How to encrypt AMI
Encrypting an AMI means its EBS snapshots are encrypted using AWS KMS keys, protecting data at rest and in transit.
You can’t encrypt an existing AMI directly — you must copy it and enable encryption.
Benefits:
- Data security by protecting AMI data from unauthorized access
- Meets compliance and security regulations like GDPR and HIPAA
- Lets you use customer managed KMS keys for fine-grained access control
- Keeps AMI data secure even during cross-region transfers
Disadvantages:
- Requires copying the AMI, so it is not instant encryption
- Encrypted snapshots still incur storage charges
- Shared encrypted AMIs require the recipient to have permission for the KMS key
Quick Tip to Remember:
Unencrypted AMI → Copy and Encrypt → Secure Image
Document link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
1. Log in to your account.
2. Go to the AMI section and select the AMI you want to encrypt.
3. Click the Actions button, then choose Copy AMI to either the same region or a different region.
4. When copying the AMI, enable encryption, complete the required information, and select the KMS key that meets your requirements.
5. Check whether the AMI has been created successfully.
6. Next, verify that the associated volumes and snapshots are encrypted, and check the Key ARN. To do this, select the copied AMI, open it, and review its volumes.
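The same procedure through the EC2 API: steps 3-4 as a CopyImage call with encryption enabled, and step 6 as a check over DescribeImages/DescribeSnapshots-shaped data that flags any snapshot behind the copy that is unencrypted or protected by a different key. This is an added example, not from the AWS documentation; the AMI id, KMS key ARN, region and the sample image/snapshot records are placeholders or constructed.

```python
from typing import Dict, List, Tuple

SOURCE_AMI_ID = "ami-SOURCE-PLACEHOLDER"  # placeholder: the unencrypted AMI to copy
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"  # placeholder
REGION = "us-east-1"


def copy_ami_encrypted(source_ami_id: str, kms_key_arn: str, region: str) -> str:
    """Console steps 3-4 as an API call: CopyImage with Encrypted=True.
    Needs boto3 and credentials, so it is only called by hand, never from tests."""
    import boto3  # imported here so the offline verification below needs no boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.copy_image(
        Name=f"encrypted-copy-of-{source_ami_id}",
        SourceImageId=source_ami_id,
        SourceRegion=region,   # same-region copy; for cross-region, put the source region here
        Encrypted=True,        # every EBS snapshot behind the new AMI is encrypted
        KmsKeyId=kms_key_arn,  # omit to fall back to the account's default aws/ebs key
    )
    return resp["ImageId"]


def unencrypted_devices(image: Dict, snapshots: Dict[str, Dict], key_arn: str) -> List[Tuple[str, str]]:
    """Console step 6: for each EBS device of a DescribeImages entry, look up its
    snapshot (DescribeSnapshots output keyed by SnapshotId) and report devices that
    are unencrypted or use a different KMS key. Instance-store mappings are skipped."""
    problems = []
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:  # ephemeral/instance-store device, nothing to check
            continue
        snap = snapshots.get(ebs["SnapshotId"], {})  # unknown snapshot counts as unencrypted
        if not snap.get("Encrypted"):
            problems.append((mapping["DeviceName"], "not encrypted"))
        elif snap.get("KmsKeyId") != key_arn:
            problems.append((mapping["DeviceName"], "wrong key"))
    return problems


# Constructed sample data shaped like DescribeImages / DescribeSnapshots output (not real).
SAMPLE_IMAGE = {"ImageId": "ami-COPY-PLACEHOLDER", "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0001"}},
    {"DeviceName": "/dev/sdb", "Ebs": {"SnapshotId": "snap-0002"}},
    {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral0"},
]}
SAMPLE_SNAPSHOTS = {
    "snap-0001": {"Encrypted": True, "KmsKeyId": KMS_KEY_ARN},
    "snap-0002": {"Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
}

if __name__ == "__main__":
    print(unencrypted_devices(SAMPLE_IMAGE, SAMPLE_SNAPSHOTS, KMS_KEY_ARN))
```

With the sample data the check reports `/dev/sdb` as encrypted with the wrong key, which is exactly the case a console glance at "Encrypted: Yes" would miss.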
