

# Copy an Amazon EC2 AMI
<a name="CopyingAMIs"></a>

When you need a consistent Amazon EC2 instance configuration across multiple Regions, you can use a single Amazon Machine Image (AMI) as your template to launch all the instances. However, AMIs are Region-specific resources—to launch an instance in a specific AWS Region, the AMI must be located in that Region. Therefore, to use the same AMI in multiple Regions, you must copy it from the source Region to each target Region.

The method you use to copy an AMI depends on whether you're copying across Regions *within the same [partition](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#partition)* or *across different partitions*:
+ **Cross-Region copying** – Copy AMIs across Regions *within the same partition*, for example, across the Regions within the commercial partition. This copy method is described in this topic.
+ **Cross-partition copying** – Copy AMIs *from one partition to another partition*, for example, from the commercial partition to the AWS GovCloud (US) partition. For information about this copy method, see [Store and restore an AMI](ami-store-restore.md).
+ **Cross-account copying** – Create a copy of an AMI that another AWS account has [shared with your AWS account](sharingamis-explicit.md). This copy method is described in this topic.

The time taken to complete the copy operation for cross-Region and cross-account AMI copying is on a best-effort basis. If you need control over the completion time, you can specify a completion window ranging from 15 minutes to 48 hours, ensuring your AMI is copied within your required timeframe. Additional charges apply for time-based AMI copy operations. For more information, see [Time-based copies](https://docs.aws.amazon.com/ebs/latest/userguide/time-based-copies.html) in the *Amazon EBS User Guide*.

**Topics**
+ [Considerations](#copy-ami-considerations)
+ [Costs](#copy-ami-costs)
+ [Grant permissions to copy Amazon EC2 AMIs](copy-ami-permissions.md)
+ [Copy an AMI](#ami-copy-steps)
+ [Stop a pending AMI copy operation](#ami-copy-stop)
+ [How Amazon EC2 AMI copy works](how-ami-copy-works.md)

## Considerations
<a name="copy-ami-considerations"></a>
+ **Permission to copy AMIs** – You can use IAM policies to grant or deny users permission to copy AMIs. Starting October 28, 2024, you can specify resource-level permissions for the `CopyImage` action on the source AMI. Resource-level permissions for the new AMI are available as before.
+ **Launch permissions and Amazon S3 bucket permissions** – AWS does not copy launch permissions or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions and Amazon S3 bucket permissions to the new AMI.
+ **Tags** – You can only copy user-defined AMI tags that you attached to the source AMI. System tags (prefixed with `aws:`) and user-defined tags that are attached by other AWS accounts will not be copied. When copying an AMI, you can attach new tags to the new AMI and its backing snapshots.
+ **Quotas for time-based AMI copies** – After you reach your *cumulative snapshot copy throughput quota*, subsequent time-based AMI copy requests fail. For more information, see [Quotas for time-based copies](https://docs.aws.amazon.com/ebs/latest/userguide/time-based-copies.html#time-based-copies-quota) in the *Amazon EBS User Guide*.
+ **Supported source-destination copies** – The location of the source AMI determines whether you can copy it and the allowed destinations for the new AMI:
  + If the source AMI is in a Region, you can copy it within that Region, to another Region, to an Outpost associated with that Region, or to a Local Zone in that Region.
  + If the source AMI is in a Local Zone, you can copy it within that Local Zone, to the parent Region of that Local Zone, or to certain other Local Zones with the same parent Region.
  + If the source AMI is on an Outpost, you can't copy it.
+ **CLI parameters for source and destination** – When using the CLI, the following parameters are supported for specifying the source location of the AMI to copy and the destination of the new AMI. Note that the copy operation must be initiated in the destination Region; if you omit the `--region` parameter, the destination assumes the default Region configured in your AWS CLI settings.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)

## Costs
<a name="copy-ami-costs"></a>

There is no charge for copying an AMI when no completion time is specified. However, additional charges apply for time-based AMI copy operations. For more information, see [Time-based copies](https://docs.aws.amazon.com/ebs/latest/userguide/time-based-copies.html#time-based-copies-pricing) in the *Amazon EBS User Guide*.

Standard storage and data transfer rates apply. If you copy an EBS-backed AMI, you will incur charges for the storage of any additional EBS snapshots.

# Grant permissions to copy Amazon EC2 AMIs
<a name="copy-ami-permissions"></a>

To copy an EBS-backed or Amazon S3-backed AMI, you need the following IAM permissions:
+ `ec2:CopyImage` – To copy the AMI. For EBS-backed AMIs, it also grants permission to copy the AMI's backing snapshots.
+ `ec2:CreateTags` – To tag the target AMI. For EBS-backed AMIs, it also grants permission to tag the target AMI’s backing snapshots.

If you're copying an instance store-backed AMI, you need the following *additional* IAM permissions:
+ `s3:CreateBucket` – To create the S3 bucket in the target Region for the new AMI
+ `s3:PutBucketOwnershipControls` – To enable ACLs for the newly created S3 bucket so that objects can be written with the `aws-exec-read` [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl)
+ `s3:GetBucketAcl` – To read the ACLs for the source bucket
+ `s3:ListAllMyBuckets` – To find an existing S3 bucket for AMIs in the target Region
+ `s3:GetObject` – To read the objects in the source bucket
+ `s3:PutObject` – To write the objects in the target bucket
+ `s3:PutObjectAcl` – To write the permissions for the new objects in the target bucket

**Note**  
Starting October 28, 2024, you can specify resource-level permissions for the `CopyImage` action on the source AMI. Resource-level permissions for the target AMI are available as before. For more information, see **CopyImage** in the table under [Actions defined by Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions) in the *Service Authorization Reference*.

## Example IAM policy for copying an EBS-backed AMI and tagging the target AMI and snapshots
<a name="permissions-to-copy-ebs-backed-ami"></a>

The following example policy grants you permission to copy any EBS-backed AMI and tag the target AMI and its backing snapshots.

**Note**  
Starting October 28, 2024, you can specify snapshots in the `Resource` element. For more information, see **CopyImage** in the table under [Actions defined by Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions) in the *Service Authorization Reference*.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PermissionToCopyAllImages",
        "Effect": "Allow",
        "Action": [
            "ec2:CopyImage",
            "ec2:CreateTags"
        ],
        "Resource": [
            "arn:aws:ec2:*::image/*",
            "arn:aws:ec2:*::snapshot/*"
        ]
    }]
}
```

------

## Example IAM policy for copying an EBS-backed AMI but denying tagging the new snapshots
<a name="permissions-to-copy-ebs-backed-ami-but-deny-tagging-new-snapshots"></a>

The `ec2:CopySnapshot` permission is automatically granted when you get the `ec2:CopyImage` permission. Permission to tag the new backing snapshots can be explicitly denied, overriding the `Allow` effect for the `ec2:CreateTags` action.

The following example policy grants you permission to copy any EBS-backed AMI, but denies you from tagging the new backing snapshots of the target AMI.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:CopyImage",
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*::snapshot/*"
        }
    ]
}
```

------
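How the explicit `Deny` described above overrides the `Allow`, as an added example that is not AWS code: a simplified evaluator (Action and Resource matching only; conditions, `NotAction`/`NotResource` and other policy types are ignored) run over this section's policy, embedded with the Region segment of every resource set to `*`. The sample ARNs and the `ineffective_denies` helper are constructed for illustration; the helper flags a `Deny` whose `Resource` pattern, for example one with an empty Region segment, matches none of the ARNs it is meant to cover.

```python
import fnmatch
import json

# Constructed copy of this section's policy; the Deny covers snapshots in every Region.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:CopyImage", "ec2:CreateTags"],
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*"]},
    {"Effect": "Deny",
     "Action": "ec2:CreateTags",
     "Resource": "arn:aws:ec2:*::snapshot/*"}
  ]
}
""")

# Constructed sample ARNs for a target AMI and one of its backing snapshots.
IMAGE_ARN = "arn:aws:ec2:us-east-1::image/ami-0abcdef1234567890"
SNAPSHOT_ARN = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """Compare an ARN to a Resource pattern one colon-delimited segment at a time."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _applies(stmt, action, resource_arn):
    return (any(action_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])))


def evaluate(policy, action, resource_arn):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _applies(stmt, action, resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny always wins over any Allow
        decision = "Allow"
    return decision


def ineffective_denies(policy, sample_arns):
    """List Deny Resource patterns that match none of the ARNs they should cover."""
    unmatched = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Deny":
            continue
        for pattern in _as_list(stmt["Resource"]):
            if not any(arn_matches(pattern, arn) for arn in sample_arns):
                unmatched.append(pattern)
    return unmatched


if __name__ == "__main__":
    for action, arn in [("ec2:CopyImage", IMAGE_ARN), ("ec2:CopyImage", SNAPSHOT_ARN),
                        ("ec2:CreateTags", IMAGE_ARN), ("ec2:CreateTags", SNAPSHOT_ARN)]:
        print(f"{action:15} {arn:60} {evaluate(POLICY, action, arn)}")
    print("Deny patterns matching no snapshot:", ineffective_denies(POLICY, [SNAPSHOT_ARN]))
```
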

## Example IAM policy for copying an Amazon S3-backed AMI and tagging the target AMI
<a name="permissions-to-copy-instance-store-backed-ami"></a>

The following example policy grants you permission to copy any Amazon S3-backed AMI in the specified source bucket to the specified Region, and tag the target AMI.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "PermissionToCopyAllImages",
            "Effect": "Allow",
            "Action": [
                "ec2:CopyImage",
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amis-for-111122223333-in-us-east-2-hash"
            ]
        }
    ]
}
```

------

To find the Amazon Resource Name (ARN) of the AMI source bucket, open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), in the navigation pane choose **AMIs**, and locate the bucket name in the **Source** column.

**Note**  
The `s3:CreateBucket` permission is only needed the first time that you copy an Amazon S3-backed AMI to an individual Region. After that, the Amazon S3 bucket that is already created in the Region is used to store all future AMIs that you copy to that Region.

## Copy an AMI
<a name="ami-copy-steps"></a>

You can copy an AMI that you own or an AMI that was shared with you from another account. For the supported source and destination combinations, see [Considerations](#copy-ami-considerations).

------
#### [ Console ]

**To copy an AMI**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the console navigation bar, select the Region that contains the AMI.

1. In the navigation pane, choose **AMIs** to display the list of AMIs available to you in the Region.

1. If you don't see the AMI you want to copy, choose a different filter. You can filter by AMIs **Owned by me**, **Private images**, **Public images**, and **Disabled images**.

1. Select the AMI to copy, and then choose **Actions**, **Copy AMI**.

1. On the **Copy Amazon Machine Image (AMI)** page, specify the following information:

   1. **AMI copy name**: A name for the new AMI. You can include the operating system information in the name because Amazon EC2 does not provide this information when displaying details about the AMI.

   1. **AMI copy description**: By default, the description includes information about the source AMI so that you can distinguish a copy from its original. You can change this description as needed.

   1. **Destination Region**: The Region in which to copy the AMI. For more information, see [Cross-Region copying](how-ami-copy-works.md#copy-amis-across-regions) and [Cross-account copying](how-ami-copy-works.md#copy-ami-across-accounts).

   1. **Copy tags**: Select this checkbox to include your user-defined AMI tags when copying the AMI. System tags (prefixed with `aws:`) and user-defined tags that are attached by other AWS accounts will not be copied.

   1. **Time-based copy**: You can specify whether the copy operation completes within a specific timeframe or on a best-effort basis, as follows:
      + To complete the copy within a specific timeframe:
        + Select **Enable time-based copy**.
        + For **Completion duration**, enter the number of minutes (in 15-minute increments) allowed for the copy operation. The completion duration applies to all snapshots associated with the AMI.

          For more information, see [Time-based copies](https://docs.aws.amazon.com/ebs/latest/userguide/time-based-copies.html) in the *Amazon EBS User Guide*.
      + To complete the copy on a best-effort basis:
        + Leave **Enable time-based copy** unselected.

   1. (EBS-backed AMIs only) **Encrypt EBS snapshots of AMI copy**: Select this checkbox to encrypt the target snapshots, or to re-encrypt them using a different key. If encryption by default is enabled, the **Encrypt EBS snapshots of AMI copy** checkbox is selected and cannot be cleared. For more information, see [Encryption and copying](how-ami-copy-works.md#ami-copy-encryption).

   1. (EBS-backed AMIs only) **KMS key**: The KMS key used to encrypt the target snapshots.

   1. **Tags**: You can tag the new AMI and the new snapshots with the same tags, or you can tag them with different tags.
      + To tag the new AMI and the new snapshots with the *same* tags, choose **Tag image and snapshots together**. The same tags are applied to the new AMI and every snapshot that is created.
      + To tag the new AMI and the new snapshots with *different* tags, choose **Tag image and snapshots separately**. Different tags are applied to the new AMI and the snapshots that are created. Note, however, that all the new snapshots that are created get the same tags; you can't tag each new snapshot with a different tag.

      To add a tag, choose **Add tag**, and enter the key and value for the tag. Repeat for each tag.

   1. When you're ready to copy the AMI, choose **Copy AMI**.

      The initial status of the new AMI is `Pending`. The AMI copy operation is complete when the status is `Available`.

------
#### [ AWS CLI ]

**To copy an AMI from one Region to another Region**  
Use the [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) command. You must specify both the source and destination Regions. You specify the source Region using the `--source-region` parameter. You can specify the destination Region using the `--region` parameter (or omit this parameter to assume the default Region configured in your AWS CLI settings).

```
aws ec2 copy-image \
    --source-image-id ami-0abcdef1234567890 \
    --source-region us-west-2 \
    --name my-ami \
    --region us-east-1
```

When you encrypt a target snapshot during AMI copy, you must specify these additional parameters: `--encrypted` and `--kms-key-id`.

**To copy an AMI from a Region to a Local Zone**  
Use the [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) command. You must specify both the source and destination. You specify the source Region using the `--source-region` parameter. You specify the destination Local Zone using the `--destination-availability-zone` parameter (you can use `--destination-availability-zone-id` instead). Note that you can only copy an AMI from a Region to a Local Zone within that same Region.

```
aws ec2 copy-image \
    --source-image-id ami-0abcdef1234567890 \
    --source-region cn-north-1 \
    --destination-availability-zone cn-north-1-pkx-1a \
    --name my-ami \
    --region cn-north-1
```

**To copy an AMI from a Local Zone to a Region**  
Use the [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) command. You must specify both the source and destination. You specify the source Region using the `--source-region` parameter. You specify the destination Region using the `--region` parameter (or omit this parameter to assume the default Region configured in your AWS CLI settings). The source Local Zone is assumed from the location of the specified source AMI ID. Note that you can only copy an AMI from a Local Zone to its parent Region.

```
aws ec2 copy-image \
    --source-image-id ami-0abcdef1234567890 \
    --source-region cn-north-1 \
    --name my-ami \
    --region cn-north-1
```

**To copy an AMI from one Local Zone to another Local Zone**  
Use the [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) command. You must specify both the source and destination. You specify the source Region of the Local Zone using the `--source-region` parameter. You specify the destination Local Zone using the `--destination-availability-zone` parameter (you can use `--destination-availability-zone-id` instead). The source Local Zone is assumed from the location of the specified source AMI ID. You specify the parent Region of the destination Local Zone using the `--region` parameter (or omit this parameter to assume the default Region configured in your AWS CLI settings).

```
aws ec2 copy-image \
    --source-image-id ami-0abcdef1234567890 \
    --source-region cn-north-1 \
    --destination-availability-zone cn-north-1-pkx-1a \
    --name my-ami \
    --region cn-north-1
```

------
#### [ PowerShell ]

**To copy an AMI from one Region to another Region**  
Use the [Copy-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Image.html) cmdlet. You must specify both the source and destination Regions. You specify the source Region using the `-SourceRegion` parameter. You can specify the destination Region using the `-Region` parameter or the [Set-AWSDefaultRegion](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-installing-specifying-region.html) cmdlet.

```
Copy-EC2Image `
    -SourceImageId ami-0abcdef1234567890 `
    -SourceRegion us-west-2 `
    -Name my-ami `
    -Region us-east-1
```

When you encrypt a target snapshot during AMI copy, you must specify these additional parameters: `-Encrypted` and `-KmsKeyId`.

**To copy an AMI from a Region to a Local Zone**  
Use the [Copy-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Image.html) cmdlet. You must specify both the source and destination. You specify the source Region using the `-SourceRegion` parameter. You specify the destination Local Zone using the `-DestinationAvailabilityZone` parameter (you can use `-DestinationAvailabilityZoneId` instead). Note that you can only copy an AMI from a Region to a Local Zone within that same Region.

```
Copy-EC2Image `
    -SourceImageId ami-0abcdef1234567890 `
    -SourceRegion cn-north-1 `
    -DestinationAvailabilityZone cn-north-1-pkx-1a `
    -Name my-ami `
    -Region cn-north-1
```

**To copy an AMI from a Local Zone to a Region**  
Use the [Copy-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Image.html) cmdlet. You must specify both the source and destination. You specify the source Region using the `-SourceRegion` parameter. You specify the destination Region using the `-Region` parameter or the [Set-AWSDefaultRegion](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-installing-specifying-region.html) cmdlet. The source Local Zone is assumed from the location of the specified source AMI ID. Note that you can only copy an AMI from a Local Zone to its parent Region.

```
Copy-EC2Image `
    -SourceImageId ami-0abcdef1234567890 `
    -SourceRegion cn-north-1 `
    -Name my-ami `
    -Region cn-north-1
```

**To copy an AMI from one Local Zone to another Local Zone**  
Use the [Copy-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Copy-EC2Image.html) cmdlet. You must specify both the source and destination. You specify the source Region of the Local Zone using the `-SourceRegion` parameter. You specify the destination Local Zone using the `-DestinationAvailabilityZone` parameter (you can use `-DestinationAvailabilityZoneId` instead). The source Local Zone is assumed from the location of the specified source AMI ID. You specify the parent Region of the destination Local Zone using the `-Region` parameter or the [Set-AWSDefaultRegion](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-installing-specifying-region.html) cmdlet.

```
Copy-EC2Image `
    -SourceImageId ami-0abcdef1234567890 `
    -SourceRegion cn-north-1 `
    -DestinationAvailabilityZone cn-north-1-pkx-1a `
    -Name my-ami `
    -Region cn-north-1
```

------

## Stop a pending AMI copy operation
<a name="ami-copy-stop"></a>

You can stop a pending AMI copy using the following procedures.

------
#### [ Console ]

**To stop an AMI copy operation**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the navigation bar, select the destination Region from the Region selector.

1. In the navigation pane, choose **AMIs**.

1. Select the AMI to stop copying, and then choose **Actions**, **Deregister AMI**.

1. When asked for confirmation, choose **Deregister AMI**.

------
#### [ AWS CLI ]

**To stop an AMI copy operation**  
Use the [deregister-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/deregister-image.html) command.

```
aws ec2 deregister-image --image-id ami-0abcdef1234567890
```

------
#### [ PowerShell ]

**To stop an AMI copy operation**  
Use the [Unregister-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Unregister-EC2Image.html) cmdlet.

```
Unregister-EC2Image -ImageId ami-0abcdef1234567890
```

------

# How Amazon EC2 AMI copy works
<a name="how-ami-copy-works"></a>

Copying a source AMI results in an identical but distinct new AMI that we also refer to as the *target* AMI. The target AMI has its own unique AMI ID. You can change or deregister the source AMI with no effect on the target AMI. The reverse is also true.

With an EBS-backed AMI, each of its backing snapshots is copied to an identical but distinct target snapshot. If you copy an AMI to a new Region, the snapshots are complete (non-incremental) copies. If you encrypt unencrypted backing snapshots or encrypt them to a new KMS key, the snapshots are complete (non-incremental) copies. Subsequent copy operations of an AMI result in incremental copies of the backing snapshots.

**Topics**
+ [Cross-Region copying](#copy-amis-across-regions)
+ [Cross-account copying](#copy-ami-across-accounts)
+ [Time-based AMI copy operations](#ami-time-based)
+ [Encryption and copying](#ami-copy-encryption)

## Cross-Region copying
<a name="copy-amis-across-regions"></a>

Copying an AMI across geographically diverse Regions provides the following benefits:
+ Consistent global deployment: Copying an AMI from one Region to another enables you to launch consistent instances in different Regions based on the same AMI.
+ Scalability: You can more easily design and build global applications that meet the needs of your users, regardless of their location.
+ Performance: You can increase performance by distributing your application, as well as locating critical components of your application in closer proximity to your users. You can also take advantage of Region-specific features, such as instance types or other AWS services.
+ High availability: You can design and deploy applications across AWS Regions, to increase availability.

The following diagram shows the relationship between a source AMI and two copied AMIs in different Regions, as well as the EC2 instances launched from each. When you launch an instance from an AMI, it resides in the same Region where the AMI resides. If you make changes to the source AMI and want those changes to be reflected in the AMIs in the target Regions, you must recopy the source AMI to the target Regions.

![\[AMIs copied in different Regions\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/ami_copy.png)


When you first copy an Amazon S3-backed AMI to a Region, we create an Amazon S3 bucket for the AMIs copied to that Region. All Amazon S3-backed AMIs that you copy to that Region are stored in this bucket. The bucket names have the following format: amis-for-*account*-in-*region*-*hash*. For example: `amis-for-123456789012-in-us-east-2-yhjmxvp6`.

**Prerequisite**  
Prior to copying an AMI, you must ensure that the contents of the source AMI are updated to support running in a different Region. For example, you should update any database connection strings or similar application configuration data to point to the appropriate resources. Otherwise, instances launched from the new AMI in the destination Region might still use the resources from the source Region, which can impact performance and cost.

**Limitations**
+ Destination Regions are limited to 300 concurrent AMI copy operations. This also applies to time-based AMI copy operations.
+ You can't copy a paravirtual (PV) AMI to a Region that does not support PV AMIs. For more information, see [Virtualization types](ComponentsAMIs.md#virtualization_types).

## Cross-account copying
<a name="copy-ami-across-accounts"></a>

If an AMI from another AWS account is [shared with your AWS account](sharingamis-explicit.md), you can copy the shared AMI. This is known as cross-account copying. The AMI that is shared with you is the source AMI. When you copy the source AMI, you create a new AMI. The new AMI is often referred to as the target AMI.

**AMI costs**
+ For a shared AMI, the account of the shared AMI is charged for the storage in the Region.
+ If you copy an AMI that is shared with your account, you are the owner of the target AMI in your account.
  + The owner of the source AMI is charged standard Amazon EBS or Amazon S3 transfer fees.
  + You are charged for the storage of the target AMI in the destination Region.

**Resource permissions**  
To copy an AMI that was shared with you from another account, the owner of the source AMI must grant you read permissions for the storage that backs the AMI, not just for the AMI itself. The storage is either the associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an Amazon S3-backed AMI). If the shared AMI has encrypted snapshots, the owner must share the key or keys with you. For more information about granting resource permissions, for EBS snapshots, see [Share an Amazon EBS snapshot with other AWS accounts](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) in the *Amazon EBS User Guide*, and for S3 buckets, see [Identity and access management for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam.html) in the *Amazon S3 User Guide*.

**Note**  
Tags that are attached to the source AMI are not copied across accounts to the target AMI.

## Time-based AMI copy operations
<a name="ami-time-based"></a>

When you initiate a time-based AMI copy operation for an EBS-backed AMI with a single associated snapshot, it behaves in the same way as an **individual time-based snapshot copy operation**, and the same throughput limitations apply.

When you initiate a time-based AMI copy operation for an EBS-backed AMI with multiple associated snapshots, it behaves in the same way as **concurrent time-based snapshot copy operations**, and the same throughput limitations apply. Each associated snapshot results in a separate snapshot copy request, each of which contributes to your cumulative snapshot copy throughput quota. The completion duration that you specify applies to each associated snapshot.

For more information, see [Time-based copies](https://docs.aws.amazon.com/ebs/latest/userguide/time-based-copies.html) in the *Amazon EBS User Guide*.

## Encryption and copying
<a name="ami-copy-encryption"></a>

The following table shows encryption support for various AMI-copying scenarios. While it is possible to copy an unencrypted snapshot to yield an encrypted snapshot, you cannot copy an encrypted snapshot to yield an unencrypted one.


| Scenario | Description | Supported | 
| --- | --- | --- | 
| 1 | Unencrypted to unencrypted | Yes | 
| 2 | Encrypted to encrypted | Yes | 
| 3 | Unencrypted to encrypted | Yes | 
| 4 | Encrypted to unencrypted | No | 

**Note**  
Encrypting during the `CopyImage` action applies only to Amazon EBS-backed AMIs. Because an Amazon S3-backed AMI does not use snapshots, you can't use copying to change its encryption status.

When you copy an AMI without specifying encryption parameters, the backing snapshot is copied with its original encryption status by default. Therefore, if the source AMI is backed by an unencrypted snapshot, the resulting target snapshot will also be unencrypted. Similarly, if the source AMI's snapshot is encrypted, the resulting target snapshot will also be encrypted by the same AWS KMS key. For AMIs backed by multiple snapshots, each target snapshot preserves the encryption state of its corresponding source snapshot.

To change the encryption state of the target backing snapshots during an AMI copy, you can specify encryption parameters. The following example shows a non-default case, where encryption parameters are specified with the `CopyImage` action to change the target AMI's encryption state.

**Copy an unencrypted source AMI to an encrypted target AMI**

In this scenario, an AMI backed by an unencrypted root snapshot is copied to an AMI with an encrypted root snapshot. The `CopyImage` action is invoked with two encryption parameters, including a customer managed key. As a result, the encryption status of the root snapshot changes, so that the target AMI is backed by a root snapshot containing the same data as the source snapshot, but encrypted using the specified key. You incur storage costs for the snapshots in both AMIs, as well as charges for any instances you launch from either AMI.

**Note**  
Enabling encryption by default has the same effect as setting the `Encrypted` parameter to `true` for all snapshots in the AMI.

![\[Copy AMI and encrypt snapshot on the fly\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/ami-to-ami-convert.png)


Setting the `Encrypted` parameter encrypts the single snapshot for this instance. If you do not specify the `KmsKeyId` parameter, the default customer managed key is used to encrypt the snapshot copy.

For more information about copying AMIs with encrypted snapshots, see [Use encryption with EBS-backed AMIs](AMIEncryption.md).
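Because a copy made without encryption parameters preserves each snapshot's original encryption state, it is worth checking the target AMI once it is `Available`. The following added example (not AWS code) audits the backing snapshots of a copied AMI against the KMS key you expected; the `describe-images` and `describe-snapshots` output is constructed and trimmed, and the key ARNs are placeholders.

```python
import json

# Constructed sample: trimmed `aws ec2 describe-images` output for the target AMI.
IMAGES_JSON = """
{"Images": [{
  "ImageId": "ami-0abcdef1234567890",
  "RootDeviceType": "ebs",
  "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1"}},
    {"DeviceName": "/dev/sdf",  "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2"}},
    {"DeviceName": "/dev/sdg",  "Ebs": {"SnapshotId": "snap-0ccccccccccccccc3"}},
    {"DeviceName": "/dev/sdh",  "VirtualName": "ephemeral0"}
  ]}]}
"""

# Constructed sample: trimmed `aws ec2 describe-snapshots` output for those snapshots.
SNAPSHOTS_JSON = """
{"Snapshots": [
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-EXPECTED-KEY"},
  {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2", "Encrypted": false},
  {"SnapshotId": "snap-0ccccccccccccccc3", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"}
]}
"""

# Placeholder ARN of the key that should protect every target snapshot.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-EXPECTED-KEY"


def audit_copied_ami(image, snapshots, expected_key_arn):
    """Return (device, snapshot_id, finding) for each backing snapshot that is
    not encrypted with expected_key_arn."""
    if image.get("RootDeviceType") != "ebs":
        # Amazon S3-backed AMIs have no snapshots; copying cannot change their encryption.
        return [(None, None, "not-ebs-backed")]
    by_id = {snap["SnapshotId"]: snap for snap in snapshots}
    findings = []
    for mapping in image.get("BlockDeviceMappings", []):
        snap_id = mapping.get("Ebs", {}).get("SnapshotId")
        if snap_id is None:
            continue  # instance store volume or empty EBS volume: nothing was copied
        snap = by_id.get(snap_id)
        if snap is None:
            finding = "snapshot-not-described"
        elif not snap.get("Encrypted", False):
            # Unencrypted source snapshot copied without --encrypted.
            finding = "unencrypted"
        elif snap.get("KmsKeyId") != expected_key_arn:
            # Encrypted source snapshot copied without --kms-key-id keeps its key.
            finding = "unexpected-kms-key"
        else:
            continue
        findings.append((mapping["DeviceName"], snap_id, finding))
    return findings


def run_sample():
    """Audit the constructed sample output above."""
    image = json.loads(IMAGES_JSON)["Images"][0]
    snapshots = json.loads(SNAPSHOTS_JSON)["Snapshots"]
    return audit_copied_ami(image, snapshots, EXPECTED_KEY)


if __name__ == "__main__":
    for device, snap_id, finding in run_sample():
        print(f"{device}\t{snap_id}\t{finding}")
```
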