A Guide for Secured Cross-Account Encrypted Amazon EC2 Migration

Overview

Migrating Amazon Elastic Compute Cloud (EC2) instances across AWS accounts while ensuring data security is a critical task for many organizations. Whether you’re consolidating multiple accounts, moving workloads to a different AWS environment, or transferring instances to a partner or subsidiary, proper planning and execution are essential. In this blog, we will explore how to perform a secure and successful cross-account encrypted Amazon EC2 migration.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Introduction

Cross-Account Encrypted EC2 Migration is a sophisticated and secure approach that allows organizations to seamlessly transfer EC2 instances from one AWS account to another while maintaining data confidentiality through encryption.

This process not only ensures the integrity of sensitive information but also upholds compliance standards and regulatory requirements, making it a vital tool for businesses seeking to migrate their workloads within the AWS ecosystem.

There are two types of AWS KMS keys.

AMK (Amazon Managed Key): It is created, managed, owned by AWS, and used by AWS service integrated with AWS KMS.
CMK (Customer Managed Key): It is created and managed by the user according to requirements and is owned by the user.

Pre-requisites

Before sharing your encrypted AMI and launch instances, you must set your AWS KMS key policy and AWS Identity and Access Management (IAM) policy.

This Demonstration requires two AWS accounts:
1. A source account to create a custom AMI and encrypt its Amazon EBS snapshots.
2. Target account launching instances with shared custom AMI with encrypted Snapshots.

Encryption Considerations

Decide whether to use the same AWS KMS key for encryption in both the source and destination accounts or create an AWS KMS key in the destination account and grant permissions for cross-account access.

Step-by-Step Migration Guide

Create a CMK key in the source account

Go to the AWS console -> Search for AWS KMS -> Create customer managed key (CMK) that will be used to encrypt the AMI.

step1

2. Share CMK key access to another account

Inside the CMK key, you will find the option to give access to other AWS accounts in the key policy tab.

step2

Note: If you have an encrypted disk via CMK, skip Step 3.

3. Create a new volume to change the encryption key

From the Snapshot of the encrypted Amazon EC2 instance, create a new volume for changing the encryption from AMK to CMK.

step3

While creating the volume from the snapshot you will find AWS KMS key option to select the KMS key. Select the CMK key that you have created in Step 1.

step3b

You will find that the encryption key has changed to the CMK key. So that you can now create a snapshot and share it with another account

step3c

4. Create a Snapshot of the new volume

Create a snapshot from the new volume created with the CMK key.

step4

5. Create AMI from a New snapshot

Create an image and note down the AMI-id to be required later on.

step5

6. Create the policy setting for the source account

In the below policy change, the AMI ID that has been noted from the previous step

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1667894795023",
      "Action": [
        "ec2:ModifyImageAttribute"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:ap-south-1::image/<ami-id>"
    }
  ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "Stmt1667894795023",

"Action": [

"ec2:ModifyImageAttribute"

"Effect": "Allow",

"Resource": "arn:aws:ec2:ap-south-1::image/<ami-id>"

}

]

}

7. Create the policy setting for the target account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ReEncrypt*",
                "kms:CreateGrant",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:ap-south-1:<Account ID>:key/<KMS-Key-id>"
            ]                                                    
        }
    ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"kms:DescribeKey",

"kms:ReEncrypt*",

"kms:CreateGrant",

"kms:Decrypt"

"Resource": [

"arn:aws:kms:ap-south-1:<Account ID>:key/<KMS-Key-id>"

]

}

]

}

8. Give AMI permission to the Destination Account

step8

step8b

9. Find the shared AMI in the destination account, and now you can use that image to launch a new instance

step9

Conclusion

Cross-account encrypted Amazon EC2 migration is a complex but necessary process for organizations that need to restructure their AWS resources for various reasons, including compliance, security, and cost management. Following the steps outlined in this blog and carefully planning the migration, you can ensure a smooth and secure transition of your Amazon EC2 instances to a new AWS account while maintaining data integrity and security. Documentation and testing are essential throughout the migration process to mitigate potential issues and minimize downtime. With the right strategy and attention to detail, you can successfully navigate the challenges of cross-account Amazon EC2 migration and achieve your organization’s goals.

Drop a query if you have any questions regarding Cross-account encrypted Amazon EC2 Migration and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. What is the difference between the AMK and CMK keys?

ANS: – AMK key is created, managed, owned by AWS, and used by AWS service integrated with AWS KMS. CMK key is created, managed by the user according to requirements, and owned by the user.

2. How can I ensure minimal downtime during migration?

ANS: – To minimize downtime, plan the migration during periods of lower traffic. Additionally, consider using AWS Elastic Load Balancers or other failover mechanisms to route traffic to the new instances seamlessly.

WRITTEN BY Kashyap Nitinbhai Shani

Kashyap Nitinbhai Shani is a Research Associate at CloudThat. He is interested to learn advanced technologies and gain insights into new and upcoming cloud services. He likes writing tech blogs and learning new languages.