Copying an AMI
You can copy an Amazon Machine Image (AMI) within or across an AWS region using the AWS Management Console, the
command line, or the Amazon EC2 API, all of which support the
CopyImage action. Both
Amazon EBS-backed AMIs and instance store-backed AMIs can be copied.
Copying a source AMI results in an identical but distinct target AMI with its own unique identifier. In the case of an Amazon EBS-backed AMI, each of its backing snapshots is, by default, copied to an identical but distinct target snapshot. (The one exception is when you choose to encrypt the snapshot, as described below.) The source AMI can be changed or deregistered with no effect on the target AMI. The reverse is also true.
There are no charges for copying an AMI. However, standard storage and data transfer rates apply.
AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and Amazon S3 bucket permissions to the new AMI.
Copying an AMI You Own
You can copy any AMI that belongs to your AWS account using the
This includes AMIs with encrypted snapshots and encrypted AMIs.
Copying an AMI Across AWS Accounts
You can copy an AMI across AWS accounts. This includes AMIs with encrypted snapshots, but does not include encrypted AMIs.
When an AMI is copied, the owner of the source AMI is charged standard Amazon EBS or Amazon S3 transfer fees, and the owner of the target AMI is charged for storage in the destination region.
The owner of the account must grant read permissions on the storage that backs the AMI, whether it is an associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated Amazon S3 bucket (for an instance-store-backed AMI). To allow other accounts to copy your AMIs, you must grant read permissions on your associated snapshot or bucket using the Amazon EBS or Amazon S3 access management tools.
If you use an IAM user to copy an instance-store-backed AMI, the user must have the following Amazon S3 permissions: s3:CreateBucket, s3:GetBucketAcl, s3:ListBuckets, s3:CopyObject, s3:GetObject, and s3:PutObject.
You can't copy an encrypted AMI between accounts. Instead, if the underlying snapshot and encryption key have been shared with you, you can copy the snapshot to another account while re-encrypting it with a key of your own, and then register this privately owned snapshot as a new AMI.
You can't directly copy an AMI that has a
billingProductcode associated with it. This includes Windows AMIs and other AMIs from the AWS Marketplace that are owned and shared by another AWS account.
To create a private copy of an AMI that has a
billingProductcode associated with it, we recommend that you launch an EC2 instance in the target account using the shared AMI and then create an image from the instance. The result is a private AMI that you own and can customize. For example, if you create a private copy of an EBS-backed AMI, you can use
CopyImageto create an AMI with an encrypted root volume. For more information, see Creating an Amazon EBS-Backed Linux AMI.
Copying an AMI Across Regions
Copying an AMI across geographically diverse regions provides the following benefits:
Consistent global deployment: Copying an AMI from one region to another enables you to launch consistent instances based from the same AMI into different regions.
Scalability: You can more easily design and build world-scale applications that meet the needs of your users, regardless of their location.
Performance: You can increase performance by distributing your application, as well as locating critical components of your application in closer proximity to your users. You can also take advantage of region-specific features, such as instance types or other AWS services.
High availability: You can design and deploy applications across AWS regions, to increase availability.
The following diagram shows the relations among a source AMI and two copied AMIs in different regions, as well as the EC2 instances launched from each. When you launch an instance from an AMI, it resides in the same region where the AMI resides. If you make changes to the source AMI and want those changes to be reflected in the AMIs in the target regions, you must recopy the source AMI to the target regions.
When you first copy an instance store-backed AMI to a region, we create an Amazon S3
bucket for the AMIs copied to that region. All instance store-backed AMIs that you
copy to that region are stored in this bucket. The names of these buckets have the
Destination regions are limited to 50 concurrent AMI copies at a time, with no more than 25 of those coming from a single source region. To request an increase to this limit, see Amazon EC2 Service Limits.
Prior to copying an AMI, you must ensure that the contents of the source AMI are updated to support running in a different region. For example, you should update any database connection strings or similar application configuration data to point to the appropriate resources. Otherwise, instances launched from the new AMI in the destination region may still use the resources from the source region, which can impact performance and cost.
Copying to Encrypt
Encrypting during copying applies only to Amazon EBS-backed AMIs. Because an
instance-store-backed AMIs does not rely on snapshots, the
action cannot be used to change its encryption status.
CopyImage action can also be used to create a new AMI backed by
encrypted Amazon EBS snapshots. If you invoke encryption while copying an AMI, each
snapshot taken of its associated Amazon EBS volumes—including the root volume—will be
encrypted using a key that you specify. For more information about using AMIs with
encrypted snapshots, see AMIs with Encrypted Snapshots.
