
Sharing Encrypted AMIs Across AWS Accounts

The steps I follow to share KMS-encrypted AMIs between accounts - and the error that trips everyone up.


I tried to share an encrypted AMI with another AWS account and hit this error:

"Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot."

AWS-managed KMS keys can't be shared across accounts. You need a customer-managed key.

The Process

1. Create a customer-managed KMS key:

In the source account, create a new KMS key. Its key policy must grant the target account decrypt permissions, so add a statement like this one (alongside the default statement that lets the source account administer the key):

{
  "Sid": "Allow target account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::TARGET_ACCOUNT_ID:root"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

2. Copy the AMI with the new key:

In the EC2 console: select the AMI → Actions → Copy AMI.

Keep the same region, but change the encryption key to your new customer-managed key. This creates a new AMI you can share.

3. Share the AMI:

Select the new AMI → Actions → Edit AMI permissions → add the target account ID.

4. Copy to target account:

In the target account, find the shared AMI under "Private images." Copy it to your account. During the copy, you can re-encrypt with a key owned by the target account.

Re-encrypting removes the dependency on the source account's KMS key. I recommend this for production.

Why Re-encrypt?

If you launch instances from a shared AMI without re-encrypting, those instances depend on the source account's KMS key. If that key is deleted or permissions are revoked, you can't start new instances from that AMI.

Copying and re-encrypting with your own key eliminates this dependency.
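As an added example (not code from the original post), the script below covers the four steps and the "Why re-encrypt?" point in one place: it builds the step 1 key policy programmatically, and it classifies each snapshot behind an AMI before you click Copy AMI, telling you whether it sits on the AWS-managed EBS key (the error quoted above), on a customer-managed key you own, or on another account's key (the dependency the post warns about). The record shapes follow `aws ec2 describe-snapshots` and `aws kms list-aliases`; the account IDs, key IDs and snapshot IDs at the bottom are constructed so it runs offline, and the two KMS actions in the policy are the ones the post quotes.

```python
"""Pre-flight checks for sharing a KMS-encrypted AMI across accounts.

Added example, not code from the original post. Input shapes follow
`aws ec2 describe-snapshots` and `aws kms list-aliases`; the records at
the bottom are constructed so the script runs offline.
"""
import json

AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"  # the "AWS Managed CMK" for EBS volumes


def account_from_key_arn(key_arn):
    """Account ID embedded in arn:aws:kms:REGION:ACCOUNT:key/ID."""
    parts = key_arn.split(":")
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[4]


def key_id_from_arn(key_arn):
    """Bare key ID, the form list-aliases reports in TargetKeyId."""
    return key_arn.rsplit("/", 1)[-1]


def aws_managed_key_ids(aliases, alias_name=AWS_MANAGED_EBS_ALIAS):
    """Key IDs carrying the AWS-managed EBS alias, from list-aliases output."""
    return {a["TargetKeyId"] for a in aliases if a.get("AliasName") == alias_name}


def classify_snapshot(snapshot, own_account, managed_ids):
    """Return (status, next_step) for one describe-snapshots record."""
    if not snapshot.get("Encrypted"):
        return "unencrypted", "shareable as-is; not covered by this post"
    key_arn = snapshot["KmsKeyId"]
    if key_id_from_arn(key_arn) in managed_ids:
        return "aws-managed", "cannot be shared: copy the AMI with a customer-managed key (step 2)"
    if account_from_key_arn(key_arn) != own_account:
        return "foreign-key", "depends on another account's key: copy and re-encrypt locally (step 4)"
    return "customer-managed", "shareable once the key policy grants the target account (step 1)"


def audit_snapshots(snapshots, own_account, managed_ids):
    """Classify every snapshot behind an AMI; returns [(snapshot_id, status, next_step)]."""
    return [(s["SnapshotId"], *classify_snapshot(s, own_account, managed_ids)) for s in snapshots]


def build_key_policy(source_account, target_account):
    """Key policy for step 1: the source account administers the key and the
    target account gets the decrypt permissions quoted in the post."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # without this statement the source account locks itself out of its own key
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow target account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{target_account}:root"},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
            },
        ],
    }


# --- constructed sample data (not real accounts, keys or snapshots) ---
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "1111aaaa-0000-4000-8000-000000000001"},
    {"AliasName": "alias/ami-sharing", "TargetKeyId": "2222bbbb-0000-4000-8000-000000000002"},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": True,
     "KmsKeyId": f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/1111aaaa-0000-4000-8000-000000000001"},
    {"SnapshotId": "snap-0bbb", "Encrypted": True,
     "KmsKeyId": f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/2222bbbb-0000-4000-8000-000000000002"},
    {"SnapshotId": "snap-0ccc", "Encrypted": True,
     "KmsKeyId": f"arn:aws:kms:us-east-1:{TARGET_ACCOUNT}:key/3333cccc-0000-4000-8000-000000000003"},
    {"SnapshotId": "snap-0ddd", "Encrypted": False},
]

if __name__ == "__main__":
    managed = aws_managed_key_ids(SAMPLE_ALIASES)
    for snap_id, status, step in audit_snapshots(SAMPLE_SNAPSHOTS, SOURCE_ACCOUNT, managed):
        print(f"{snap_id}: {status:16} {step}")
    print(json.dumps(build_key_policy(SOURCE_ACCOUNT, TARGET_ACCOUNT), indent=2))
```

On a real account, the snapshot IDs come from the AMI's block device mappings (`aws ec2 describe-images`), the snapshot records from `aws ec2 describe-snapshots`, and the alias list from `aws kms list-aliases`; steps 2 and 3 then map to `aws ec2 copy-image` with `--encrypted --kms-key-id` and `aws ec2 modify-image-attribute` with a launch permission for the target account. The policy keeps the two actions the post quotes; if the copy in the target account is denied, compare the statement against the KMS action list in AWS's current AMI-sharing documentation, which also names kms:CreateGrant and kms:ReEncrypt*.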

Key Takeaways

  • AWS-managed KMS keys cannot be shared across accounts
  • Create a customer-managed key with cross-account permissions in the key policy
  • Copy the AMI using the new key before sharing
  • In the target account, copy and re-encrypt with a locally owned key
  • Re-encrypting removes operational coupling between accounts

Written by Bar Tsveker

Senior CloudOps Engineer specializing in AWS, Terraform, and infrastructure automation.
