazon S3 access management tools.

When an AMI is copied, the owner of the source AMI is charged standard Amazon EBS or Amazon S3 transfer fees, and the owner of the target AMI is charged for storage in the destination region.

Limits

  • You can't copy an encrypted AMI between accounts. Instead, you can copy the underlying encrypted snapshot to another account, and then register it as a new AMI.

  • You can't directly copy an AMI that has a billingProduct code associated with it. This includes Windows AMIs and other AMIs from the AWS Marketplace that are owned and shared by another AWS account. To create a private copy of an AMI that has a billingProduct code associated with it, we recommend the following procedure:

    1. Launch an EC2 instance in the target account using the shared AMI.

    2. Create an image from the new instance.

    The result will be a private AMI that you own and can customize like any other AMI you own. For example, if you have created a private copy of an EBS-backed AMI, you can use CopyImage to create an AMI with an encrypted root volume. For more information, see Creating an Amazon EBS-Backed Linux AMI.

Copying an AMI Across Regions

Copying an AMI across geographically diverse regions provides the following benefits:

  • Consistent global deployment: Copying an AMI from one region to another enables you to launch consistent instances based from the same AMI into different regions.

  • Scalability: You can more easily design and build world-scale applications that meet the needs of your users, regardless of their location.

  • Performance: You can increase performance by distributing your application, as well as locating critical components of your application in closer proximity to your users. You can also take advantage of region-specific features, such as instance types or other AWS services.

  • High availability: You can design and deploy applications across AWS regions, to increase availability.

The following diagram shows the relations among a source AMI and two copied AMIs in different regions, as well as the EC2 instances launched from each. When you launch an instance from an AMI, it resides in the same region where the AMI resides. If you make changes to the source AMI and want those changes to be reflected in the AMIs in the target regions, you must recopy the source AMI to the target regions.

AMIs copied in different regions

When you first copy an instance store-backed AMI to a region, we create an Amazon S3 bucket for the AMIs copied to that region. All instance store-backed AMIs that you copy to that region are stored in this bucket. The names of these buckets have the following format: amis-for-account-in-region-hash. For example: amis-for-123456789012-in-us-west-2-yhjmxvp6.

Note

Destination regions are limited to 50 concurrent AMI copies at a time, with no more than 25 of those coming from a single source region. To request an increase to this limit, see Amazon EC2 Service Limits.

Prior to copying an AMI, you must ensure that the contents of the source AMI are updated to support running in a different region. For example, you should update any database connection strings or similar application configuration data to point to the appropriate resources. Otherwise, instances launched from the new AMI in the destination region may still use the resources from the source region, which can impact performance and cost.

Copying to Encrypt

Encrypting during copying applies only to Amazon EBS-backed AMIs. Because an instance-store-backed AMIs does not rely on snapshots, the CopyImage action cannot be used to change its encryption status.

The CopyImage action can also be used to create a new AMI backed by encrypted Amazon EBS snapshots. If you invoke encryption while copying an AMI, each snapshot taken of its associated Amazon EBS volumes—including the root volume—will be encrypted using a key that you specify. For more information about using AMIs with encrypted snapshots, see AMIs with Encrypted Snapshots.

By default, the backing snapshot of an AMI will be copied with its original encryption status. Copying an AMI backed by an unencrypted snapshot will result in an identical target snapshot that is also unencrypted. If the source AMI is backed by an encrypted snapshot, copying it will result in a target snapshot encrypted to the specified key. Copying an AMI backed by multiple snaphots preserves the source encryption status in each target snapshot. For more information about copying AMIs with multiple snapshots, see AMIs with Encrypted Snapshots.

The following table shows encryption support for various scenarios. Note that while it is possible to copy an unencrypted snapshot to yield an encrypted snapshot, you cannot copy an encrypted snapshot to yield an unencrypted one.

ScenarioDescriptionSupported
1Unencrypted-to-unencryptedYes
2Encrypted-to-encryptedYes
3Unencrypted-to-encryptedYes
4Encrypted-to-unencryptedNo

AMI Copying Scenarios

This section describes basic scenarios for copying AMIs and provides copy procedures using the Amazon EC2 console and the command line.