By default, the backing snapshot of an AMI will be copied with its original encryption status. Copying an AMI backed by an unencrypted snapshot will result in an identical target snapshot that is also unencrypted. If the source AMI is backed by an encrypted snapshot, copying it will result in a target snapshot encrypted to the specified key. Copying an AMI backed by multiple snaphots preserves the source encryption status in each target snapshot. For more information about copying AMIs with multiple snapshots, see AMIs with Encrypted Snapshots.
The following table shows encryption support for various scenarios. Note that while it is possible to copy an unencrypted snapshot to yield an encrypted snapshot, you cannot copy an encrypted snapshot to yield an unencrypted one.
AMI Copying Scenarios
This section describes basic scenarios for copying AMIs and provides copy procedures using the Amazon EC2 console and the command line.
Copy an unencrypted source AMI to an unencrypted target AMI
In the simplest case, a copy of an AMI with an unencrypted single backing snapshot is created in the specified geographical region (not shown).
Although the diagram above shows an AMI with a single backing snapshot,
CopyImage action also works for AMIs with multiple
snapshots. The encryption status of each snapshot is preserved. This means
that an unencrypted snapshot in the source AMI will cause an unencrypted
snapshot to be created in the target AMI, and an encrypted snapshot in the
source AMI will cause an encrypted snapshot to be created in the target
Copy an encrypted source AMI to an encrypted target AMI
Although this scenario involves encrypted snapshots, it is functionally equivalent to the previous scenario.
If you apply encryption while copying a multi-snapshot AMI, all of the target snapshots are encrypted using the specified key or the default key if none is specified. For information about creating an AMI with multiple snapshots encrypted to multiple keys, see AMIs with Encrypted Snapshots.
Copy an unencrypted source AMI to an encrypted target AMI
In this last scenario, the
CopyImage action changes the encryption
status of the destination image, for instance, by encrypting an unencrypted
snapshot, or re-encrypting an encrypted snapshot with a different key. To apply
encryption during the copy, you must supply encryption parameters: an encryption
flag and a key. Volumes created from the target snapshot are accessible only if you
supply this key. For more information about supported encryption scenarios for
AMIs, see AMIs with Encrypted Snapshots.
Copying an AMI Using the Console or Command Line
The steps in the following procedure correspond to the three steps in each scenario
diagram. Apart from the configuration of encryption options, the procedure for
CopyImage action is identical in all cases.
To copy an AMI using the console
Create or obtain an AMI backed by an Amazon EBS snapshot. For more information, see Creating an Amazon EBS-Backed Linux AMI. A wide variety of AWS-supplied AMIs are available through the Amazon EC2 console.
From the console navigation bar, select the region that contains the AMI you wish to copy. In the navigation pane, expand Images and select AMIs to display the list of AMIs available to you in the selected region.
Select the AMI to copy and choose Actions and Copy AMI.
In the AMI Copy page, set the following fields and choose Copy AMI:
Destination region: Choose the region into which to copy the AMI.
Name: Provide a name for the new AMI. You may want to include operating system information in the name, as we do not provide this information when displaying details about the AMI.
Description: By default, the description includes information about the source AMI so that you can distinguish a copy from its original. You can change this description as needed.
Encryption: Select this field to encrypt the target Amazon EBS snapshots, or to re-encrypt them using a different key.
Master Key: The KMS key that will be used to encrypt the target Amazon EBS snapshots if Encryption has been chosen.
We display a confirmation page to let you know that the copy operation has been initiated and to provide you with the ID of the new AMI.
To check on the progress of the copy operation immediately, follow the provided link. To check on the progress later, choose Done, and then when you are ready, use the navigation bar to switch to the target region (if applicable) and locate your AMI in the list of AMIs.
The initial status of the target AMI is
pendingand the operation is complete when the status is
To copy an AMI using the command line
Copying an AMI using the command line requires that you specify both the source
and destination regions. You specify the source region using the
--source-region parameter. For the destination region, you have
Set an environmental variable. For more information, see Configuring the AWS Command Line Interface.
When you encrypt a target snapshot during copying, you will need to supply two additional parameters:
--kms-key-id, providing the master encryption key ID
You can copy an AMI using one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.
Stopping a Pending AMI Copy Operation
You can stop a pending AMI copy using the AWS Management Console or the command line.
To stop an AMI copy operation using the console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
From the navigation bar, select the destination region from the region selector.
In the navigation pane, choose AMIs.
Select the AMI to stop copying and choose Actions and Deregister.
When asked for confirmation, choose Continue.