
Is it possible to create an encrypted EBS boot volume for a Windows EC2 instance?

This AWS example shows how to copy an unencrypted boot volume, creating an encrypted boot volume: aws ec2 copy-image -r us-east-1 -s ami-60b6c60a --encrypted --kmsKeyID arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef

However, when I try this with the Microsoft Windows Server 2012 R2 Base - ami-c8a9baa2 as the source using aws ec2 copy-image --source-region us-east-1 --source-image-id ami-c8a9baa2 --name 'W12R2_Base_encrypted' --description 'Microsoft Windows Server 2012 R2 Base - ami-c8a9baa2 (encrypted)' --encrypted, I get the error: "A client error (InvalidRequest) occurred when calling the CopyImage operation: Images with EC2 BillingProduct codes cannot be copied to another AWS account."

Peter M

2 Answers


You first need to create your own private AMI based on this Marketplace AMI. The "BillingProduct" part of the error is the main clue.

In more detail:

  1. Launch an instance with this Marketplace AMI. [Optionally, you can log in and modify it.]
  2. Use this newly launched instance to create your own private AMI (Create Image).
  3. Copy this image and check the Encryption box. Using the CLI, you would use the copy-image mode with the --encrypted flag.

More info: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html

KJH
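The three steps in this answer as an added bash script driven by the AWS CLI (this is not code from the answer or from AWS documentation). Region, instance type and the AMI names are assumed values; the source AMI id and the KMS key ARN are passed as arguments, and the script finishes by checking that every EBS mapping of the copied AMI reports Encrypted=True.

```bash
#!/usr/bin/env bash
# Added example: Marketplace AMI -> private AMI -> encrypted copy, then verify.
# Usage: ./encrypt-ami.sh <source-ami-id> <kms-key-arn>
set -euo pipefail

REGION="${REGION:-us-east-1}"                 # assumed region
INSTANCE_TYPE="${INSTANCE_TYPE:-t3.medium}"   # assumed; any Windows-capable type

# Steps 1 and 2: launch from the Marketplace AMI, then register a private AMI
# from the running instance. The instance is terminated once the AMI is ready.
create_private_ami() {
  local src_ami="$1" name="$2" instance image
  instance=$(aws ec2 run-instances --region "$REGION" --image-id "$src_ami" \
      --instance-type "$INSTANCE_TYPE" --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --region "$REGION" --instance-ids "$instance"
  image=$(aws ec2 create-image --region "$REGION" --instance-id "$instance" \
      --name "$name" --query 'ImageId' --output text)
  aws ec2 wait image-available --region "$REGION" --image-ids "$image"
  aws ec2 terminate-instances --region "$REGION" --instance-ids "$instance" >/dev/null
  echo "$image"
}

# Step 3: copy the private AMI with encryption under the given KMS key.
copy_encrypted_ami() {
  local src_ami="$1" name="$2" kms_key="$3" image
  image=$(aws ec2 copy-image --region "$REGION" --source-region "$REGION" \
      --source-image-id "$src_ami" --name "$name" --encrypted \
      --kms-key-id "$kms_key" --query 'ImageId' --output text)
  aws ec2 wait image-available --region "$REGION" --image-ids "$image"
  echo "$image"
}

# Verification: succeed only if the AMI has EBS mappings and none is unencrypted.
ami_is_encrypted() {
  local flags
  flags=$(aws ec2 describe-images --region "$REGION" --image-ids "$1" \
      --query 'Images[0].BlockDeviceMappings[].Ebs.Encrypted' --output text)
  [ -n "$flags" ] && ! echo "$flags" | grep -qw False
}

main() {
  local private enc
  private=$(create_private_ami "$1" "W12R2_Base_private")
  enc=$(copy_encrypted_ami "$private" "W12R2_Base_encrypted" "$2")
  if ami_is_encrypted "$enc"; then
    echo "encrypted AMI: $enc"
  else
    echo "AMI $enc still has unencrypted volumes" >&2; return 1
  fi
}
if [ $# -eq 2 ]; then main "$@"; fi
```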

It is now possible to do this (as of May 2019). You do not need to copy an AMI. Instead you can launch an instance with encrypted volumes (boot/ephemeral/ebs) directly from an unencrypted marketplace AMI.

I have not tried to do this with the CLI or programmatically, but it works from the EC2 console using the latest Windows Server image (Windows_Server-2019-English-Full-Base-2019.08.16).

The "extra steps" that detail creating/copying your own private AMI have been removed from their latest documentation. I could not find any more information on it other than this blog post.

Launch Encrypted EBS Backed EC2 Instances from Unencrypted AMIs

kenlukas