# Create an Amazon S3-backed AMI
The AMI that you specify when you launch your instance determines the type of root volume.
To create an Amazon S3-backed Linux AMI, start from an instance that you've launched from an existing Amazon S3-backed Linux AMI. After you've customized the instance to suit your needs, bundle the volume and register a new AMI, which you can use to launch new instances with these customizations.
You can't create an Amazon S3-backed Windows AMI because Windows AMIs don't support instance store for the root volume.
**Important**
Only the following instance types support an instance store volume as the root volume and require an Amazon S3-backed AMI: C1, C3, D2, I2, M1, M2, M3, R3, and X1.
The AMI creation process is different for Amazon EBS-backed AMIs. For more information, see [Create an Amazon EBS-backed AMI](creating-an-ami-ebs.md).
**Topics**
+ [Overview of AMI creation](#process-creating-an-ami-instance-store)
+ [Prerequisites](#bundle-ami-prerequisites)
+ [Create an AMI from an Amazon Linux instance](#amazon_linux_instructions)
+ [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md)
+ [Amazon EC2 AMI tools reference](ami-tools-commands.md)
+ [Convert your Amazon S3-backed AMI to an EBS-backed AMI](Using_ConvertingS3toEBS.md)
## Overview of AMI creation
The following diagram summarizes the process of creating an AMI from an instance with an instance store root volume.
![\[Creating an Amazon S3-backed AMI.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/ami_create_instance_store.png)
First, launch an instance from an AMI that's similar to the AMI that you'd like to create. You can connect to your instance and customize it. When the instance is set up the way you want it, you can bundle it. It takes several minutes for the bundling process to complete. After the process completes, you have a bundle, which consists of an image manifest (`image.manifest.xml`) and files (`image.part.`*xx*) that contain a template for the root volume. Next you upload the bundle to your Amazon S3 bucket and then register your AMI.
**Note**
To upload objects to an S3 bucket for your Amazon S3-backed Linux AMI, ACLs must be enabled for the bucket. Otherwise, Amazon EC2 will not be able to set ACLs on the objects to upload. If your destination bucket uses the bucket owner enforced setting for S3 Object Ownership, this won’t work because ACLs are disabled. For more information, see [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html).
When you launch an instance using the new AMI, we create the root volume for the instance using the bundle that you uploaded to Amazon S3. The storage space used by the bundle in Amazon S3 incurs charges to your account until you delete it. For more information, see [Deregister an Amazon EC2 AMI](deregister-ami.md).
If you add instance store volumes to your instance in addition to the root volume, the block device mapping for the new AMI contains information for these volumes, and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes. For more information, see [Block device mappings for volumes on Amazon EC2 instances](block-device-mapping-concepts.md).
## Prerequisites
Before you can create an AMI, you must complete the following tasks:
+ Install the AMI tools. For more information, see [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md).
+ Install the AWS CLI. For more information, see [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html).
+ Ensure that you have an S3 bucket for the bundle, and that your bucket has ACLs enabled. For more information on configuring ACLs, see [Configuring ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html).
+ To create an S3 bucket using the AWS Management Console, open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/) and choose **Create Bucket**.
+ To create an S3 bucket with the AWS CLI, you can use the [mb](https://docs.aws.amazon.com/cli/latest/reference/s3/mb.html) command. If your installed version of the AMI tools is 1.5.18 or later, you can also use the `ec2-upload-bundle` command to create the S3 bucket. For more information, see [ec2-upload-bundle](ami-tools-commands.md#ami-upload-bundle).
+ Ensure that the files in your bundle aren't encrypted in the S3 bucket. If you require encryption for your AMI, you can use an EBS-backed AMI instead. For more information, see [Use encryption with EBS-backed AMIs](AMIEncryption.md).
+ Ensure that you have your AWS account ID. For more information, see [View AWS account identifiers](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html) in the *AWS Account Management Reference Guide*.
+ Ensure that you have credentials to use the AWS CLI. For more information, see [Authentication and access credentials for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html) in the *AWS Command Line Interface User Guide*.
+ Ensure that you have an X.509 certificate and corresponding private key.
+ If you need to create an X.509 certificate, see [Manage signing certificates](set-up-ami-tools.md#ami-tools-managing-certs). The X.509 certificate and private key are used to encrypt and decrypt your AMI.
+ [China (Beijing)] Use the `$EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-cn-north-1.pem` certificate.
+ [AWS GovCloud (US-West)] Use the `$EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem` certificate.
+ Connect to your instance and customize it. For example, you can install software and applications, copy data, delete temporary files, and modify the Linux configuration.
## Create an AMI from an Amazon Linux instance
The following procedures describe how to create an AMI from an instance with an instance store root volume running Amazon Linux 1. They might not work for instances running other Linux distributions.
**To prepare to use the AMI tools (HVM instances only)**
1. The AMI tools require GRUB Legacy to boot properly. Use the following command to install GRUB:
```
[ec2-user ~]$ sudo yum install -y grub
```
1. Install the partition management packages with the following command:
```
[ec2-user ~]$ sudo yum install -y gdisk kpartx parted
```
**To create an AMI from an Amazon Linux instance with an instance store root volume**
This procedure assumes that you have satisfied the prerequisites in [Prerequisites](#bundle-ami-prerequisites).
In the following commands, replace each *user input placeholder* with your own information.
1. Upload your credentials to your instance. We use these credentials to ensure that only you and Amazon EC2 can access your AMI.
1. Create a temporary directory on your instance for your credentials as follows:
```
[ec2-user ~]$ mkdir /tmp/cert
```
This enables you to exclude your credentials from the created image.
1. Copy your X.509 certificate and corresponding private key from your computer to the `/tmp/cert` directory on your instance using a secure copy tool such as [scp](linux-file-transfer-scp.md). The `-i my-private-key.pem` option in the following **scp** command is the private key you use to connect to your instance with SSH, not the X.509 private key. For example:
```
you@your_computer:~ $ scp -i my-private-key.pem /path/to/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem /path/to/cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem ec2-user@ec2-203-0-113-25.compute-1.amazonaws.com:/tmp/cert/
pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem 100% 717 0.7KB/s 00:00
cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem 100% 685 0.7KB/s 00:00
```
Alternatively, because these are plain text files, you can open the certificate and key in a text editor and copy their contents into new files in `/tmp/cert`.
