How to transfer an Amazon Lightsail instance to another AWS account

IggyBlob
5 min readMar 26, 2023

--

Photo by Chris Briggs on Unsplash

Amazon Lightsail is a beginner-friendly virtual private server (VPS) service from Amazon Web Services (AWS) that makes it easy to launch and manage a VPS instance without requiring extensive technical knowledge. What’s not so easy anymore is transferring your existing Lightsail instance to another AWS account. Amazon doesn’t let you do that directly out of Lightsail, and requires you to take a detour via EC2. But don’t you worry, this guide has you covered.

Prerequisites

This tutorial assumes that you have access to two separate AWS accounts: a source account, which houses the Lightsail instance, and a target account, to which we are going to transfer the instance. The examples below use the fictitious IDs 111122223334 and 444455556666 for the source and target accounts, respectively.

Step 1: Take a snapshot and export it to EC2

In the source account, go to Lightsail Console, open the instance you want to transfer, and find the Snapshots tab. If you haven’t yet created a snapshot of your instance or want to create a more recent one, do so using the Create snapshot button. Once the snapshot is ready, locate it in the list and click the Export to Amazon EC2 button of the more menu. This will create an Amazon Machine Image (AMI) from the snapshot, which can then be used to spin up new EC2 instances.

Step 2: Locate the exported AMI

You can keep track of the exporting process via the Lightsail Task Monitor (two cogwheels located at the top of the page). Once finished, click the Open the Amazon EC2 console link. This takes you directly to the AMI overview in EC2 where you can inspect the created image.

What we want to do now is share the AMI with our target account such that we can spin up a copy of our Lightsail instance there. There are a few intermediate steps before we can do so that may not seem intuitive, so read on for an explanation or skip ahead to Step 3 if you just want to get it done.

You see, the data of your Lightsail instance is stored on an Elastic Block Storage (EBS). A Lightsail snapshot also includes an encrypted EBS snapshot, which is attached to the AMI when exported to EC2. By default, the EBS snapshot is encrypted with an AWS-managed key, and AWS prohibits us from sharing an AMI that has such an AWS-encrypted EBS attached.

Step 3: Create a customer-managed key

Open the Key Management Service (KMS) Console and select Customer-managed keys. Click Create key and follow the wizard. Keep the defaults (Key type: Symmetric, Key usage: Encrypt and decrypt) and specify an alias. Select your user as Key administrator and Key user. Most importantly, click on Add another AWS account and add your target account ID. This enables the target account to decrypt the image data later on.

Review the key and click Finish.

Step 4: Copy the exported AMI

Head back over to the AMI overview in EC2. Select the exported Lightsail image, expand the Actions, and click Copy AMI.

In the wizard, specify a name for the copy and check Encrypt EBS snapshots of AMI copy. Select the customer-managed key created in Step 3 as KMS key.

Click Copy AMI.

Step 5: Share the copied AMI with the target account

Back in the AMI overview, you should see a new entry for the copied image. Wait until its status changes from Pending to Available, then select it. In the permissions tab at the bottom, find the Shared accounts section and click Add account ID.

In the popup window, add your target account ID. Click Share AMI and then Save changes.

Step 6: Some IAM permissions

Now it’s finally time to head over to your target account.

Your target account user with whom you will create the new instance still lacks permission to decrypt the shared image with the customer-managed key of the source account.

So, in the target account, open the IAM console, choose Policies, and then click Create policy. Switch to the JSON tab and paste in the following policy. Make sure to specify the ARN of your customer-managed key created in Step 3 for Resource (yes, the ARN should reference the source account!).

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"
],
"Resource": "<customer-manged key ARN from source account>"
}
]
}

Review the policy, enter a meaningful name, and click Create policy. Select the created policy, open the Policy usage tab, and choose Attach. Select your user and then click Attach policy.

Step 7: Launch the instance in the target account

In the target account, open the AMI overview in the EC2 console. Switch to Private images on the top of the page; you should see the shared AMI from the source account. Select it and click Launch instance from AMI.

In the launch wizard, choose an instance type that best fits the original Lightsail configuration and select an existing key pair or create a new one. It does not matter what key pair you select here since the instance will use the same login configuration as the original Lightsail instance.

Under Network settings, you probably want to enable SSH access and HTTP(S) traffic if your instance hosts a public web server. Alternatively, select an already-existing security group.

Once you’re done configuring, click Launch instance.

After your instance reached Running state, locate its public IP address or IPv4 DNS in the Instances overview. To connect via SSH, retrieve the private key and user name from the Lightsail console of the source account.

--

--