3

Desired Result: After hearing many horror stories of malicious users gaining access to AWS accounts and wiping out resources, I'm interested in creating a system that can copy RDS Snapshots and EC2 AMIs/Volumes to a completely separate AWS account for use as a 'time-capsule' or 'ice-cold-recovery' site.

Security Basics: I use IAM with MFA for all existing accounts, and I restrict who-can-do-what based on need-to-access. Most users have read-only access to everything, and a select few are power users. We never use the root account.

Initial discoveries: Since there isn't a native way to copy AMIs or Snapshots to another account, my current understanding is that I would need to use our current account to allow the 'vault' account access to the AMIs/Snapshots, then use the vault account to launch an instance/DB from the AMI/SS, then make another AMI/SS of the instance/DB in order to make a complete copy in another account.

Questions:

  1. Is this stupid?
  2. Is there a better way?
  3. Is anyone aware of a service or scripting solution that could accomplish this is a simple manner?

I'm sure with enough time I could use the SDK and make something that does this, but I'm very open to NOT coding it myself.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
HeavyObjectLifter
  • 87
  • 5
  • 1
    Related, for RDS: http://stackoverflow.com/questions/18192609/can-rds-snapshots-be-transferred-across-aws-accounts. You can [share an AMI](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html) with another account, but not an RDS snapshot. You may be better off to do a conventional dump and transfer that to a target database on your other account. – Anthony Neace Dec 17 '14 at 21:37

1 Answers1

1

You are correct that an Amazon Machine Image (AMI) cannot be copied to another AWS Account.

The method of sharing an AMI and then launching an instance from another account is one method of making a copy of the AMI (although not a perfect copy, since it will be used while launching the new instance).

Another idea is to:

  • Share the snapshot underlying the AMI with the other account (AMIs are actually persisted in snapshots)

Then, in the other account, either:

  • Copy the snapshot to the other account, OR
  • Create a new volume from the snapshot, OR
  • Register an AMI from the snapshot

All options will make a copy of the data in the other account, either as a snapshot, volume or AMI.

See: HowTo: Copy EC2 EBS AMIs Between Accounts

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470