1. Prepare the bundle to upload to Amazon S3 by running the [ec2-bundle-vol](ami-tools-commands.md#ami-bundle-vol) command from inside your instance. Be sure to specify the `-e` option to exclude the directory where your credentials are stored. By default, the bundle process excludes files that might contain sensitive information. These files include `*.sw`, `*.swo`, `*.swp`, `*.pem`, `*.priv`, `*id_rsa*`, `*id_dsa*` `*.gpg`, `*.jks`, `*/.ssh/authorized_keys`, and `*/.bash_history`. To include all of these files, use the `--no-filter` option. To include some of these files, use the `--include` option.
**Important**
By default, the AMI bundling process creates a compressed, encrypted collection of files in the `/tmp` directory that represents your root volume. If you do not have enough free disk space in `/tmp` to store the bundle, you need to specify a different location for the bundle to be stored with the `-d /path/to/bundle/storage` option. Some instances have ephemeral storage mounted at `/mnt` or `/media/ephemeral0` that you can use, or you can also create, attach, and mount a new Amazon EBS) volume to store the bundle. For more information, see [Create an Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html) in the *Amazon EBS User Guide*.
1. You must run the **ec2-bundle-vol** command as root. For most commands, you can use **sudo** to gain elevated permissions, but in this case, you should run **sudo -E su** to keep your environment variables.
```
[ec2-user ~]$ sudo -E su
```
Note that bash prompt now identifies you as the root user, and that the dollar sign has been replaced by a hash tag, signalling that you are in a root shell:
```
[root ec2-user]#
```
1. To create the AMI bundle, run the [ec2-bundle-vol](ami-tools-commands.md#ami-bundle-vol) command as follows:
```
[root ec2-user]# ec2-bundle-vol -k /tmp/cert/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -c /tmp/cert/cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -u 123456789012 -r x86_64 -e /tmp/cert --partition gpt
```
**Note**
For the China (Beijing) and AWS GovCloud (US-West) Regions, use the `--ec2cert` parameter and specify the certificates as per the [prerequisites](#bundle-ami-prerequisites).
It can take a few minutes to create the image. When this command completes, your `/tmp` (or non-default) directory contains the bundle (`image.manifest.xml`, plus multiple `image.part.`*xx* files).
1. Exit from the root shell.
```
[root ec2-user]# exit
```
1. (Optional) To add more instance store volumes, edit the block device mappings in the `image.manifest.xml` file for your AMI. For more information, see [Block device mappings for volumes on Amazon EC2 instances](block-device-mapping-concepts.md).
1. Create a backup of your `image.manifest.xml` file.
```
[ec2-user ~]$ sudo cp /tmp/image.manifest.xml /tmp/image.manifest.xml.bak
```
1. Reformat the `image.manifest.xml` file so that it is easier to read and edit.
```
[ec2-user ~]$ sudo xmllint --format /tmp/image.manifest.xml.bak > /tmp/image.manifest.xml
```
1. Edit the block device mappings in `image.manifest.xml` with a text editor. The example below shows a new entry for the `ephemeral1` instance store volume.
**Note**
For a list of excluded files, see [ec2-bundle-vol](ami-tools-commands.md#ami-bundle-vol).
```
ami
sda
ephemeral0
sdb
ephemeral1
sdc
root
/dev/sda1
```
1. Save the `image.manifest.xml` file and exit your text editor.
1. To upload your bundle to Amazon S3, run the [ec2-upload-bundle](ami-tools-commands.md#ami-upload-bundle) command as follows.
```
[ec2-user ~]$ ec2-upload-bundle -b amzn-s3-demo-bucket/bundle_folder/bundle_name -m /tmp/image.manifest.xml -a your_access_key_id -s your_secret_access_key
```
**Important**
To register your AMI in a Region other than US East (N. Virginia), you must specify both the target Region with the `--region` option and a bucket path that already exists in the target Region or a unique bucket path that can be created in the target Region.
1. (Optional) After the bundle is uploaded to Amazon S3, you can remove the bundle from the `/tmp` directory on the instance using the following **rm** command:
```
[ec2-user ~]$ sudo rm /tmp/image.manifest.xml /tmp/image.part.* /tmp/image
```
**Important**
If you specified a path with the `-d /path/to/bundle/storage` option in [Step 2](#step_with_bundle_path_amazon_linux), use that path instead of `/tmp`.
1. To register your AMI, run the [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) command as follows.
```
[ec2-user ~]$ aws ec2 register-image --image-location amzn-s3-demo-bucket/bundle_folder/bundle_name/image.manifest.xml --name AMI_name --virtualization-type hvm
```
**Important**
If you previously specified a Region for the [ec2-upload-bundle](ami-tools-commands.md#ami-upload-bundle) command, specify that Region again for this command.
# Set up the Amazon EC2 AMI tools
You can use the AMI tools to create and manage Amazon S3-backed Linux AMIs. To use the tools, you must install them on your Linux instance. The AMI tools are available as both an RPM and as a .zip file for Linux distributions that don't support RPM.
**To set up the AMI tools using the RPM**
1. Install Ruby using the package manager for your Linux distribution, such as yum. For example:
```
[ec2-user ~]$ sudo yum install -y ruby
```
1. Download the RPM file using a tool such as wget or curl. For example:
```
[ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.noarch.rpm
```
1. Verify the RPM file's signature using the following command:
```
[ec2-user ~]$ rpm -K ec2-ami-tools.noarch.rpm
```
The command above should indicate that the file's SHA1 and MD5 hashes are `OK.` If the command indicates that the hashes are `NOT OK`, use the following command to view the file's Header SHA1 and MD5 hashes:
```
[ec2-user ~]$ rpm -Kv ec2-ami-tools.noarch.rpm
```
Then, compare your file's Header SHA1 and MD5 hashes with the following verified AMI tools hashes to confirm the file's authenticity:
+ Header SHA1: a1f662d6f25f69871104e6a62187fa4df508f880
+ MD5: 9faff05258064e2f7909b66142de6782
If your file's Header SHA1 and MD5 hashes match the verified AMI tools hashes, continue to the next step.
1. Install the RPM using the following command:
```
[ec2-user ~]$ sudo yum install ec2-ami-tools.noarch.rpm
```
1. Verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command.
```
[ec2-user ~]$ ec2-ami-tools-version
```
**Note**
If you receive a load error such as "cannot load such file -- ec2/amitools/version (LoadError)", complete the next step to add the location of your AMI tools installation to your `RUBYLIB` path.