Copy an unencrypted source AMI to an unencrypted target AMI

In the simplest case, a copy of an AMI with an unencrypted single backing snapshot is created in the specified geographical region (not shown).

Copy an unencrypted source AMI

Note

Although the diagram above shows an AMI with a single backing snapshot, the CopyImage action also works for AMIs with multiple snapshots. The encryption status of each snapshot is preserved. This means that an unencrypted snapshot in the source AMI will cause an unencrypted snapshot to be created in the target AMI, and an encrypted snapshot in the source AMI will cause an encrypted snapshot to be created in the target AMI.

Copy an encrypted source AMI to an encrypted target AMI

Although this scenario involves encrypted snapshots, it is functionally equivalent to the previous scenario.

Copy an encrypted source AMI

Note

If you apply encryption while copying a multi-snapshot AMI, all of the target snapshots are encrypted using the specified key or the default key if none is specified. For information about creating an AMI with multiple snapshots encrypted to multiple keys, see AMIs with Encrypted Snapshots.

Copy an unencrypted source AMI to an encrypted target AMI

In this last scenario, the CopyImage action changes the encryption status of the destination image, for instance, by encrypting an unencrypted snapshot, or re-encrypting an encrypted snapshot with a different key. To apply encryption during the copy, you must supply encryption parameters: an encryption flag and a key. Volumes created from the target snapshot are accessible only if you supply this key. For more information about supported encryption scenarios for AMIs, see AMIs with Encrypted Snapshots.

Copy an unencrypted source AMI to encrypted target AMI

Copying an AMI Using the Console or Command Line

The steps in the following procedure correspond to the three steps in each scenario diagram. Apart from the configuration of encryption options, the procedure for implementing the CopyImage action is identical in all cases.

To copy an AMI using the console

  1. Create or obtain an AMI backed by an Amazon EBS snapshot. For more information, see Creating an Amazon EBS-Backed Linux AMI. A wide variety of AWS-supplied AMIs are available through the Amazon EC2 console.

    From the console navigation bar, select the region that contains the AMI you wish to copy. In the navigation pane, expand Images and select AMIs to display the list of AMIs available to you in the selected region.

  2. Select the AMI to copy and choose Actions and Copy AMI.

    In the AMI Copy page, set the following fields and choose Copy AMI:

    • Destination region: Choose the region into which to copy the AMI.

    • Name: Provide a name for the new AMI.

    • Description: By default, the description includes information about the source AMI so that you can distinguish a copy from its original. You can change this description as needed.

    • Encryption: Select this field to encrypt the target Amazon EBS snapshots, or to re-encrypt them using a different key.

    • Master Key: The KMS key that will be used to encrypt the target Amazon EBS snapshots if Encryption has been chosen.

  3. We display a confirmation page to let you know that the copy operation has been initiated and to provide you with the ID of the new AMI.

    To check on the progress of the copy operation immediately, follow the provided link. To check on the progress later, choose Done, and then when you are ready, use the navigation bar to switch to the target region (if applicable) and locate your AMI in the list of AMIs.

    The initial status of the target AMI is pending and the operation is complete when the status is available.

To copy an AMI using the command line

Copying an AMI using the command line requires that you specify both the source and destination regions. You specify the source region using the --source-region parameter. For the destination region, you have two options:

When you encrypt a target snapshot during copying, you will need to supply two additional parameters:

  • A Boolean, --encrypted

  • A string, --kms-key-id, providing the master encryption key ID

You can copy an AMI using one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Stopping a Pending AMI Copy Operation

You can stop a pending AMI copy using the AWS Management Console or the command line.

To stop an AMI copy operation using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the destination region from the region selector.

  3. In the navigation pane, choose AMIs.

  4. Select the AMI to stop copying and choose Actions and Deregister.

  5. When asked for confirmation, choose Continue.

To stop an AMI copy operation using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.