A Guide for Secured Cross-Account Encrypted Amazon EC2 Migration

Overview

Migrating Amazon Elastic Compute Cloud (EC2) instances across AWS accounts while ensuring data security is a critical task for many organizations. Whether you’re consolidating multiple accounts, moving workloads to a different AWS environment, or transferring instances to a partner or subsidiary, proper planning and execution are essential. In this blog, we will explore how to perform a secure and successful cross-account encrypted Amazon EC2 migration.

Introduction

Cross-Account Encrypted EC2 Migration is a sophisticated and secure approach that allows organizations to seamlessly transfer EC2 instances from one AWS account to another while maintaining data confidentiality through encryption.

This process not only ensures the integrity of sensitive information but also upholds compliance standards and regulatory requirements, making it a vital tool for businesses seeking to migrate their workloads within the AWS ecosystem.

There are two types of AWS KMS keys.

  1. AMK (Amazon Managed Key): It is created, managed, and owned by AWS and is used by AWS services integrated with AWS KMS.
  2. CMK (Customer Managed Key): It is created and managed by the user according to their requirements and is owned by the user.

Pre-requisites

Before sharing your encrypted AMI and launching instances from it, you must set your AWS KMS key policy and AWS Identity and Access Management (IAM) policy.

This demonstration requires two AWS accounts:
1. A source account to create a custom AMI and encrypt its Amazon EBS snapshots.
2. A target account that launches instances from the shared custom AMI with encrypted snapshots.

Encryption Considerations

Decide whether to use the same AWS KMS key for encryption in both the source and destination accounts or create an AWS KMS key in the destination account and grant permissions for cross-account access.

Step-by-Step Migration Guide

1. Create a CMK key in the source account

Go to the AWS console -> Search for AWS KMS -> Create customer managed key (CMK) that will be used to encrypt the AMI.

2. Share CMK key access to another account

Inside the CMK key, you will find the option to give access to other AWS accounts in the key policy tab.

Note: If you have an encrypted disk via CMK, skip Step 3.

3. Create a new volume to change the encryption key

From the Snapshot of the encrypted Amazon EC2 instance, create a new volume for changing the encryption from AMK to CMK.

While creating the volume from the snapshot, you will find the AWS KMS key option for selecting the KMS key. Select the CMK key that you created in Step 1.

You will find that the volume's encryption key has changed to the CMK key, so you can now create a snapshot from it and share that snapshot with the other account.

4. Create a Snapshot of the new volume

Create a snapshot from the new volume created with the CMK key.

5. Create AMI from a New snapshot

Create an image and note down the AMI ID; it is required later.

6. Create the policy setting for the source account

In the policy below, replace the AMI ID with the one noted in the previous step.

Policy:

7. Create the policy setting for the target account

8. Give AMI permission to the Destination Account

9. Find the shared AMI in the destination account; you can now use that image to launch a new instance

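The whole procedure above, steps 1 through 9, as an added example in Python with boto3; this is not code from the original post. The account IDs are constructed placeholders, the permission set in the two policies (the key-use actions plus grant permissions conditioned on kms:GrantIsForAWSResource) is assumed here as the minimum needed because the post's own policy text is not reproduced, the root device name /dev/xvda is assumed, and the re-keying of steps 3 and 4 is done with copy_snapshot(KmsKeyId=...), the API equivalent of the post's new-volume-then-snapshot route. Only share_encrypted_ami needs AWS credentials; the policy builders and the accounts_granted review check run offline.

```python
import json
import re

SOURCE_ACCOUNT = "111111111111"  # constructed placeholder account ID
TARGET_ACCOUNT = "222222222222"  # constructed placeholder account ID

# Actions the target account needs to read and write data under the CMK
# (assumed minimum set; the post's own policy text is not reproduced here).
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
# EC2/EBS attach volumes through grants, so grants are allowed only for AWS resources.
GRANT_CONDITION = {"Bool": {"kms:GrantIsForAWSResource": "true"}}


def key_policy(source_account: str, target_account: str) -> dict:
    """Steps 2 and 6: key policy on the source-account CMK that lets exactly
    one other account use the key. Access is scoped to that account's root
    principal, never to "*"; the owning account keeps full control."""
    source_root = f"arn:aws:iam::{source_account}:root"
    target_root = f"arn:aws:iam::{target_account}:root"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": source_root}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseOfTheKeyByTargetAccount", "Effect": "Allow",
         "Principal": {"AWS": target_root}, "Action": KEY_USE_ACTIONS, "Resource": "*"},
        {"Sid": "AllowGrantsForAWSResources", "Effect": "Allow",
         "Principal": {"AWS": target_root}, "Action": GRANT_ACTIONS,
         "Resource": "*", "Condition": GRANT_CONDITION},
    ]}


def target_iam_policy(key_arn: str) -> dict:
    """Step 7: IAM policy for the role in the target account that launches from
    the shared AMI. Mirrors the key policy but is pinned to the one key ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": KEY_USE_ACTIONS, "Resource": key_arn},
        {"Effect": "Allow", "Action": GRANT_ACTIONS, "Resource": key_arn,
         "Condition": GRANT_CONDITION},
    ]}


def accounts_granted(policy: dict) -> set:
    """Review check before applying a key policy: return the account IDs named
    as principals and refuse any statement that grants to a wildcard principal."""
    ids = set()
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if arns == "*":
            raise ValueError(f"wildcard principal in statement {stmt.get('Sid')}")
        for arn in ([arns] if isinstance(arns, str) else arns):
            match = re.search(r"arn:aws:iam::(\d{12}):", arn)
            if match:
                ids.add(match.group(1))
    return ids


def share_encrypted_ami(region: str, source_snapshot_id: str,
                        target_account: str, ami_name: str) -> dict:
    """Steps 1-5 and 8 as API calls; runs only with real AWS credentials."""
    import boto3  # lazy import so the offline helpers above need no AWS SDK access
    kms = boto3.client("kms", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    source_account = boto3.client("sts").get_caller_identity()["Account"]

    policy = key_policy(source_account, target_account)
    assert accounts_granted(policy) == {source_account, target_account}
    # Steps 1 and 2: create the CMK with the target account already in its policy.
    key = kms.create_key(Description="AMI migration key",
                         Policy=json.dumps(policy))["KeyMetadata"]
    # Steps 3 and 4: copy the snapshot so it is re-encrypted under the CMK.
    snap = ec2.copy_snapshot(SourceSnapshotId=source_snapshot_id, SourceRegion=region,
                             Encrypted=True, KmsKeyId=key["Arn"],
                             Description="re-keyed to CMK for sharing")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # Step 5: register an AMI from the re-keyed snapshot (root device name assumed).
    ami = ec2.register_image(
        Name=ami_name, RootDeviceName="/dev/xvda", VirtualizationType="hvm",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": snap, "DeleteOnTermination": True}}],
    )["ImageId"]
    # Step 8: share the AMI and its snapshot with the target account only (not public).
    ec2.modify_image_attribute(ImageId=ami,
                               LaunchPermission={"Add": [{"UserId": target_account}]})
    ec2.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[target_account])
    return {"key_arn": key["Arn"], "snapshot_id": snap, "image_id": ami}
```

For step 9, the target account attaches target_iam_policy(key_arn) to the role that launches the instance; the key policy alone authorizes the account, but the launching principal still needs its own IAM grant to the key, which is why step 7 exists. Running accounts_granted over the policy before put_key_policy is the cheap check that the sharing statement names one account and nothing wider.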
Conclusion

Cross-account encrypted Amazon EC2 migration is a complex but necessary process for organizations that need to restructure their AWS resources for various reasons, including compliance, security, and cost management. Following the steps outlined in this blog and carefully planning the migration, you can ensure a smooth and secure transition of your Amazon EC2 instances to a new AWS account while maintaining data integrity and security. Documentation and testing are essential throughout the migration process to mitigate potential issues and minimize downtime. With the right strategy and attention to detail, you can successfully navigate the challenges of cross-account Amazon EC2 migration and achieve your organization’s goals.

Drop a query if you have any questions regarding Cross-account encrypted Amazon EC2 Migration and we will get back to you quickly.

FAQs

1. What is the difference between the AMK and CMK keys?

ANS: – An AMK key is created, managed, and owned by AWS and is used by AWS services integrated with AWS KMS. A CMK key is created and managed by the user according to their requirements and is owned by the user.

2. How can I ensure minimal downtime during migration?

ANS: – To minimize downtime, plan the migration during periods of lower traffic. Additionally, consider using AWS Elastic Load Balancers or other failover mechanisms to route traffic to the new instances seamlessly.

WRITTEN BY Kashyap Nitinbhai Shani

Kashyap Nitinbhai Shani is a Research Associate at CloudThat. He is interested to learn advanced technologies and gain insights into new and upcoming cloud services. He likes writing tech blogs and learning new languages.