1. (Optional) If you received an error in the previous step, add the location of your AMI tools installation to your `RUBYLIB` path.
1. Run the following command to determine the paths to add.
```
[ec2-user ~]$ rpm -qil ec2-ami-tools | grep ec2/amitools/version
/usr/lib/ruby/site_ruby/ec2/amitools/version.rb
/usr/lib64/ruby/site_ruby/ec2/amitools/version.rb
```
In the above example, the missing file from the previous load error is located at `/usr/lib/ruby/site_ruby` and `/usr/lib64/ruby/site_ruby`.
1. Add the locations from the previous step to your `RUBYLIB` path.
```
[ec2-user ~]$ export RUBYLIB=$RUBYLIB:/usr/lib/ruby/site_ruby:/usr/lib64/ruby/site_ruby
```
1. Verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command.
```
[ec2-user ~]$ ec2-ami-tools-version
```
**To set up the AMI tools using the .zip file**
1. Install Ruby and unzip using the package manager for your Linux distribution, such as **apt-get**. For example:
```
[ec2-user ~]$ sudo apt-get update -y && sudo apt-get install -y ruby unzip
```
1. Download the .zip file using a tool such as wget or curl. For example:
```
[ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
```
1. Unzip the files into a suitable installation directory, such as `/usr/local/ec2`.
```
[ec2-user ~]$ sudo mkdir -p /usr/local/ec2
$ sudo unzip ec2-ami-tools.zip -d /usr/local/ec2
```
Notice that the .zip file contains a folder ec2-ami-tools-*x*.*x*.*x*, where *x*.*x*.*x* is the version number of the tools (for example, `ec2-ami-tools-1.5.7`).
1. Set the `EC2_AMITOOL_HOME` environment variable to the installation directory for the tools. For example:
```
[ec2-user ~]$ export EC2_AMITOOL_HOME=/usr/local/ec2/ec2-ami-tools-x.x.x
```
1. Add the tools to your `PATH` environment variable. For example:
```
[ec2-user ~]$ export PATH=$EC2_AMITOOL_HOME/bin:$PATH
```
1. You can verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command.
```
[ec2-user ~]$ ec2-ami-tools-version
```
## Manage signing certificates
Certain commands in the AMI tools require a signing certificate (also known as X.509 certificate). You must create the certificate and then upload it to AWS. For example, you can use a third-party tool such as OpenSSL to create the certificate.
**To create a signing certificate**
1. Install and configure OpenSSL.
1. Create a private key using the `openssl genrsa` command and save the output to a `.pem` file. We recommend that you create a 2048- or 4096-bit RSA key.
```
openssl genrsa 2048 > private-key.pem
```
1. Generate a certificate using the `openssl req` command.
```
openssl req -new -x509 -nodes -sha256 -days 365 -key private-key.pem -outform PEM -out certificate.pem
```
To upload the certificate to AWS, use the [upload-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-signing-certificate.html) command.
```
aws iam upload-signing-certificate --user-name user-name --certificate-body file://path/to/certificate.pem
```
To list the certificates for a user, use the [list-signing-certificates](https://docs.aws.amazon.com/cli/latest/reference/iam/list-signing-certificates.html) command:
```
aws iam list-signing-certificates --user-name user-name
```
To disable or re-enable a signing certificate for a user, use the [update-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/update-signing-certificate.html) command. The following command disables the certificate:
```
aws iam update-signing-certificate --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE --status Inactive --user-name user-name
```
To delete a certificate, use the [delete-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-signing-certificate.html) command:
```
aws iam delete-signing-certificate --user-name user-name --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE
```
# Amazon EC2 AMI tools reference
You can use the AMI tools commands to create and manage Amazon S3-backed Linux AMIs. To set up the tools, see [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md).
For information about your access keys, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the *IAM User Guide*.
**Topics**
+ [ec2-ami-tools-version](#ami-tools-version)
+ [ec2-bundle-image](#ami-bundle-image)
+ [ec2-bundle-vol](#ami-bundle-vol)
+ [ec2-delete-bundle](#ami-delete-bundle)
+ [ec2-download-bundle](#ami-download-bundle)
+ [ec2-migrate-manifest](#ami-migrate-manifest)
+ [ec2-unbundle](#ami-unbundle)
+ [ec2-upload-bundle](#ami-upload-bundle)
+ [Common options for AMI tools](#common-args-ami)
## ec2-ami-tools-version
### Description
Describes the version of the AMI tools.
### Syntax
**ec2-ami-tools-version**
### Output
The version information.
### Example
This example command displays the version information for the AMI tools that you're using.
```
[ec2-user ~]$ ec2-ami-tools-version
1.5.2 20071010
```
## ec2-bundle-image
### Description
Creates an Amazon S3-backed Linux AMI from an operating system image created in a loopback file.
### Syntax
****ec2-bundle-image** -c *path* -k *path* -u *account* -i *path* [-d *path*] [--ec2cert *path*] [-r *architecture*] [--productcodes *code1*,*code2*,...] [-B *mapping*] [-p *prefix*]**
### Options
`-c, --cert` *path*
The user's PEM encoded RSA public key certificate file.
Required: Yes
`-k, --privatekey` *path*
The path to a PEM-encoded RSA key file. You'll need to specify this key to unbundle this bundle, so keep it in a safe place. Note that the key doesn't have to be registered to your AWS account.
Required: Yes
`-u, --user ` *account*
The user's AWS account ID, without dashes.
Required: Yes
`-i, --image` *path*
The path to the image to bundle.
Required: Yes
`-d, --destination` *path*
The directory in which to create the bundle.
Default: `/tmp`
Required: No
`--ec2cert` *path*
The path to the Amazon EC2 X.509 public key certificate used to encrypt the image manifest.
The `us-gov-west-1` and `cn-north-1` Regions use a non-default public key certificate and the path to that certificate must be specified with this option. The path to the certificate varies based on the installation method of the AMI tools. For Amazon Linux, the certificates are located at `/opt/aws/amitools/ec2/etc/ec2/amitools/`. If you installed the AMI tools from the RPM or ZIP file in [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md), the certificates are located at `$EC2_AMITOOL_HOME/etc/ec2/amitools/`.
Required: Only for the `us-gov-west-1` and `cn-north-1` Regions.
`-r, --arch` *architecture*
Image architecture. If you don't provide the architecture on the command line, you'll be prompted for it when bundling starts.
