
Copy AMIs to AWS GovCloud Quickly and Easily

Copy AMIs into AWS GovCloud with RapidFort’s free, open source DevOps utility. Download it here and learn how it works.

Rajeev Thakur
May 25, 2022

Amazon Web Services customers are likely familiar with availability zones and regions, but it’s unlikely that they know about AWS partitions. Specifically, Amazon currently operates three partitions for their Web Services platform: AWS GovCloud, AWS China, and the standard AWS commercial offering we all know and love.

Each partition is physically and logically distinct with its own features, services, and networks. Partitions don’t interoperate and they each require completely separate accounts. Because of this total separation, anyone operating in multiple partitions has a very difficult time copying and migrating data and infrastructure between them.

For example, when we build a new feature in our commercial product and want to offer it to a US government client, we can’t simply or easily deploy it using standard AWS tools. There’s no decent point-and-click interface and the command line tools are sparse.

We were excited in 2021 when Amazon announced the ability to copy Amazon Machine Images (AMIs) across AWS partitions, but disappointed when we actually used the tool. Copying small AMIs from the commercial partition into GovCloud took several hours. Worse, Amazon’s tool provided no status updates and there was no way to see what was going on. All too often, we’d get an unhelpful failure message after several hours.

Nobody wants to wait four hours to see if something works. That’s a half day’s work, leaving at most two or three opportunities per day to copy an AMI. As a startup, we can’t move that slowly.

So, we built our own tool. It’s free and open source, available for anyone to use today, and is a significant improvement to Amazon’s tool in every possible respect. In this article, I want to walk you through how it works so you can save yourself the pain and frustration we’ve faced time and time again. But first, let me provide a little context.

What is AWS GovCloud?

AWS GovCloud addresses US government regulatory and compliance requirements for anyone running sensitive workloads in the cloud at the federal, state, or local level.

It meets a variety of compliance standards, is controlled exclusively by US citizens, and runs many of the same services as the AWS commercial cloud. More importantly, it allows GovCloud customers to adhere to Federal Risk and Authorization Management Program (FedRAMP) High, Department of Defense Security Requirements Guide (DoD SRG) Impact Level 5, and Criminal Justice Information Services (CJIS) standards.

You use AWS GovCloud just like you use the commercial cloud. The GovCloud AWS console is available to approved US-based entities. GovCloud has its own regions and availability zones, so you can deploy across the globe and serve US government customers, just like the commercial cloud.

When doing business with government agencies, many companies need to set up parallel infrastructure. Maintaining both is expensive and difficult because pipelines change. You must prove that your employees have legitimate and authorized access needs just to deploy and run that separate infrastructure. Typically, everything is built first in the commercial cloud and then packaged and shipped to GovCloud.

What’s Wrong with Amazon’s AMI Copy Tool?

Amazon provides an AMI copy tool that uses Amazon S3 buckets. It’s a simple approach, but a clunky tool. You copy your AMI into a publicly exposed S3 bucket and then restore it from that same bucket. The tool can also create archival copies of AMIs by storing them in S3.

You can read about the high-level methodology in Amazon’s documentation and find their GovCloud Import Tool on GitHub. Though the documentation is well done and everything looks easy to use, there are a few problems:

  1. It’s too complicated when you actually use it
  2. It’s not safe because you have to give public access to your S3 bucket
  3. It’s slow and takes hours instead of minutes
  4. It can’t be integrated with CI/CD automation

Perhaps in the future Amazon will provide a script-based utility that automates the process without publicly exposing AMIs, which today amounts to security through obscurity and raises SOC compliance issues. But right now, there’s a clear opportunity for improvement, which brings us to our tool.

RapidFort’s Simple, Fast, Secure AMI Copy Tool

RapidFort’s GovCloud AMI tool is simple, secure, fast, and plugs into your existing automation pipeline. It only takes a few minutes to migrate an AMI, there’s no public exposure of S3 buckets, and it is entirely script-based.

To achieve this, all you need is a simple configuration file and some temporary storage for uploading to GovCloud. Our tool uses your AWS secrets to retain your security and you can even use ephemeral accounts that exist only for the duration of the AMI transfer.

Our configuration file looks like this:

# AWS partition commercial
AWS_REGION_COMMERCIAL=<UPDATE_BEFORE_USING>
AWS_ACCESS_KEY_ID_COMMERCIAL=<UPDATE_BEFORE_USING>
AWS_SECRET_ACCESS_KEY_COMMERCIAL=<UPDATE_BEFORE_USING>
S3_BUCKET_COMMERCIAL=<UPDATE_BEFORE_USING>

# AWS partition gov
AWS_REGION_GOV=<UPDATE_BEFORE_USING>
AWS_ACCESS_KEY_ID_GOV=<UPDATE_BEFORE_USING>
AWS_SECRET_ACCESS_KEY_GOV=<UPDATE_BEFORE_USING>
S3_BUCKET_GOV=<UPDATE_BEFORE_USING>

It uses credentials for both the AWS commercial partition and the AWS GovCloud partition. These can easily be dynamically updated via automation or stored locally in a secure location. (Just don’t check this file into your code repository with all the secrets pasted in!)

The file ami-cp.sh does all the work. You can read the import_ami() function yourself, but at a high level here’s what we do:

  • Duplicate the AMI in your AWS commercial S3 bucket
  • Fetch the duplicated AMI
  • Copy it to your AWS GovCloud S3 bucket
  • Launch the AMI as an EC2 instance

Here’s a diagram that shows how our tool works:

The best part? It completes in just a few minutes.

Here’s the basic usage:

./ami-cp.sh import_ami ami-0123456789abcdef my-cool-ami
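As an added example (not RapidFort’s ami-cp.sh, which lives at the GitHub link below), here is how the four steps above map onto the AWS CLI store-and-restore commands while reading the post’s config format and keeping each partition’s credentials scoped to its own calls. It assumes AWS CLI v2; the config path ./ami-cp.conf and the helper names load_config and aws_as are my own.

```bash
#!/usr/bin/env bash
# Added example, not RapidFort's ami-cp.sh: the post's store/fetch/copy/restore flow (AWS CLI v2).
set -euo pipefail
PLACEHOLDER='<UPDATE_BEFORE_USING>'
REQUIRED_VARS="AWS_REGION_COMMERCIAL AWS_ACCESS_KEY_ID_COMMERCIAL AWS_SECRET_ACCESS_KEY_COMMERCIAL
S3_BUCKET_COMMERCIAL AWS_REGION_GOV AWS_ACCESS_KEY_ID_GOV AWS_SECRET_ACCESS_KEY_GOV S3_BUCKET_GOV"
# Read KEY=VALUE lines without sourcing the file (config is data, not code), then refuse
# to run if a value is missing, still the placeholder, or one key was pasted for both partitions.
load_config() {
  local k v
  while IFS='=' read -r k v; do
    case $k in ''|\#*) continue;; esac
    printf -v "$k" '%s' "$v"
  done < "$1"
  for v in $REQUIRED_VARS; do
    [ -n "${!v:-}" ] && [ "${!v}" != "$PLACEHOLDER" ] ||
      { echo "config error: $v is unset or still $PLACEHOLDER" >&2; return 1; }
  done
  [ "$AWS_ACCESS_KEY_ID_COMMERCIAL" != "$AWS_ACCESS_KEY_ID_GOV" ] ||
    { echo "config error: commercial and GovCloud access keys are identical" >&2; return 1; }
}
# aws_as COMMERCIAL|GOV <aws args...>: run the CLI with one partition's credentials only.
aws_as() {
  local p=$1; shift
  local r="AWS_REGION_$p" k="AWS_ACCESS_KEY_ID_$p" s="AWS_SECRET_ACCESS_KEY_$p"
  AWS_DEFAULT_REGION="${!r}" AWS_ACCESS_KEY_ID="${!k}" AWS_SECRET_ACCESS_KEY="${!s}" aws "$@"
}
# import_ami <ami-id> <name>: store the AMI as an object in the commercial bucket, relay it to
# the GovCloud bucket via local temp storage (neither bucket is made public), then restore it.
import_ami() {
  local ami=$1 name=$2 key state tmp
  key=$(aws_as COMMERCIAL ec2 create-store-image-task --image-id "$ami" \
          --bucket "$S3_BUCKET_COMMERCIAL" --query ObjectKey --output text)
  while :; do   # poll the store task; a CLI error aborts through set -e
    state=$(aws_as COMMERCIAL ec2 describe-store-image-tasks --image-ids "$ami" \
              --query 'StoreImageTaskResults[0].StoreTaskState' --output text)
    [ "$state" != Completed ] || break
    [ "$state" != Failed ] || { echo "store task failed for $ami" >&2; return 1; }
    sleep 15
  done
  tmp=$(mktemp -d)
  aws_as COMMERCIAL s3 cp "s3://$S3_BUCKET_COMMERCIAL/$key" "$tmp/$key"
  aws_as GOV s3 cp "$tmp/$key" "s3://$S3_BUCKET_GOV/$key"
  rm -rf "$tmp"
  aws_as GOV ec2 create-restore-image-task --bucket "$S3_BUCKET_GOV" \
    --object-key "$key" --name "$name" --query ImageId --output text   # prints the new AMI ID
}
# Same usage as the post: ./ami-cp.sh import_ami <ami-id> <name>
case "${1:-}" in import_ami) load_config "${CONFIG:-./ami-cp.conf}"; import_ami "$2" "$3";; esac
```

Because the config is parsed rather than sourced, a file still containing the raw <UPDATE_BEFORE_USING> placeholders is rejected with a clear message instead of being executed as shell syntax.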

Download the code on GitHub here: https://github.com/rapidfort/plenum/tree/main/rapidfort/ami-copy-across-aws-partitions

Start Copying AMIs Today

We’d love to get your feedback on the tool and we’d be happy to take your pull requests. If you find this tool to be useful, we’d love it if you shared it with the broader DevOps community.

We have a lot of small tools like this to make our everyday lives easier. Please follow the RapidFort blog and stay tuned for more tools in the near future. And while you’re here, we encourage you to learn more about how RapidFort can minimize the software attack surface area of your container infrastructure.
