4.9 Create An AMI - Lab
Where does the "first" AMI come from?
When you launch an instance, the root device volume contains the image used to boot the instance. When AWS introduced Amazon EC2, all AMIs were backed by the Amazon EC2 instance store, which means the root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3. After AWS introduced Amazon EBS, it added AMIs that are backed by Amazon EBS: the root device for an instance launched from such an AMI is an Amazon EBS volume created from an Amazon EBS snapshot stored in Amazon S3.
Steps:
Stop your instance and create a snapshot of the root device volume attached to it. Stopping first helps keep the data consistent (it is not required, but it is a best practice). Later, you will create an Image (AMI) from this snapshot of the instance's root volume.
You can copy the snapshot to a different Region. While doing so, you can tick the encryption option to encrypt the copy. Then switch the console to the new Region and you will see the encrypted snapshot there.
Then create an Image (Amazon Machine Image) from this EBS snapshot. Go to the AMIs section to see the newly created AMI.
Then launch this AMI, just as you would create a new EC2 instance from one of the AMIs provided by AWS. In the Add Storage step, you can see that your root volume is encrypted, because you enabled encryption when you copied the snapshot.
At this point, you have the same instance in different Regions.
One thing you have to understand about AMIs is that they are not going to be encrypted at rest; the reason for this is that the encryption key is held within your own AWS account. So when you create an encrypted AMI, it is always going to be private.
Finally, if you no longer want to use your AMI and the snapshot in this Region, you can deregister the AMI and delete the snapshot.
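The same lab done from the AWS CLI, as an added example that is not part of the original notes: snapshot the stopped instance's root volume, copy the snapshot into another Region with encryption turned on, register an AMI on the encrypted copy, launch from it, and clean up. The Regions, instance id, KMS key alias, AMI name and root device name are placeholders to replace; every subcommand and flag used is a real AWS CLI option. With DRY_RUN=1 the script prints each command instead of running it, which is how the flow can be reviewed without credentials.

```shell
#!/bin/sh
# Added example (not from the original notes): CLI equivalent of the
# snapshot -> copy (encrypt) -> create image -> launch lab above.
# All IDs, Regions and names below are placeholders.
set -eu

SRC_REGION="${SRC_REGION:-us-east-1}"
DST_REGION="${DST_REGION:-us-west-2}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder instance id
KMS_KEY="${KMS_KEY:-alias/aws/ebs}"                   # key in DST_REGION (default EBS key here)
AMI_NAME="${AMI_NAME:-webserver-base-encrypted}"
ROOT_DEV="${ROOT_DEV:-/dev/xvda}"                     # must match the source instance's root device

# With DRY_RUN=1 every aws call is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: stop the instance so the root filesystem is quiescent, find the
# volume behind its root device and snapshot it. Prints the snapshot id.
snapshot_root_volume() {
  run aws ec2 stop-instances --region "$SRC_REGION" --instance-ids "$INSTANCE_ID" >/dev/null
  run aws ec2 wait instance-stopped --region "$SRC_REGION" --instance-ids "$INSTANCE_ID"
  vol_id=$(run aws ec2 describe-instances --region "$SRC_REGION" --instance-ids "$INSTANCE_ID" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$ROOT_DEV'].Ebs.VolumeId | [0]" \
    --output text)
  run aws ec2 create-snapshot --region "$SRC_REGION" --volume-id "$vol_id" \
    --description "root volume of $INSTANCE_ID" --query SnapshotId --output text
}

# Step 2: copy the snapshot into the target Region and encrypt it on the way.
# The source snapshot can stay unencrypted; encryption is applied to the copy.
copy_snapshot_encrypted() {   # $1 = source snapshot id; prints the new snapshot id
  run aws ec2 copy-snapshot --region "$DST_REGION" --source-region "$SRC_REGION" \
    --source-snapshot-id "$1" --encrypted --kms-key-id "$KMS_KEY" \
    --description "encrypted copy of $1" --query SnapshotId --output text
}

# Step 3: register an AMI whose root device is the encrypted snapshot.
register_image_from_snapshot() {   # $1 = snapshot id in DST_REGION; prints the AMI id
  run aws ec2 wait snapshot-completed --region "$DST_REGION" --snapshot-ids "$1"
  run aws ec2 register-image --region "$DST_REGION" --name "$AMI_NAME" \
    --architecture x86_64 --virtualization-type hvm --ena-support \
    --root-device-name "$ROOT_DEV" \
    --block-device-mappings "DeviceName=$ROOT_DEV,Ebs={SnapshotId=$1,VolumeType=gp3,DeleteOnTermination=true}" \
    --query ImageId --output text
}

# Step 4: launch from the new AMI; the root volume inherits the snapshot's encryption.
launch_from_image() {   # $1 = AMI id; prints the instance id
  run aws ec2 run-instances --region "$DST_REGION" --image-id "$1" \
    --instance-type t3.micro --count 1 --query 'Instances[0].InstanceId' --output text
}

# Step 5 (cleanup): deregister the AMI first, then delete the snapshot it referenced.
cleanup() {   # $1 = AMI id, $2 = snapshot id
  run aws ec2 deregister-image --region "$DST_REGION" --image-id "$1"
  run aws ec2 delete-snapshot --region "$DST_REGION" --snapshot-id "$2"
}

main() {
  src_snap=$(snapshot_root_volume)
  run aws ec2 wait snapshot-completed --region "$SRC_REGION" --snapshot-ids "$src_snap"
  dst_snap=$(copy_snapshot_encrypted "$src_snap")
  ami=$(register_image_from_snapshot "$dst_snap")
  run aws ec2 wait image-available --region "$DST_REGION" --image-ids "$ami"
  inst=$(launch_from_image "$ami")
  printf 'snapshot %s -> encrypted copy %s -> AMI %s -> instance %s\n' \
    "$src_snap" "$dst_snap" "$ami" "$inst"
}

# The whole flow runs only when invoked as: sh create_ami.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Note that `--root-device-name` and the `DeviceName` in the block device mapping must match the root device of the source instance (for example `/dev/xvda` on Amazon Linux, `/dev/sda1` on many Ubuntu images), otherwise the registered AMI will not boot.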
Summary
To create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.
Snapshots of encrypted volumes are encrypted automatically.
Volumes restored from encrypted snapshots are encrypted automatically.
When you create an encrypted EBS volume and attach it to a supported instance type, all data moving between the EBS volume and the instance is encrypted.
You can share snapshots, but only if they are unencrypted, because the encryption key is tied to your AWS account. These snapshots can be shared with other AWS accounts, made public, or even sold on the store.
Why do I need to create an AMI? If you create a web server, you might install Apache and put your web code in your www directory. You can then create a snapshot of that base image, promote that snapshot to an Amazon Machine Image, and boot similar web servers from it. So next time you provision an EC2 instance, you don't need to install Apache all over again, and you don't need to copy the website code.
Copy an AMI across Regions directly
If you need an AMI in multiple Regions, you have to copy the AMI across Regions. By default, an AMI you have created is not available in all Regions, so copying is how you get the same AMI in another Region. You can also copy an AMI across Regions for Disaster Recovery of your web application.
Steps:
Stop your instance (you don't have to, but it is a best practice), select the instance and click Actions -> Image -> Create Image.
Once the Image has been created, go to the AMIs section in the side-bar of the EC2 dashboard and find the Image.
Select the Image and click Actions -> Copy AMI. This lets you copy it to other Regions. You can select the checkbox "encrypt target EBS snapshot" when you copy it.
AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and Amazon S3 bucket permissions to the new AMI.
You can share an AMI with other users, but it will not be available across Regions; you have to copy the AMI across Regions.
Two approaches:
Keep in mind that an EBS volume snapshot can be used to create an AMI, so an encrypted EBS snapshot yields an AMI with an encrypted root volume.
Create a snapshot of the root volume of an instance -> Copy this snapshot across Regions -> Create a Image (AMI) based on the new snapshot -> Launch an instance based on the Image. You can encrypt the snapshot during the copy.
Create an Image of an instance -> Copy this Image (AMI) across Regions -> Launch an instance based on the new Image. Encrypting during AMI copy applies only to Amazon EBS-backed AMIs. Because an instance store-backed AMI does not rely on snapshots, you cannot use AMI copy to change its encryption status.
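The second approach from the CLI, as an added example that is not part of the original notes: create the image from the instance, copy it into another Region with target snapshot encryption, reapply tags (which the copy drops), and then run the checks a practitioner wants after this lab: that every EBS mapping of the new AMI reports Encrypted=True, that its launch permission list is empty (private), and that the instance launched from it really has an encrypted root volume. Regions, ids, key alias and AMI name are placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original notes): the create image -> copy AMI
# (encrypted) -> launch approach, followed by verification of the result.
# All IDs, Regions and names are placeholders.
set -eu

SRC_REGION="${SRC_REGION:-us-east-1}"
DST_REGION="${DST_REGION:-us-west-2}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder instance id
KMS_KEY="${KMS_KEY:-alias/aws/ebs}"                   # key in DST_REGION
AMI_NAME="${AMI_NAME:-webserver-base}"

# With DRY_RUN=1 every aws call is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: Actions -> Image -> Create Image. Without --no-reboot, EC2 shuts the
# instance down before snapshotting, which is the consistency the notes ask for.
create_image() {   # prints the source AMI id
  run aws ec2 create-image --region "$SRC_REGION" --instance-id "$INSTANCE_ID" \
    --name "$AMI_NAME" --description "base image of $INSTANCE_ID" \
    --query ImageId --output text
}

# Step 2: Actions -> Copy AMI with the encrypt-target-snapshots option. This only
# changes encryption status for EBS-backed AMIs (instance store AMIs have no snapshots).
copy_image_encrypted() {   # $1 = source AMI id; prints the new AMI id
  run aws ec2 copy-image --region "$DST_REGION" --source-region "$SRC_REGION" \
    --source-image-id "$1" --name "${AMI_NAME}-encrypted" \
    --encrypted --kms-key-id "$KMS_KEY" --query ImageId --output text
}

# Step 3: tags and launch permissions are not carried over by the copy; reapply them.
tag_image() {   # $1 = AMI id
  run aws ec2 create-tags --region "$DST_REGION" --resources "$1" \
    --tags "Key=Name,Value=$AMI_NAME" "Key=SourceRegion,Value=$SRC_REGION"
}

# Check 1: each EBS mapping should show Encrypted=True with the expected key, and
# LaunchPermissions should be an empty list, i.e. the AMI is private.
verify_image() {   # $1 = AMI id
  run aws ec2 describe-images --region "$DST_REGION" --image-ids "$1" \
    --query 'Images[0].BlockDeviceMappings[].Ebs.{Snapshot:SnapshotId,Encrypted:Encrypted,Key:KmsKeyId}' \
    --output table
  run aws ec2 describe-image-attribute --region "$DST_REGION" --image-id "$1" \
    --attribute launchPermission --query LaunchPermissions --output json
}

# Check 2: the root volume of an instance launched from the AMI is encrypted
# (what the Add Storage step shows in the console).
verify_launched_root() {   # $1 = instance id in DST_REGION
  run aws ec2 wait instance-running --region "$DST_REGION" --instance-ids "$1"
  run aws ec2 describe-volumes --region "$DST_REGION" \
    --filters "Name=attachment.instance-id,Values=$1" \
    --query 'Volumes[].{Id:VolumeId,Encrypted:Encrypted,Device:Attachments[0].Device}' \
    --output table
}

main() {
  src_ami=$(create_image)
  run aws ec2 wait image-available --region "$SRC_REGION" --image-ids "$src_ami"
  dst_ami=$(copy_image_encrypted "$src_ami")
  run aws ec2 wait image-available --region "$DST_REGION" --image-ids "$dst_ami"
  tag_image "$dst_ami"
  verify_image "$dst_ami"
  inst=$(run aws ec2 run-instances --region "$DST_REGION" --image-id "$dst_ami" \
    --instance-type t3.micro --count 1 --query 'Instances[0].InstanceId' --output text)
  verify_launched_root "$inst"
}

# The whole flow runs only when invoked as: sh copy_ami.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If the launch permission query returns anything other than `[]`, the AMI has been shared with specific accounts; because the snapshots are encrypted with a key in your account, it cannot have been made public, which is the property the notes above describe.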
VM Import/Export
VM Import/Export enables you to easily import virtual machine images from your existing environment to Amazon EC2 instances and export them back to your on-premises environment. VM Import/Export is available at no additional charge beyond standard usage charges for Amazon EC2 and Amazon S3.