Valid values: `i386` \$1 `x86_64`
Required: No
`--productcodes` *code1,code2,...*
Product codes to attach to the image at registration time, separated by commas.
Required: No
`-B, --block-device-mapping` *mapping*
Defines how block devices are exposed to an instance of this AMI if its instance type supports the specified device.
Specify a comma-separated list of key-value pairs, where each key is a virtual name and each value is the corresponding device name. Virtual names include the following:
+ `ami`—The root file system device, as seen by the instance
+ `root`—The root file system device, as seen by the kernel
+ `swap`—The swap device, as seen by the instance
+ `ephemeralN`—The Nth instance store volume
Required: No
`-p, --prefix` *prefix*
The filename prefix for bundled AMI files.
Default: The name of the image file. For example, if the image path is `/var/spool/my-image/version-2/debian.img`, then the default prefix is `debian.img`.
Required: No
`--kernel` *kernel\$1id*
Deprecated. Use [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) to set the kernel.
Required: No
`--ramdisk` *ramdisk\$1id*
Deprecated. Use [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) to set the RAM disk if required.
Required: No
### Output
Status messages describing the stages and status of the bundling process.
### Example
This example creates a bundled AMI from an operating system image that was created in a loopback file.
```
[ec2-user ~]$ ec2-bundle-image -k pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -c cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -u 111122223333 -i image.img -d bundled/ -r x86_64
Please specify a value for arch [i386]:
Bundling image file...
Splitting bundled/image.gz.crypt...
Created image.part.00
Created image.part.01
Created image.part.02
Created image.part.03
Created image.part.04
Created image.part.05
Created image.part.06
Created image.part.07
Created image.part.08
Created image.part.09
Created image.part.10
Created image.part.11
Created image.part.12
Created image.part.13
Created image.part.14
Generating digests for each part...
Digests generated.
Creating bundle manifest...
ec2-bundle-image complete.
```
## ec2-bundle-vol
### Description
Creates an Amazon S3-backed Linux AMI by compressing, encrypting, and signing a copy of the root volume for the instance.
Amazon EC2 attempts to inherit product codes, kernel settings, RAM disk settings, and block device mappings from the instance.
By default, the bundle process excludes files that might contain sensitive information. These files include `*.sw`, `*.swo`, `*.swp`, `*.pem`, `*.priv`, `*id_rsa*`, `*id_dsa*` `*.gpg`, `*.jks`, `*/.ssh/authorized_keys`, and `*/.bash_history`. To include all of these files, use the `--no-filter` option. To include some of these files, use the `--include` option.
For more information, see [Create an Amazon S3-backed AMI](creating-an-ami-instance-store.md).
### Syntax
****ec2-bundle-vol** -c *path* -k *path* -u *account* [-d *path*] [--ec2cert *path*] [-r *architecture*] [--productcodes *code1*,*code2*,...] [-B *mapping*] [--all] [-e *directory1*,*directory2*,...] [-i *file1*,*file2*,...] [--no-filter] [-p *prefix*] [-s *size*] [--[no-]inherit] [-v *volume*] [-P *type*] [-S *script*] [--fstab *path*] [--generate-fstab] [--grub-config *path*]**
### Options
`-c, --cert` *path*
The user's PEM encoded RSA public key certificate file.
Required: Yes
`-k, --privatekey ` *path*
The path to the user's PEM-encoded RSA key file.
Required: Yes
`-u, --user` *account*
The user's AWS account ID, without dashes.
Required: Yes
`-d, --destination` *destination*
The directory in which to create the bundle.
Default: `/tmp`
Required: No
`--ec2cert` *path*
The path to the Amazon EC2 X.509 public key certificate used to encrypt the image manifest.
The `us-gov-west-1` and `cn-north-1` Regions use a non-default public key certificate and the path to that certificate must be specified with this option. The path to the certificate varies based on the installation method of the AMI tools. For Amazon Linux, the certificates are located at `/opt/aws/amitools/ec2/etc/ec2/amitools/`. If you installed the AMI tools from the RPM or ZIP file in [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md), the certificates are located at `$EC2_AMITOOL_HOME/etc/ec2/amitools/`.
Required: Only for the `us-gov-west-1` and `cn-north-1` Regions.
`-r, --arch ` *architecture*
The image architecture. If you don't provide this on the command line, you'll be prompted to provide it when the bundling starts.
Valid values: `i386` \$1 `x86_64`
Required: No
`--productcodes` *code1,code2,...*
Product codes to attach to the image at registration time, separated by commas.
Required: No
`-B, --block-device-mapping` *mapping*
Defines how block devices are exposed to an instance of this AMI if its instance type supports the specified device.
Specify a comma-separated list of key-value pairs, where each key is a virtual name and each value is the corresponding device name. Virtual names include the following:
+ `ami`—The root file system device, as seen by the instance
+ `root`—The root file system device, as seen by the kernel
+ `swap`—The swap device, as seen by the instance
+ `ephemeralN`—The Nth instance store volume
Required: No
`-a, --all`
Bundle all directories, including those on remotely mounted file systems.
Required: No
`-e, --exclude ` *directory1,directory2,...*
A list of absolute directory paths and files to exclude from the bundle operation. This parameter overrides the `--all` option. When exclude is specified, the directories and subdirectories listed with the parameter will not be bundled with the volume.
Required: No
`-i, --include ` *file1,file2,...*
A list of files to include in the bundle operation. The specified files would otherwise be excluded from the AMI because they might contain sensitive information.
Required: No
`--no-filter`
If specified, we won't exclude files from the AMI because they might contain sensitive information.
Required: No
`-p, --prefix ` *prefix*
The file name prefix for bundled AMI files.
Default: `image`
Required: No
`-s, --size` *size*
The size, in MB (1024 \$1 1024 bytes), of the image file to create. The maximum size is 10240 MB.
Default: 10240
Required: No
`--[no-]inherit`
Indicates whether the image should inherit the instance's metadata (the default is to inherit). Bundling fails if you enable `--inherit` but the instance metadata is not accessible.
Required: No
`-v, --volume ` *volume*
The absolute path to the mounted volume from which to create the bundle.
Default: The root directory (/)
Required: No
`-P, --partition` *type*
Indicates whether the disk image should use a partition table. If you don't specify a partition table type, the default is the type used on the parent block device of the volume, if applicable, otherwise the default is `gpt`.
