
Free Tool to Copy AMIs to AWS GovCloud

Rajeev Thakur
September 12, 2022

Copying AMIs between two AWS partitions can be time-consuming and error-prone. Most of the work we do begins in the AWS Commercial partition and then gets ported over to AWS GovCloud for our US government clients. We love providing AMI services to our gov clients, but the out-of-the-box tooling took hours and slowed us down.

So, we built our own tool. It’s fast and reliable, plugs into your existing automation pipelines, and is freely available on GitHub. All you need is:

  • A configuration file
  • Some temporary storage
  • AWS accounts in each partition (and their secret keys)
  • Our shell script

With RapidFort’s GovCloud AMI tool, it takes only a few minutes to migrate an AMI, there’s no public exposure of S3 buckets, and it’s entirely script-based. The tool runs with your own AWS secrets, so you retain control of your security, and you can even use ephemeral accounts that exist only for the duration of the AMI transfer.

Using RapidFort’s GovCloud AMI Tool

Our GovCloud AMI migration tool is simple, secure, fast, and easy to integrate. The configuration file is very straightforward and looks like this:

# AWS partition commercial
AWS_REGION_COMMERCIAL=<UPDATE_BEFORE_USING>
AWS_ACCESS_KEY_ID_COMMERCIAL=<UPDATE_BEFORE_USING>
AWS_SECRET_ACCESS_KEY_COMMERCIAL=<UPDATE_BEFORE_USING>
S3_BUCKET_COMMERCIAL=<UPDATE_BEFORE_USING>

# AWS partition gov
AWS_REGION_GOV=<UPDATE_BEFORE_USING>
AWS_ACCESS_KEY_ID_GOV=<UPDATE_BEFORE_USING>
AWS_SECRET_ACCESS_KEY_GOV=<UPDATE_BEFORE_USING>
S3_BUCKET_GOV=<UPDATE_BEFORE_USING>

Credentials for AWS Commercial and AWS GovCloud can be dynamically updated via automation or stored locally in a secure location. (Just don’t check this file into your code repository with all the secrets pasted in!)
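
One way to validate this config file before handing it to ami-cp.sh, as an added example that is not code from the RapidFort repository: it checks the file mode, leftover placeholders, the region of each partition, and whether git tracks the file. The function names check_ami_cp_config, cfg_get and write_sample_config are hypothetical, and the sample values are constructed.

```bash
# Added example: pre-flight check for the config file shown above.
# Function names and checks are assumptions, not part of RapidFort's ami-cp.sh.
KEYS="AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY S3_BUCKET"

# Read KEY=value without sourcing the file (sourcing would execute its contents).
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

check_ami_cp_config() {
  local f="$1" rc=0 mode key part val
  [ -f "$f" ] || { echo "missing config: $f" >&2; return 2; }
  # The secrets file must not be accessible to group or others (600 or 400).
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "mode $mode is too open; chmod 600 $f" >&2; rc=1 ;;
  esac
  # Every key must be set for both partitions, with the placeholder replaced.
  for part in COMMERCIAL GOV; do
    for key in $KEYS; do
      val=$(cfg_get "$f" "${key}_${part}")
      case "$val" in
        ""|*UPDATE_BEFORE_USING*) echo "${key}_${part} is not set" >&2; rc=1 ;;
      esac
    done
  done
  # GovCloud regions are us-gov-*; a swapped or mistyped region fails here.
  case "$(cfg_get "$f" AWS_REGION_GOV)" in
    us-gov-*) ;;
    *) echo "AWS_REGION_GOV is not a GovCloud region" >&2; rc=1 ;;
  esac
  case "$(cfg_get "$f" AWS_REGION_COMMERCIAL)" in
    us-gov-*) echo "AWS_REGION_COMMERCIAL is a GovCloud region" >&2; rc=1 ;;
  esac
  # A config that git already tracks has its secrets in history: fail.
  if command -v git >/dev/null 2>&1 &&
     git -C "$(dirname "$f")" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
    echo "$f is tracked by git; untrack it and rotate the keys" >&2; rc=1
  fi
  return $rc
}

# Writes a constructed config (fake values) with mode 600: <path> <gov-region>
write_sample_config() {
  ( umask 077; : > "$1" )
  printf '%s\n' "AWS_REGION_COMMERCIAL=us-east-1" "AWS_ACCESS_KEY_ID_COMMERCIAL=EXAMPLEKEYID" \
    "AWS_SECRET_ACCESS_KEY_COMMERCIAL=not-a-real-secret" "S3_BUCKET_COMMERCIAL=example-staging" \
    "AWS_REGION_GOV=$2" "AWS_ACCESS_KEY_ID_GOV=EXAMPLEKEYID" \
    "AWS_SECRET_ACCESS_KEY_GOV=not-a-real-secret" "S3_BUCKET_GOV=example-staging-gov" > "$1"
}
```

Run check_ami_cp_config on your config path in the pipeline step before ./ami-cp.sh import_ami, and stop the job on a non-zero exit.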

The file ami-cp.sh does all the work. You can look at the import_ami() function yourself, but at a high level here’s what we do:

  • Duplicate the AMI in your AWS commercial S3 bucket
  • Fetch the duplicated AMI
  • Copy it to your AWS GovCloud S3 bucket
  • Launch the AMI as an EC2 instance

Here’s a diagram that shows how our tool works:

The best part? It completes in just a few minutes.

Here’s the basic usage:

./ami-cp.sh import_ami ami-0123456789abcdef my-cool-ami

Download the code on GitHub here: 

https://github.com/rapidfort/ami-copy-across-aws-partitions

Start Copying AMIs Today

We’d love to get your feedback on the tool and we’d be happy to take your pull requests. If you find this tool to be useful, we’d love it if you shared it with the broader DevOps community.

We have a lot of small tools like this to make our everyday lives easier. Please follow the RapidFort blog and stay tuned for more tools in the near future. And while you’re here, we encourage you to learn more about how RapidFort can minimize the software attack surface of your container infrastructure.
