Windows – AWS Encrypted EBS Boot Volumes for Windows Instances

Tags: amazon-ec2, amazon-ebs, amazon-web-services, windows

Is it possible to create an encrypted ebs boot volume for a windows ec2 instance?

This AWS example shows how to copy an unencrypted boot volume, creating an encrypted boot volume: aws ec2 copy-image --source-region us-east-1 --source-image-id ami-60b6c60a --encrypted --kms-key-id arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef

However, when I try this with the Microsoft Windows Server 2012 R2 Base – ami-c8a9baa2 as the source using aws ec2 copy-image --source-region us-east-1 --source-image-id ami-c8a9baa2 --name 'W12R2_Base_encrypted' --description 'Microsoft Windows Server 2012 R2 Base - ami-c8a9baa2 (encrypted)' --encrypted, I get the error: "A client error (InvalidRequest) occurred when calling the CopyImage operation: Images with EC2 BillingProduct codes cannot be copied to another AWS account."

Best Answer

It is now possible to do this (as of May 2019). You do not need to copy an AMI. Instead you can launch an instance with encrypted volumes (boot/ephemeral/ebs) directly from an unencrypted marketplace AMI.

I have not tried to do this with the CLI or programmatically, but it works from the EC2 console using the latest Windows Server image (Windows_Server-2019-English-Full-Base-2019.08.16).

The "extra steps" that detail creating/copying your own private AMI have been removed from their latest documentation. I could not find any more information on it other than this blog post.

Launch Encrypted EBS Backed EC2 Instances from Unencrypted AMIs
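As an added example (not from the original post or from AWS) of the launch-time approach the answer describes, here is how the same request looks programmatically: build the parameters for boto3's run_instances so the root EBS mapping asks for Encrypted=True with a customer-managed KMS key, then confirm from describe_volumes output that every volume attached to the new instance really came up encrypted. The AMI id, KMS key ARN, instance id and the describe_volumes sample are constructed placeholders; the root device name /dev/sda1 is assumed and should be checked against the AMI's RootDeviceName.

```python
# Added example: encrypt the root volume at launch instead of copying the AMI.
ROOT_DEVICE = "/dev/sda1"  # assumption for AWS Windows AMIs; verify via describe-images


def run_instances_params(ami_id, kms_key_arn, instance_type="t3.medium", subnet_id=None):
    """Build kwargs for boto3 ec2.run_instances(): the root EBS mapping requests
    Encrypted=True with a customer-managed key, so no encrypted AMI copy is needed."""
    params = {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
        "BlockDeviceMappings": [{
            "DeviceName": ROOT_DEVICE,
            "Ebs": {"Encrypted": True, "KmsKeyId": kms_key_arn,
                    "DeleteOnTermination": True, "VolumeType": "gp3"},
        }],
    }
    if subnet_id:
        params["SubnetId"] = subnet_id
    return params


def unencrypted_volumes(describe_volumes_response, instance_id):
    """Return ids of volumes attached to instance_id that are NOT encrypted.
    Feed it the dict from ec2.describe_volumes(Filters=[{'Name':
    'attachment.instance-id', 'Values': [instance_id]}]); an empty list means
    the launch honoured the encryption request for every attached volume."""
    bad = []
    for vol in describe_volumes_response.get("Volumes", []):
        attached = any(a.get("InstanceId") == instance_id for a in vol.get("Attachments", []))
        if attached and not vol.get("Encrypted", False):
            bad.append(vol["VolumeId"])
    return bad


# Constructed sample of a describe_volumes response: the root volume is
# encrypted, a second data volume was added later without encryption.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0123", "Device": "xvdf"}]},
]}
```

With the AWS CLI the same mapping is passed as JSON to run-instances --block-device-mappings; whichever way the instance is launched, run the describe_volumes check afterwards rather than trusting the request.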