Valid values: `mbr` \$1 `gpt` \$1 `none`
Required: No
`-S, --script` *script*
A customization script to be run right before bundling. The script must expect a single argument, the mount point of the volume.
Required: No
`--fstab` *path*
The path to the fstab to bundle into the image. If this is not specified, Amazon EC2 bundles /etc/fstab.
Required: No
`--generate-fstab`
Bundles the volume using an Amazon EC2-provided fstab.
Required: No
`--grub-config`
The path to an alternate grub configuration file to bundle into the image. By default, `ec2-bundle-vol` expects either `/boot/grub/menu.lst` or `/boot/grub/grub.conf` to exist on the cloned image. This option allows you to specify a path to an alternative grub configuration file, which will then be copied over the defaults (if present).
Required: No
`--kernel` *kernel\$1id*
Deprecated. Use [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) to set the kernel.
Required: No
`--ramdisk`*ramdisk\$1id*
Deprecated. Use [register-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) to set the RAM disk if required.
Required: No
### Output
Status messages describing the stages and status of the bundling.
### Example
This example creates a bundled AMI by compressing, encrypting and signing a snapshot of the local machine's root file system.
```
[ec2-user ~]$ ec2-bundle-vol -d /mnt -k pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -c cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -u 111122223333 -r x86_64
Copying / into the image file /mnt/image...
Excluding:
sys
dev/shm
proc
dev/pts
proc/sys/fs/binfmt_misc
dev
media
mnt
proc
sys
tmp/image
mnt/img-mnt
1+0 records in
1+0 records out
mke2fs 1.38 (30-Jun-2005)
warning: 256 blocks unused.
Splitting /mnt/image.gz.crypt...
Created image.part.00
Created image.part.01
Created image.part.02
Created image.part.03
...
Created image.part.22
Created image.part.23
Generating digests for each part...
Digests generated.
Creating bundle manifest...
Bundle Volume complete.
```
## ec2-delete-bundle
### Description
Deletes the specified bundle from Amazon S3 storage. After you delete a bundle, you can't launch instances from the corresponding AMI.
### Syntax
****ec2-delete-bundle** -b *bucket* -a *access\$1key\$1id* -s *secret\$1access\$1key* [-t *token*] [--url *url*] [--region *region*] [--sigv *version*] [-m *path*] [-p *prefix*] [--clear] [--retry] [-y]**
### Options
`-b, --bucket `*bucket*
The name of the Amazon S3 bucket containing the bundled AMI, followed by an optional '/'-delimited path prefix
Required: Yes
`-a, --access-key` *access\$1key\$1id*
The AWS access key ID.
Required: Yes
`-s, --secret-key` *secret\$1access\$1key*
The AWS secret access key.
Required: Yes
`-t, --delegation-token` *token*
The delegation token to pass along to the AWS request. For more information, see [Temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*.
Required: Only when you are using temporary security credentials.
Default: The value of the `AWS_DELEGATION_TOKEN` environment variable (if set).
`--region`*region*
The Region to use in the request signature.
Default: `us-east-1`
Required: Required if using signature version 4
`--sigv`*version*
The signature version to use when signing the request.
Valid values: `2` \$1 `4`
Default: `4`
Required: No
`-m, --manifest`*path*
The path to the manifest file.
Required: You must specify `--prefix` or `--manifest`.
`-p, --prefix` *prefix*
The bundled AMI filename prefix. Provide the entire prefix. For example, if the prefix is image.img, use `-p image.img` and not `-p image`.
Required: You must specify `--prefix` or `--manifest`.
`--clear`
Deletes the Amazon S3 bucket if it's empty after deleting the specified bundle.
Required: No
`--retry`
Automatically retries on all Amazon S3 errors, up to five times per operation.
Required: No
`-y, --yes`
Automatically assumes the answer to all prompts is yes.
Required: No
### Output
Amazon EC2 displays status messages indicating the stages and status of the delete process.
### Example
This example deletes a bundle from Amazon S3.
```
[ec2-user ~]$ ec2-delete-bundle -b amzn-s3-demo-bucket -a your_access_key_id -s your_secret_access_key
Deleting files:
amzn-s3-demo-bucket/image.manifest.xml
amzn-s3-demo-bucket/image.part.00
amzn-s3-demo-bucket/image.part.01
amzn-s3-demo-bucket/image.part.02
amzn-s3-demo-bucket/image.part.03
amzn-s3-demo-bucket/image.part.04
amzn-s3-demo-bucket/image.part.05
amzn-s3-demo-bucket/image.part.06
Continue? [y/n]
y
Deleted amzn-s3-demo-bucket/image.manifest.xml
Deleted amzn-s3-demo-bucket/image.part.00
Deleted amzn-s3-demo-bucket/image.part.01
Deleted amzn-s3-demo-bucket/image.part.02
Deleted amzn-s3-demo-bucket/image.part.03
Deleted amzn-s3-demo-bucket/image.part.04
Deleted amzn-s3-demo-bucket/image.part.05
Deleted amzn-s3-demo-bucket/image.part.06
ec2-delete-bundle complete.
```
## ec2-download-bundle
### Description
Downloads the specified Amazon S3-backed Linux AMIs from Amazon S3 storage.
### Syntax
****ec2-download-bundle** -b *bucket* -a *access\$1key\$1id* -s *secret\$1access\$1key* -k *path* [--url *url*] [--region *region*] [--sigv *version*] [-m *file*] [-p *prefix*] [-d *directory*] [--retry]**
### Options
`-b, --bucket` *bucket*
The name of the Amazon S3 bucket where the bundle is located, followed by an optional '/'-delimited path prefix.
Required: Yes
`-a, --access-key` *access\$1key\$1id*
The AWS access key ID.
Required: Yes
`-s, --secret-key` *secret\$1access\$1key*
The AWS secret access key.
Required: Yes
`-k, --privatekey` *path*
The private key used to decrypt the manifest.
Required: Yes
`--url` *url*
The Amazon S3 service URL.
Default: `https://s3.amazonaws.com/`
Required: No
`--region` *region*
The Region to use in the request signature.
Default: `us-east-1`
Required: Required if using signature version 4
`--sigv` *version*
The signature version to use when signing the request.
Valid values: `2` \$1 `4`
Default: `4`
Required: No
`-m, --manifest` *file*
The name of the manifest file (without the path). We recommend that you specify either the manifest (`-m`) or a prefix (`-p`).
