Migrate encrypted Amazon EC2 instances across AWS Regions without sharing AWS KMS keys
Compute Blog
The article is a guide to migrating encrypted Amazon EC2 instances across AWS Regions without sharing AWS KMS keys, particularly when moving between different accounts. The solution:
- Creates an Amazon Machine Image (AMI) of the source server
- Uses AWS CloudShell to store the AMI in an S3 bucket in the source account
- Copies the AMI .bin file to a target S3 bucket in the destination account
- Restores the AMI in the target account and launches a new EC2 instance
- Ensures security by avoiding direct KMS key sharing between Regions
Key limitations include support only for Amazon EBS-backed AMIs, storage size restrictions, and the requirement to use AWS CLI or SDKs for the migration process.