
AWS permissions required to copy and encrypt AMI


I am trying to copy an AMI from one AWS account to another and encrypt it with a CMK in the target account.

The key policy on the CMK is:

{
  "Version": "2012-10-17",
  "Id": "key-default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TARGET-ACCOUNT-NUMBER:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

I have created a role in the target account with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "ec2:CopyImage"
            ],
            "Resource": "*"
        }
    ]
}

Also attached to this role is the AmazonEC2ReadOnlyAccess policy.

If I log in to the root account and assume the role in the target account and then try to copy the AMI with my CMK, it fails with the error "Snapshot snap-abc123xyz is in an unexpected state: error". There is no additional information on the snapshot to indicate the root cause.

If I attach the AdministratorAccess policy to the role the AMI copies OK, so it must be a permissions issue.

Can someone provide the list of permissions required to copy an AMI with encryption?


Solution

  • From this blog: https://aws.amazon.com/blogs/aws/new-cross-account-copying-of-encrypted-ebs-snapshots/

    "Target Account – The IAM user or role in the target account needs to be able to perform the DescribeKey, CreateGrant, and Decrypt operations on the key associated with the original snapshot. The user or role must also be able to perform the CreateGrant, Encrypt, Decrypt, DescribeKey, and GenerateDataKeyWithoutPlaintext operations on the key associated with the call to CopySnapshot."

    Also, I believe this is what you are looking for: https://aws.amazon.com/blogs/security/how-to-create-a-custom-ami-with-encrypted-amazon-ebs-snapshots-and-share-it-with-other-accounts-and-regions/
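To compare a role policy against the action list quoted above, here is an added Python example (not from the question, the answer, or AWS; it embeds the question's role policy as sample input and takes the required actions from the quoted blog text). It applies IAM's case-insensitive wildcard matching to Allow statements only, ignoring Deny, Resource and Condition, so it reports only actions the policy plainly lacks.

```python
"""Report KMS actions a role policy is missing for an encrypted cross-account AMI/snapshot copy."""
import fnmatch
import json

# Actions named in the answer's quote of the AWS blog post.
REQUIRED_ON_SOURCE_KEY = {"kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt"}
REQUIRED_ON_TARGET_KEY = {"kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                          "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext"}

# Sample input: the role policy from the question, copied as-is.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases", "kms:GenerateDataKey", "kms:DescribeKey",
                 "kms:Encrypt", "ec2:CopyImage"],
      "Resource": "*"
    }
  ]
}
""")


def allowed_action_patterns(policy):
    """Collect Action patterns from Allow statements; IAM matches actions
    case-insensitively with * and ? wildcards, so everything is lower-cased."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns


def is_allowed(action, patterns):
    """True if any Allow pattern (e.g. 'kms:*') matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def missing_actions(policy, required):
    """Return the required actions the policy does not allow, sorted for stable output."""
    patterns = allowed_action_patterns(policy)
    return sorted(a for a in required if not is_allowed(a, patterns))


if __name__ == "__main__":
    # Note kms:GenerateDataKey does not cover kms:GenerateDataKeyWithoutPlaintext.
    print("missing on source key:", missing_actions(ROLE_POLICY, REQUIRED_ON_SOURCE_KEY))
    print("missing on target key:", missing_actions(ROLE_POLICY, REQUIRED_ON_TARGET_KEY))
```

Attaching AdministratorAccess works because its "*" action matches everything; the function shows the narrower set that the original role still needs.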