maryam mairaj for SUDO Consultants

Securely Share KMS‑Encrypted EC2 AMIs Between AWS Accounts [2025]

In this blog post, we'll walk you through the critical process of securely sharing AWS Key Management Service (KMS)-encrypted Amazon Machine Images (AMIs) across AWS accounts, what it is, why it's important, and how to implement it effectively using AWS best practices.

Table of Contents

  • What Is an Amazon Machine Image (AMI)?
  • Why Share AMIs Across AWS Accounts?
  • Understanding the Complexity of Sharing Encrypted AMIs
  • Key Concepts: KMS, CMK, and AMI Encryption
  • Step-by-Step Guide to Share KMS-Encrypted AMIs
  • Best Practices for Secure Cross-Account Sharing
  • Common Issues & Troubleshooting
  • AWS AMI Sharing Limitations
  • Frequently Asked Questions (FAQs)
  • Conclusion

What Is an Amazon Machine Image (AMI)?

An Amazon Machine Image, or AMI, is a fundamental building block within AWS that contains all the necessary information required to launch an EC2 instance. It includes a template for the root volume, launch permissions, and block device mappings. These components define the software configuration, operating system, application server, and other settings needed to spin up a virtual server. AMIs are critical in standardizing cloud environments across teams and business units, promoting consistency, repeatability, and control in infrastructure deployments.

Why Share AMIs Across AWS Accounts?

In many organizations using a multi-account strategy, often structured through AWS Organizations, there is a common need to share AMIs across accounts. As more teams adopt a multi-account strategy, whether for separation of environments (dev, staging, prod) or for organizational isolation (by business unit or project), sharing prebuilt AMIs becomes essential. Rather than manually recreating configurations in each account, it is more secure and efficient to share AMIs across AWS accounts. This cross-account strategy enhances productivity, maintains control, and aligns with security and governance practices.

Understanding the Complexity of Sharing Encrypted AMIs

Sharing unencrypted AMIs is relatively straightforward, requiring only a change in launch permissions to the target AWS account. However, sharing KMS-encrypted AMIs adds several layers of complexity. Each AMI snapshot is encrypted using a Customer Managed Key (CMK), which is tightly bound to the AWS account that created it. To share a KMS-encrypted AMI successfully, not only must the AMI be shared, but the underlying encrypted EBS snapshots and the CMK must also be explicitly shared with the destination account. Additionally, the involved IAM roles must have carefully scoped permissions to avoid access issues.

Key Concepts: KMS, CMK, and AMI Encryption

To better understand this process, it's important to grasp a few key concepts.

  • AWS Key Management Service (KMS) is the service responsible for managing encryption keys across AWS.
  • A Customer Managed Key (CMK) is a KMS key created and managed by the user, allowing for custom permissions and control.
  • When an EC2 instance is created using EBS volumes encrypted with a CMK, any AMI created from that instance retains those encrypted snapshots.
  • Sharing such an AMI requires ensuring that the AMI, snapshots, and CMK are all properly accessible to the destination account.

Step-by-Step Guide to Share KMS-Encrypted AMIs
Step 1: Create a KMS-Encrypted AMI
In the source account:

1. Create a Customer Managed Key (CMK)

  • Sign in to the source AWS account.

  • Navigate to the KMS (Key Management Service) console:

  • Go to Customer-managed keys

  • Click "Create key".

  • Select Symmetric key, choose Key usage: Encrypt and decrypt, and click Next.

  • Give the key an alias (e.g., "my-cms-key"); a description is optional. Click Next.

  • Under Key administrators, choose your IAM user or role who will manage the key.

  • Under Key usage permissions, select IAM users/roles who will use this key to encrypt EBS volumes. Add the destination account ID in the other AWS accounts section.

  • Complete the creation process and note the Key ID (you'll need it later).

2. Launch an EC2 Instance with an Encrypted EBS Volume

Go to the EC2 console:

  • Click "Launch instance".
  • Name your server and choose an AMI (e.g., Amazon Linux 2 or Ubuntu).
  • Select the configuration your server requires.
  • Under Storage, click Advanced for the root volume.
  • Under the Encrypted section, select "Encrypted" and choose the CMK you created in step 1 by its alias from the dropdown.
  • Complete the launch wizard and start the instance.

3. Create an AMI from the Instance

  • In the EC2 console, right-click the instance → Image and templates → Create image.
  • Give the image a name (e.g., my-EC2-server-AMI). Make sure to uncheck Reboot instance.
  • Ensure the root volume and any additional volumes are encrypted with the same CMK.
  • Click Create image.
  • Wait for the AMI to be available (check under AMIs).

Step 2: Modify the KMS Key Policy to Allow Access to the Destination Account

You now need to allow the destination AWS account to use your CMK to decrypt the AMI snapshots.

  • Go to KMS Console → Customer-managed keys → Select your key → Key Policy → Switch to policy view.
  • Add the following JSON statement within the Statement array:

{
  "Sid": "AllowUseByTargetAccount",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::DESTINATION_ACCOUNT_ID:root" },
  "Action": [
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:DescribeKey",
    "kms:GenerateDataKey*",
    "kms:CreateGrant"
  ],
  "Resource": "*"
}

  • Replace DESTINATION_ACCOUNT_ID with the actual 12-digit AWS account ID (e.g., 123456789012).
  • Note: Ensure your KMS key policy still allows your source account's users to use the key as well.

Step 3: Add IAM Permissions in the Destination Account

In the destination AWS account, you need to give users or roles permission to interact with the CMK from the source account.

  • Go to the IAM Console → Policies → Create policy.
  • Use the JSON editor and paste:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:REGION:SOURCE_ACCOUNT_ID:key/CMK_ID"
    }
  ]
}

Replace REGION, SOURCE_ACCOUNT_ID, and CMK_ID with actual values (you can get the CMK ARN from the KMS console in the source account). The Version value must be exactly 2012-10-17 with plain ASCII hyphens; IAM rejects a policy whose Version string is anything else.

Attach this policy to the IAM user or role in the destination account that will launch the instance.
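Steps 2 and 3 can also be applied programmatically rather than by hand-editing JSON in the console. The following Python example is added here and is not code from the original post: it appends the key-policy statement from Step 2 with the checks a reviewer would want (a 12-digit account ID, a Version string with ASCII hyphens, no duplicate Sid, and the source account's root principal still allowed afterwards) and builds the Step 3 identity policy scoped to one CMK ARN. The account IDs and key ID are placeholders.

```python
import json
import re

# Constructed sample: a default-style key policy as the source account's CMK would have
# after Step 1. Account IDs and the key ID are placeholders, not real values.
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"
CMK_ARN = f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/PLACEHOLDER-KEY-ID"
EXISTING_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CROSS_ACCOUNT_ACTIONS = ["kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey",
                         "kms:GenerateDataKey*", "kms:CreateGrant"]

def add_cross_account_statement(policy: dict, dest_account: str) -> dict:
    """Copy of the key policy with the Step 2 statement appended exactly once."""
    if not ACCOUNT_ID_RE.match(dest_account):
        raise ValueError("destination account ID must be 12 digits")
    if policy.get("Version") != "2012-10-17":  # rejects typed dashes such as "2012–10–17"
        raise ValueError("policy Version must be the ASCII string 2012-10-17")
    new = json.loads(json.dumps(policy))  # deep copy; the caller's policy stays untouched
    if any(s.get("Sid") == "AllowUseByTargetAccount" for s in new["Statement"]):
        raise ValueError("AllowUseByTargetAccount already present; edit it instead")
    new["Statement"].append({
        "Sid": "AllowUseByTargetAccount", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dest_account}:root"},
        "Action": CROSS_ACCOUNT_ACTIONS, "Resource": "*"})
    return new

def account_root_allowed(policy: dict, account: str) -> bool:
    """Step 2 note: the account's root principal must still appear in an Allow statement."""
    root = f"arn:aws:iam::{account}:root"
    for s in policy["Statement"]:
        principals = s.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if s.get("Effect") == "Allow" and root in principals:
            return True
    return False

def destination_iam_policy(cmk_arn: str) -> dict:
    """Step 3 identity policy for the destination account, scoped to one CMK ARN."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
            "Resource": cmk_arn}]}
```

AWS's documented form of this cross-account statement additionally conditions kms:CreateGrant on "kms:GrantIsForAWSResource": "true", so principals in the destination account can only create grants on behalf of AWS services such as EC2 rather than for themselves.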

Step 4: Share the Encrypted Snapshots

Each AMI consists of one or more EBS snapshots, and these also need to be shared. From the source account, identify the snapshot ID(s) linked to your AMI:

  • Go to EC2 Console → Snapshots.
  • Filter by AMI ID or creation date to find the right ones.
  • Select the snapshot by checking the box next to it.
  • Click the "Actions" dropdown button, select Snapshot settings, and choose "Modify permissions".
  • In the "Add account ID" field, enter the destination AWS account ID (12-digit number).
  • Click "Save changes" to apply.

Step 5: Share the AMI with the Destination Account
In the source account, follow these steps:

  • Navigate to EC2 Console → AMIs → Find your encrypted AMI.

  • Click Actions → Edit Image Permissions.

  • Set visibility to Private. Make sure to check the Grant permissions checkbox. It allows the destination account to launch instances from this AMI with EBS volumes.

  • Add the destination AWS account ID.

  • Click Save changes.
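Steps 4 and 5 are easy to get wrong when an AMI has several volumes. The following Python example is added here and is not code from the original post: it lists the snapshots behind an AMI from a describe-images response (skipping instance-store mappings, which have no snapshot), checks each snapshot against the CMK shared in Step 2 using describe-snapshots data, and emits the AWS CLI commands equivalent to the console clicks in Steps 4 and 5. The sample responses, account IDs, snapshot IDs and key ID are constructed placeholders.

```python
# Constructed samples in the shape of `aws ec2 describe-images` and `aws ec2 describe-snapshots`
# output for the AMI from Step 1. Account IDs, snapshot IDs and the key ID are placeholders.
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"
CMK_ARN = f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/PLACEHOLDER-KEY-ID"
SAMPLE_IMAGE = {"ImageId": "ami-0123456789abcdef0", "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa1111aaaa1111a"}},
    {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0bbb2222bbbb2222b"}},
    {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},  # instance-store volume: no snapshot
]}
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa1111aaaa1111a", "OwnerId": SOURCE_ACCOUNT, "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"SnapshotId": "snap-0bbb2222bbbb2222b", "OwnerId": SOURCE_ACCOUNT, "Encrypted": True, "KmsKeyId": CMK_ARN},
]

def ami_snapshot_ids(image: dict) -> list:
    """Snapshot IDs behind an AMI; mappings without an Ebs block are instance-store volumes."""
    return [m["Ebs"]["SnapshotId"] for m in image["BlockDeviceMappings"] if "Ebs" in m]

def sharing_problems(snapshots: list, expected_cmk_arn: str, source_account: str) -> list:
    """Conditions that make the Step 6 launch fail in the destination account: a snapshot
    owned by another account, an unencrypted snapshot, or one encrypted with a key other than
    the CMK shared in Step 2 (an AWS-managed key such as aws/ebs can never be shared)."""
    problems = []
    for s in snapshots:
        if s.get("OwnerId") != source_account:
            problems.append(f"{s['SnapshotId']}: owned by {s.get('OwnerId')}, cannot share it")
        if not s.get("Encrypted"):
            problems.append(f"{s['SnapshotId']}: not encrypted")
        elif s.get("KmsKeyId") != expected_cmk_arn:
            problems.append(f"{s['SnapshotId']}: encrypted with a different key {s.get('KmsKeyId')}")
    return problems

def sharing_commands(image: dict, dest_account: str) -> list:
    """AWS CLI equivalents of Step 4 (createVolume permission on each snapshot) and Step 5
    (launch permission on the AMI), returned as strings for review before they are run."""
    cmds = [f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
            f"--attribute createVolumePermission --operation-type add --user-ids {dest_account}"
            for sid in ami_snapshot_ids(image)]
    cmds.append(f"aws ec2 modify-image-attribute --image-id {image['ImageId']} "
                f'--launch-permission "Add=[{{UserId={dest_account}}}]"')
    return cmds
```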

Step 6: Launch the Shared AMI in the Destination Account

In the destination account, follow these steps:

  1. Go to EC2 Console → AMIs → Filter by Private images.
  2. Select the AMI shared by the source account.
  3. Click Launch.
  4. During instance configuration, optionally select your own CMK or the AWS default EBS encryption key to re-encrypt the volumes.
  5. Complete the instance launch.

Congratulations! You have successfully shared the AMI across AWS accounts and have launched the server.

Best Practices for Secure Cross-Account Sharing
Adopting best practices is key to successful and secure AMI sharing.

  • Always use least-privilege policies
  • Use unique CMKs per environment
  • Re-encrypt volumes during instance launch in the destination account
  • Rotate CMKs periodically
  • Log and monitor all KMS usage via CloudTrail

Common Issues & Troubleshooting

Common problems include:

  1. Access denied errors often stem from missing IAM permissions or incorrect key policies.
  2. If a shared AMI doesn't appear in the destination account, check whether the AMI has been properly shared and whether the filters are set to show private images.
  3. Snapshot inaccessibility may occur if snapshot permissions were not granted manually.
  4. If an instance launch fails, it's usually due to missing CMK permissions. Double-check the trust relationships and policy configurations to resolve such issues.

AWS AMI Sharing Limitations
Despite its benefits, AMI sharing has a few limitations.

  • AMIs that use instance-store volumes cannot be shared across accounts.
  • Only Customer Managed Keys (CMKs) are supported for sharing; AWS-managed keys like aws/ebs cannot be shared.
  • Additionally, sharing an AMI does not automatically share billing metadata or resource tags, which must be managed separately.

Frequently Asked Questions (FAQs)

  1. Can I share encrypted AMIs with AWS Organizations?   Yes, using organization IDs in launch permissions.
  2. Is it secure to share CMKs?   Yes, if done with strict key policies and IAM boundaries.
  3. Can the destination account copy the shared AMI?   Yes. Copying re-encrypts with a new CMK.
  4. Do I need to share snapshots manually?   Not if the AMI is shared correctly; it includes snapshot access.
  5. Can I revoke access?   Yes. Remove launch permissions and update the key policy.
  6. Is this approach compliant with AWS security best practices?   Yes, when implemented with least-privilege, tagging, and monitoring.

Conclusion: Security, Flexibility, and Reusability
Sharing KMS-encrypted AMIs between AWS accounts enables secure, repeatable infrastructure. When done correctly, this process balances control, compliance, and automation across your cloud estate. By using dedicated CMKs, adjusting launch permissions, and maintaining strong tagging and audit practices, your organization can scale securely in 2025 and beyond. As cloud environments continue to grow in complexity, mastering cross-account resource sharing will remain a foundational skill for secure and agile cloud operations.