Required: No
`-p, --prefix ` *prefix*
The filename prefix for the bundled AMI files.
Default: `image`
Required: No
`-d, --directory ` *directory*
The directory where the downloaded bundle is saved. The directory must exist.
Default: The current working directory.
Required: No
`--retry`
Automatically retries on all Amazon S3 errors, up to five times per operation.
Required: No
### Output
Status messages indicating the various stages of the download process are displayed.
### Example
This example creates the `bundled` directory (using the Linux **mkdir** command) and downloads the bundle from the `amzn-s3-demo-bucket` Amazon S3 bucket.
```
[ec2-user ~]$ mkdir bundled
[ec2-user ~]$ ec2-download-bundle -b amzn-s3-demo-bucket/bundles/bundle_name -m image.manifest.xml -a your_access_key_id -s your_secret_access_key -k pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -d mybundle
Downloading manifest image.manifest.xml from amzn-s3-demo-bucket to mybundle/image.manifest.xml ...
Downloading part image.part.00 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.00 ...
Downloaded image.part.00 from amzn-s3-demo-bucket
Downloading part image.part.01 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.01 ...
Downloaded image.part.01 from amzn-s3-demo-bucket
Downloading part image.part.02 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.02 ...
Downloaded image.part.02 from amzn-s3-demo-bucket
Downloading part image.part.03 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.03 ...
Downloaded image.part.03 from amzn-s3-demo-bucket
Downloading part image.part.04 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.04 ...
Downloaded image.part.04 from amzn-s3-demo-bucket
Downloading part image.part.05 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.05 ...
Downloaded image.part.05 from amzn-s3-demo-bucket
Downloading part image.part.06 from amzn-s3-demo-bucket/bundles/bundle_name to mybundle/image.part.06 ...
Downloaded image.part.06 from amzn-s3-demo-bucket
```
## ec2-migrate-manifest
### Description
Modifies an Amazon S3-backed Linux AMI (for example, its certificate, kernel, and RAM disk) so that it supports a different Region.
### Syntax
****ec2-migrate-manifest** -c *path* -k *path* -m *path* \$1(-a *access\$1key\$1id* -s *secret\$1access\$1key* --region *region*) \$1 (--no-mapping)\$1 [--ec2cert *ec2\$1cert\$1path*] [--kernel *kernel-id*] [--ramdisk *ramdisk\$1id*]**
### Options
`-c, --cert` *path*
The user's PEM encoded RSA public key certificate file.
Required: Yes
`-k, --privatekey` *path*
The path to the user's PEM-encoded RSA key file.
Required: Yes
`--manifest` *path*
The path to the manifest file.
Required: Yes
`-a, --access-key` *access\$1key\$1id*
The AWS access key ID.
Required: Required if using automatic mapping.
`-s, --secret-key ` *secret\$1access\$1key*
The AWS secret access key.
Required: Required if using automatic mapping.
`--region` *region*
The Region to look up in the mapping file.
Required: Required if using automatic mapping.
`--no-mapping`
Disables automatic mapping of kernels and RAM disks.
During migration, Amazon EC2 replaces the kernel and RAM disk in the manifest file with a kernel and RAM disk designed for the destination region. Unless the `--no-mapping` parameter is given, `ec2-migrate-bundle` might use the `DescribeRegions` and `DescribeImages` operations to perform automated mappings.
Required: Required if you're not providing the `-a`, `-s`, and `--region` options used for automatic mapping.
`--ec2cert` *path*
The path to the Amazon EC2 X.509 public key certificate used to encrypt the image manifest.
The `us-gov-west-1` and `cn-north-1` Regions use a non-default public key certificate and the path to that certificate must be specified with this option. The path to the certificate varies based on the installation method of the AMI tools. For Amazon Linux, the certificates are located at `/opt/aws/amitools/ec2/etc/ec2/amitools/`. If you installed the AMI tools from the ZIP file in [Set up the Amazon EC2 AMI tools](set-up-ami-tools.md), the certificates are located at `$EC2_AMITOOL_HOME/etc/ec2/amitools/`.
Required: Only for the `us-gov-west-1` and `cn-north-1` Regions.
`--kernel` *kernel\$1id*
The ID of the kernel to select.
We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/linux/al2/ug/UserProvidedKernels.html) in the *Amazon Linux 2 User Guide*.
Required: No
`--ramdisk` *ramdisk\$1id*
The ID of the RAM disk to select.
We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/linux/al2/ug/UserProvidedKernels.html) in the *Amazon Linux 2 User Guide*.
Required: No
### Output
Status messages describing the stages and status of the bundling process.
### Example
This example copies the AMI specified in the `my-ami.manifest.xml` manifest from the US to the EU.
```
[ec2-user ~]$ ec2-migrate-manifest --manifest my-ami.manifest.xml --cert cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem --privatekey pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem --region eu-west-1
Backing up manifest...
Successfully migrated my-ami.manifest.xml It is now suitable for use in eu-west-1.
```
## ec2-unbundle
### Description
Re-creates the bundle from an Amazon S3-backed Linux AMI.
### Syntax
****ec2-unbundle** -k *path* -m *path* [-s *source\$1directory*] [-d *destination\$1directory*]**
### Options
`-k, --privatekey` *path*
The path to your PEM-encoded RSA key file.
Required: Yes
`-m, --manifest` *path*
The path to the manifest file.
Required: Yes
`-s, --source` *source\$1directory*
The directory containing the bundle.
Default: The current directory.
Required: No
`-d, --destination` *destination\$1directory*
The directory in which to unbundle the AMI. The destination directory must exist.
Default: The current directory.
Required: No
### Example
This Linux and UNIX example unbundles the AMI specified in the `image.manifest.xml` file.
```
[ec2-user ~]$ mkdir unbundled
$ ec2-unbundle -m mybundle/image.manifest.xml -k pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -s mybundle -d unbundled
$ ls -l unbundled
total 1025008
-rw-r--r-- 1 root root 1048578048 Aug 25 23:46 image.img
```
### Output
Status messages indicating the various stages of the unbundling process are displayed.
## ec2-upload-bundle
### Description
Uploads the bundle for an Amazon S3-backed Linux AMI to Amazon S3 and sets the appropriate access control lists (ACLs) on the uploaded objects. For more information, see [Create an Amazon S3-backed AMI](creating-an-ami-instance-store.md).
