Desired Result: After hearing many horror stories of malicious users gaining access to AWS accounts and wiping out resources, I'm interested in creating a system that can copy RDS Snapshots and EC2 AMIs/Volumes to a completely separate AWS account for use as a 'time-capsule' or 'ice-cold-recovery' site.
Security Basics: I use IAM with MFA for all existing accounts, and I restrict who-can-do-what based on need-to-access. Most users have read-only access to everything, and a select few are power users. We never use the root account.
Initial discoveries: Since there isn't a native way to copy AMIs or Snapshots to another account, my current understanding is that I would need to use our current account to allow the 'vault' account access to the AMIs/Snapshots, then use the vault account to launch an instance/DB from the AMI/SS, then make another AMI/SS of the instance/DB in order to make a complete copy in another account.
Questions:
- Is this stupid?
- Is there a better way?
- Is anyone aware of a service or scripting solution that could accomplish this in a simple manner?
I'm sure with enough time I could use the SDK and make something that does this, but I'm very open to NOT coding it myself.
You are correct that an Amazon Machine Image (AMI) cannot be copied to another AWS Account.
The method of sharing an AMI and then launching an instance from another account is one method of making a copy of the AMI (although not a perfect copy, since it will be used while launching the new instance).
Another idea is to:
Then, in the other account, either:
All options will make a copy of the data in the other account, either as a snapshot, volume or AMI.
See: HowTo: Copy EC2 EBS AMIs Between Accounts
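The snapshot route the answer describes (share the EBS snapshot with the vault account, then have the vault account make its own copy), as an added scripting example that is not code from the thread or from AWS. It assumes two boto3 EC2 clients with the standard `modify_snapshot_attribute`, `copy_snapshot` and `describe_snapshots` methods; the account IDs and snapshot IDs are constructed placeholders, and the `FakeEC2` class is a constructed stand-in so the flow can be exercised offline.

```python
"""Copy an EBS snapshot from a source account into a separate 'vault' account.

Flow: (1) source account grants the vault account createVolume permission on
the snapshot; (2) vault account calls CopySnapshot, which produces a new
snapshot *owned by the vault account*; (3) source account revokes the share.
Step 2 is what makes this a backup: a snapshot that is merely shared is still
owned (and deletable) by the source account.
"""
import time

SOURCE_ACCOUNT = "111111111111"  # constructed placeholder
VAULT_ACCOUNT = "222222222222"   # constructed placeholder


def share_snapshot(ec2_source, snapshot_id, vault_account):
    """Source account: allow the vault account to read/copy the snapshot.
    Note: snapshots encrypted with the default AWS-managed EBS key cannot be
    shared; use a customer-managed KMS key if the source volume is encrypted."""
    ec2_source.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="add",
        UserIds=[vault_account],
    )


def revoke_share(ec2_source, snapshot_id, vault_account):
    """Source account: remove the share once the vault has its own copy."""
    ec2_source.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        UserIds=[vault_account],
    )


def copy_into_vault(ec2_vault, snapshot_id, source_region, description, kms_key_id=None):
    """Vault account: create an independent copy. Re-encrypting with a vault-owned
    KMS key (kms_key_id) means the source account has no key to decrypt it."""
    kwargs = dict(SourceRegion=source_region, SourceSnapshotId=snapshot_id,
                  Description=description)
    if kms_key_id:
        kwargs.update(Encrypted=True, KmsKeyId=kms_key_id)
    return ec2_vault.copy_snapshot(**kwargs)["SnapshotId"]


def wait_until_completed(ec2_vault, snapshot_id, poll_seconds=15, max_polls=240):
    """Poll until the vault-owned copy is 'completed' (it is unusable before)."""
    for _ in range(max_polls):
        snap = ec2_vault.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
        if snap["State"] == "completed":
            return snap
        if snap["State"] == "error":
            raise RuntimeError(f"copy {snapshot_id} failed")
        time.sleep(poll_seconds)
    raise TimeoutError(f"copy {snapshot_id} did not complete")


def vault_snapshot(ec2_source, ec2_vault, snapshot_id, source_region,
                   vault_account=VAULT_ACCOUNT, kms_key_id=None, poll_seconds=15):
    """End-to-end: share, copy, wait, and always revoke the share afterwards."""
    share_snapshot(ec2_source, snapshot_id, vault_account)
    try:
        new_id = copy_into_vault(ec2_vault, snapshot_id, source_region,
                                 f"vault copy of {snapshot_id}", kms_key_id)
        wait_until_completed(ec2_vault, new_id, poll_seconds=poll_seconds)
    finally:
        revoke_share(ec2_source, snapshot_id, vault_account)
    return new_id


class FakeEC2:
    """Constructed offline stand-in for a boto3 EC2 client; records calls."""
    def __init__(self, copy_id="snap-vault0001"):
        self.calls, self.copy_id = [], copy_id

    def modify_snapshot_attribute(self, **kw):
        self.calls.append(("modify_snapshot_attribute", kw))
        return {}

    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": self.copy_id}

    def describe_snapshots(self, **kw):
        return {"Snapshots": [{"SnapshotId": kw["SnapshotIds"][0], "State": "completed"}]}


if __name__ == "__main__":
    # Offline demonstration with the constructed fakes; with real boto3 clients
    # (one per account, e.g. via separate profiles) the same function applies.
    src, vault = FakeEC2(), FakeEC2()
    print(vault_snapshot(src, vault, "snap-0123456789abcdef0", "us-east-1", poll_seconds=0))
```

The vault account's copy is what the source account cannot touch; the `finally` ensures the share is revoked even if the copy fails, so a compromised source account does not leave a standing grant to the vault. The same share-then-copy pattern applies to RDS snapshots (`modify_db_snapshot_attribute` with the `restore` attribute, then `copy_db_snapshot` in the vault account).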