Clone an EC2 AMI to Another AWS Account

If you manage more than one AWS account, you most likely have pre-built AMIs that you frequently use when provisioning new instances.

You may be building AMIs on a per account basis, and some of these may be nearly identical to those found on the other accounts you manage. Effectively, you are duplicating effort when, with a bit of magic, you can easily clone/copy any AMI to another account.

AWS currently supports AMI sharing, which gives one account the ability to share AMIs with another account. The caveat to this is that the sharing account maintains control over the AMI and any instances that are provisioned from that AMI will have a product code linked to the sharing account’s AMI.

The following assumptions are being made:

  • IAMA/Master account with proper privileges
  • Two or more AWS accounts
  • You already have an AMI built that you want to copy
  • ext4 filesystem
  • You are comfortable working in a shell/command line

For ease of explanation, I will be referencing two accounts, we’ll call them:

  • Primary – Contains the original AMI
  • Secondary – Will be cloning/creating the new AMI

Secondary Account Credentials

Begin by logging into the AWS Console of Secondary.

We’ll need to get the account number for Secondary, so navigate to Security Credentials and look under the Account Identifiers dropdown.

Copy the AWS Account ID. For the sake of this write up, we’ll say the ID is 1234-1234-1234.

Share AMI from Primary

Continue by logging into the AWS Console of Primary.

Locate the AMI you want to clone. At the time of this entry, it was located in the left-hand sidebar menu under Images > AMIs.

Right click on the AMI and select Image Permissions.

In the field titled AWS Account Number, paste Account ID for Secondary. In our case, 1234-1234-1234.

Click Add Permission and then Save.

Launch an Instance

Next log back into the AWS Console of Secondary.

Locate the newly shared AMI. If you can’t find the AMI, ensure that the filter is not set to Owned by Me.

Right-click the AMI and click Launch. Launch a new instance (it can be any instance type, this is temporary instance to do the cloning). Take note of the volume size of the new instance.

Create a Volume

While the instance is starting up, we need to create a new volume.

Navigate to the Volumes module and click the Create Volume button.

Make sure that the new volume you create is of the same type (paravirtual vs. hardware assisted) and same size (the size you noted in the previous step).

Attach the Volume

At this point your instance should have started. Right-click on the new volume you created and select Attach Volume.

In the Instance input, find the new instance you created in the previous step. For Device, you can most likely accept the default value, it may be /dev/sdf or similar.

Verify

SSH into the instance you created above.

Once connected, verify that the instance can see both volumes by entering

$ ls -la /dev | grep 'xvd'

Which should return a list similar to the following

xvda
xvda1
xvdf

Depending on the attachment points you set, these could be different, but the important thing to note is that xvda/xvda1 represents the boot volume and xvdf represents our clone drive.

Clone

With the two drives verified, create the new filesystem on the clone drive

$ mkfs -t ext4 /dev/xvdf

Once complete, you will clone the contents of the original volume (which represents the original AMI currently associated to Primary).

To clone the data, enter

$ dd bs=65536 if=/dev/xvda of=/dev/xvdf

In the above line, if represents the input file, or in this case the original volume, and of represents the output file, the clone drive. Ensure these are entered correctly.

Once complete, exit the SSH session and return to the AWS Console of Secondary.

Verify

At this point, you would probably be okay with creating the new AMI, but it is good practice to verify that the new volume works correctly.

Shut down the cloning instance you created in the earlier step.

Navigate to the Volumes module and left-click on the originally provisioned volume. Take a look at the inspection panel (found below the Volumes list) and make a note of Attachment Info. It should show an attachment point, something like /dev/xvda.

Now right click on the volume and select Detach. Do the same with the clone volume.

Right-click, again, on the clone volume and select Attach. Select the clone instance for the Instance input field and for the Attachment input field, enter the information you observed in the step directly above.

Click Attach.

When the volume is attached, start the instance and verify it boot without issue and operates as you expect.

Create Snapshot and AMI

Once you’ve verified the volume functions properly, shut down the instance.

Navigate to the Volumes module and right-click on the clone volume. Select Create Snapshot.

A snapshot will begin, the time needed will vary depending on the volume size.

Navigate to the Snapshots module to check the process of the snapshot.

Once the snapshot has been created successfully, right click on the new snapshot and select Create Image. Fill in a name, description and AMI settings, (these will vary depending on your desired AMI properties), and click Create.

A new AMI is being created.

Locate the newly created AMI in your list of available images.

Ensure that your new AMI is being created. If you cannot find your new AMI, double check the filter options at the top of the images list. Try filtering by Owned by Me.

Cleaning Up

At this point, your AMI has been created, it is associated to Secondary and no product codes should be attached to it.

Now you can terminate the clone instance we created. You can also delete both volumes (original and clone).

Finally, login to the AWS Console of Primary.

Locate the AMI you shared earlier.

Right click on the AMI and select Image Permissions.

Remove the sharing permission you added in the earlier steps and click Save.