**Note**
To upload objects to an S3 bucket for your Amazon S3-backed Linux AMI, ACLs must be enabled for the bucket. Otherwise, Amazon EC2 will not be able to set ACLs on the objects to upload. If your destination bucket uses the bucket owner enforced setting for S3 Object Ownership, this won’t work because ACLs are disabled. For more information, see [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html).
### Syntax
****ec2-upload-bundle** -b *bucket* -a *access\$1key\$1id* -s *secret\$1access\$1key* [-t *token*] -m *path* [--url *url*] [--region *region*] [--sigv *version*] [--acl *acl*] [-d *directory*] [--part *part*] [--retry] [--skipmanifest]**
### Options
`-b, --bucket` *bucket*
The name of the Amazon S3 bucket in which to store the bundle, followed by an optional '/'-delimited path prefix. If the bucket doesn't exist, it's created if the bucket name is available. Additionally, if the bucket doesn't exist and the AMI tools version is 1.5.18 or later, this command sets the ACLs for the bucket.
Required: Yes
`-a, --access-key` *access\$1key\$1id*
Your AWS access key ID.
Required: Yes
`-s, --secret-key` *secret\$1access\$1key*
Your AWS secret access key.
Required: Yes
`-t, --delegation-token` *token*
The delegation token to pass along to the AWS request. For more information, see [Temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*.
Required: Only when you are using temporary security credentials.
Default: The value of the `AWS_DELEGATION_TOKEN` environment variable (if set).
`-m, --manifest` *path*
The path to the manifest file. The manifest file is created during the bundling process and can be found in the directory containing the bundle.
Required: Yes
`--url` *url*
Deprecated. Use the `--region` option instead unless your bucket is constrained to the `EU` location (and not `eu-west-1`). The `--location` flag is the only way to target that specific location restraint.
The Amazon S3 endpoint service URL.
Default: `https://s3.amazonaws.com/`
Required: No
`--region` *region*
The Region to use in the request signature for the destination S3 bucket.
+ If the bucket doesn't exist and you don't specify a Region, the tool creates the bucket without a location constraint (in `us-east-1`).
+ If the bucket doesn't exist and you specify a Region, the tool creates the bucket in the specified Region.
+ If the bucket exists and you don't specify a Region, the tool uses the bucket's location.
+ If the bucket exists and you specify `us-east-1` as the Region, the tool uses the bucket's actual location without any error message, any existing matching files are over-written.
+ If the bucket exists and you specify a Region (other than `us-east-1`) that doesn't match the bucket's actual location, the tool exits with an error.
If your bucket is constrained to the `EU` location (and not `eu-west-1`), use the `--location` flag instead. The `--location` flag is the only way to target that specific location restraint.
Default: `us-east-1`
Required: Required if using signature version 4
`--sigv` *version*
The signature version to use when signing the request.
Valid values: `2` \$1 `4`
Default: `4`
Required: No
`--acl` *acl*
The access control list policy of the bundled image.
Valid values: `public-read` \$1 `aws-exec-read`
Default: `aws-exec-read`
Required: No
`-d, --directory` *directory*
The directory containing the bundled AMI parts.
Default: The directory containing the manifest file (see the `-m` option).
Required: No
`--part` *part*
Starts uploading the specified part and all subsequent parts. For example, `--part 04`.
Required: No
`--retry`
Automatically retries on all Amazon S3 errors, up to five times per operation.
Required: No
`--skipmanifest`
Does not upload the manifest.
Required: No
`--location` *location*
Deprecated. Use the `--region` option instead, unless your bucket is constrained to the `EU` location (and not `eu-west-1`). The `--location` flag is the only way to target that specific location restraint.
The location constraint of the destination Amazon S3 bucket. If the bucket exists and you specify a location that doesn't match the bucket's actual location, the tool exits with an error. If the bucket exists and you don't specify a location, the tool uses the bucket's location. If the bucket doesn't exist and you specify a location, the tool creates the bucket in the specified location. If the bucket doesn't exist and you don't specify a location, the tool creates the bucket without a location constraint (in `us-east-1`).
Default: If `--region` is specified, the location is set to that specified Region. If `--region` is not specified, the location defaults to `us-east-1`.
Required: No
### Output
Amazon EC2 displays status messages that indicate the stages and status of the upload process.
### Example
This example uploads the bundle specified by the `image.manifest.xml` manifest.
```
[ec2-user ~]$ ec2-upload-bundle -b amzn-s3-demo-bucket/bundles/bundle_name -m image.manifest.xml -a your_access_key_id -s your_secret_access_key
Creating bucket...
Uploading bundled image parts to the S3 bucket amzn-s3-demo-bucket ...
Uploaded image.part.00
Uploaded image.part.01
Uploaded image.part.02
Uploaded image.part.03
Uploaded image.part.04
Uploaded image.part.05
Uploaded image.part.06
Uploaded image.part.07
Uploaded image.part.08
Uploaded image.part.09
Uploaded image.part.10
Uploaded image.part.11
Uploaded image.part.12
Uploaded image.part.13
Uploaded image.part.14
Uploading manifest ...
Uploaded manifest.
Bundle upload completed.
```
## Common options for AMI tools
Most of the AMI tools accept the following optional parameters.
`--help, -h`
Displays the help message.
`--version`
Displays the version and copyright notice.
`--manual`
Displays the manual entry.
`--batch`
Runs in batch mode, suppressing interactive prompts.
`--debug`
Displays information that can be useful when troubleshooting problems.
# Convert your Amazon S3-backed AMI to an EBS-backed AMI
You can convert an Amazon S3-backed Linux AMI that you own to an Amazon EBS-backed Linux AMI.
**Important**
You can't convert an AMI that you don't own.
**To convert an Amazon S3-backed AMI to an Amazon EBS-backed AMI**
1. Launch an Amazon Linux instance from an Amazon EBS-backed AMI. For more information, see [Launch an EC2 instance using the launch instance wizard in the console](ec2-launch-instance-wizard.md). Amazon Linux instances have the AWS CLI and AMI tools pre-installed.
1. Upload the X.509 private key that you used to bundle your Amazon S3-backed AMI to your instance. We use this key to ensure that only you and Amazon EC2 can access your AMI.
1. Create a temporary directory on your instance for your X.509 private key as follows:
```
[ec2-user ~]$ mkdir /tmp/cert
```
1. Copy your X.509 private key from your computer to the `/tmp/cert` directory on your instance, using a secure copy tool such as [scp](linux-file-transfer-scp.md). The *my-private-key* parameter in the following command is the private key you use to connect to your instance with SSH. For example:
```
you@your_computer:~ $ scp -i my-private-key.pem /path/to/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem ec2-user@ec2-203-0-113-25.compute-1.amazonaws.com:/tmp/cert/
pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem 100% 717 0.7KB/s 00:00
```
1. Configure your environment variables to use the AWS CLI. For more information, see [Environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).
1. (Recommended) Set environment variables for your AWS access key, secret key, and session token.
```
[ec2-user ~]$ export AWS_ACCESS_KEY_ID=your_access_key_id
[ec2-user ~]$ export AWS_SECRET_ACCESS_KEY=your_secret_access_key
[ec2-user ~]$ export AWS_SESSION_TOKEN=your_session_token
```
1. Set environment variables for your AWS access key, and secret key.
```
[ec2-user ~]$ export AWS_ACCESS_KEY_ID=your_access_key_id
[ec2-user ~]$ export AWS_SECRET_ACCESS_KEY=your_secret_access_key
```
1. Prepare an Amazon Elastic Block Store (Amazon EBS) volume for your new AMI.
1. Create an empty EBS volume in the same Availability Zone as your instance using the [create-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-volume.html) command. Note the volume ID in the command output.
**Important**
This EBS volume must be the same size or larger than the original instance store root volume.
```
aws ec2 create-volume \
--size 10 \
--region us-west-2 \
--availability-zone us-west-2b
```
1. Attach the volume to your Amazon EBS-backed instance using the [attach-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-volume.html) command.
```
aws ec2 attach-volume \
--volume-id vol-01234567890abcdef \
--instance-id i-1234567890abcdef0 \
--region us-west-2
```
1. Create a folder for your bundle.
```
[ec2-user ~]$ mkdir /tmp/bundle
```
1. Download the bundle for your instance store-based AMI to `/tmp/bundle` using the [ec2-download-bundle](ami-tools-commands.md#ami-download-bundle) command.
```
[ec2-user ~]$ ec2-download-bundle -b amzn-s3-demo-bucket/bundle_folder/bundle_name -m image.manifest.xml -a $AWS_ACCESS_KEY_ID -s $AWS_SECRET_ACCESS_KEY --privatekey /path/to/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -d /tmp/bundle
```
1. Reconstitute the image file from the bundle using the [ec2-unbundle](ami-tools-commands.md#ami-unbundle) command.
1. Change directories to the bundle folder.
```
[ec2-user ~]$ cd /tmp/bundle/
```
1. Run the [ec2-unbundle](ami-tools-commands.md#ami-unbundle) command.
```
[ec2-user bundle]$ ec2-unbundle -m image.manifest.xml --privatekey /path/to/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem
```
1. Copy the files from the unbundled image to the new EBS volume.
```
[ec2-user bundle]$ sudo dd if=/tmp/bundle/image of=/dev/sdb bs=1M
```
1. Probe the volume for any new partitions that were unbundled.
```
[ec2-user bundle]$ sudo partprobe /dev/sdb1
```
1. List the block devices to find the device name to mount.
```
[ec2-user bundle]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
/dev/sda 202:0 0 8G 0 disk
└─/dev/sda1 202:1 0 8G 0 part /
/dev/sdb 202:80 0 10G 0 disk
└─/dev/sdb1 202:81 0 10G 0 part
```
In this example, the partition to mount is `/dev/sdb1`, but your device name will likely be different. If your volume is not partitioned, then the device to mount will be similar to `/dev/sdb` (without a device partition trailing digit).
1. Create a mount point for the new EBS volume and mount the volume.
```
[ec2-user bundle]$ sudo mkdir /mnt/ebs
[ec2-user bundle]$ sudo mount /dev/sdb1 /mnt/ebs
```
1. Open the `/etc/fstab` file on the EBS volume with your favorite text editor (such as **vim** or **nano**) and remove any entries for instance store (ephemeral) volumes. Because the EBS volume is mounted on `/mnt/ebs`, the `fstab` file is located at `/mnt/ebs/etc/fstab`.
```
[ec2-user bundle]$ sudo nano /mnt/ebs/etc/fstab
#
LABEL=/ / ext4 defaults,noatime 1 1
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/sdb /media/ephemeral0 auto defaults,comment=cloudconfig 0 2
```
In this example, the last line should be removed.
1. Unmount the volume and detach it from the instance.
```
[ec2-user bundle]$ sudo umount /mnt/ebs
[ec2-user bundle]$ aws ec2 detach-volume --volume-id vol-01234567890abcdef --region us-west-2
```
1. Create an AMI from the new EBS volume as follows.
1. Create a snapshot of the new EBS volume.
```
[ec2-user bundle]$ aws ec2 create-snapshot --region us-west-2 --description "your_snapshot_description" --volume-id vol-01234567890abcdef
```
1. Check to see that your snapshot is complete.
```
[ec2-user bundle]$ aws ec2 describe-snapshots --region us-west-2 --snapshot-id snap-0abcdef1234567890
```
1. Identify the processor architecture, virtualization type, and the kernel image (`aki`) used on the original AMI with the **describe-images** command. You need the AMI ID of the original Amazon S3-backed AMI for this step.
```
[ec2-user bundle]$ aws ec2 describe-images --region us-west-2 --image-id ami-0abcdef1234567890 --output text
IMAGES x86_64 amazon/amzn-ami-pv-2013.09.2.x86_64-s3 ami-8ef297be amazon available public machine aki-fc8f11cc instance-store paravirtual xen
```
In this example, the architecture is `x86_64` and the kernel image ID is `aki-fc8f11cc`. Use these values in the following step. If the output of the above command also lists an `ari` ID, take note of that as well.
1. Register your new AMI with the snapshot ID of your new EBS volume and the values from the previous step. If the previous command output listed an `ari` ID, include that in the following command with `--ramdisk-id ari_id`.
```
[ec2-user bundle]$ aws ec2 register-image --region us-west-2 --name your_new_ami_name --block-device-mappings DeviceName=device-name,Ebs={SnapshotId=snap-0abcdef1234567890} --virtualization-type paravirtual --architecture x86_64 --kernel-id aki-fc8f11cc --root-device-name device-name
```
1. (Optional) After you have tested that you can launch an instance from your new AMI, you can delete the EBS volume that you created for this procedure.
```
aws ec2 delete-volume --volume-id vol-01234567890abcdef
```