

# VM Import/Export Requirements
<a name="vmie_prereqs"></a>

Before attempting to import a VM, you might need to perform tasks such as preparing your AWS environment by creating a service account with appropriate permissions. You might also need to prepare your locally hosted VM so that it is accessible once it is imported into AWS. Review each of these requirements to ensure that your resources are supported for import, and take action as needed.

**Topics**
+ [Requirements for resources that you import with VM Import/Export](prerequisites.md)
+ [Limitations for resources being imported with VM Import/Export](limitations-image-importing.md)
+ [Configurations to export VMs from your virtualization environment](prepare-vm-image.md)
+ [Required permissions for VM Import/Export](required-permissions.md)

# Requirements for resources that you import with VM Import/Export
<a name="prerequisites"></a>

Before you begin, you must be aware of the operating systems and image formats that VM Import/Export supports, and understand the limitations on importing instances and volumes.

**Topics**
+ [Image formats supported by VM Import/Export](#vmimport-image-formats)
+ [Operating systems supported by VM Import/Export](#vmimport-operating-systems)
+ [Boot modes supported by VM Import/Export](#vmimport-boot-modes)
+ [Volume types and file systems supported by VM Import/Export](#vmimport-volume-types)

## Image formats supported by VM Import/Export
<a name="vmimport-image-formats"></a>

VM Import/Export supports the following image formats for importing both disks and VMs:
+ Open Virtual Appliance (OVA) image format, which supports importing images with multiple hard disks.
+ Stream-optimized ESX Virtual Machine Disk (VMDK) image format, which is compatible with VMware ESX and VMware vSphere virtualization products.
+ Fixed and Dynamic Virtual Hard Disk (VHD/VHDX) image formats, which are compatible with Microsoft Hyper-V, Microsoft Azure, and Citrix Xen virtualization products.
+ Raw format for importing disks and VMs.

**Important**  
VMs that are created as the result of a physical-to-virtual (P2V) conversion are not supported. For more information, see [Limitations for resources being imported with VM Import/Export](limitations-image-importing.md).

## Operating systems supported by VM Import/Export
<a name="vmimport-operating-systems"></a>

The following operating systems (OS) can be imported to and exported from Amazon EC2. VMs using `ARM64` architecture are not currently supported.

**Important**  
Starting from April 1, 2026, VM Import Export will stop supporting i386 architecture. Import and Export tasks will stop working for i386 OS versions. These OS versions include Windows Server 2003 (32-bit), Windows Server 2003 R2 (32-bit), Windows Server 2008 (32-bit), Windows 7 (32-bit), Windows 8 (32-bit), CentOS 5 (32-bit), CentOS 6 (32-bit), Debian 6 (32-bit), Debian 7 (32-bit), Debian 10 (32-bit), Debian 11 (32-bit), Debian 12 (32-bit), Fedora 18 (32-bit), Fedora 19 (32-bit), Fedora 20 (32-bit), Oracle Linux 5 (32-bit), Oracle Linux 6 (32-bit), SUSE Linux Enterprise Server 11 (32-bit), Red Hat Enterprise Linux 5 (32-bit), Red Hat Enterprise Linux 6 (32-bit), Ubuntu 12.04 (32-bit), Ubuntu 12.10 (32-bit), Ubuntu 13.04 (32-bit), Ubuntu 13.10 (32-bit), Ubuntu 14.04 (32-bit), Ubuntu 14.10 (32-bit), Ubuntu 15.04 (32-bit), Ubuntu 16.04 (32-bit), Ubuntu 16.10 (32-bit), and Ubuntu 17.04 (32-bit). 

**Important**  
We strongly recommend that you avoid using OS versions that have reached End-of-Life (EOL). OS vendors typically don't provide security patches or other updates for versions that have reached EOL. Continuing to use an EOL system greatly increases the risk of not being able to apply upgrades, including security fixes, and other operational problems. VM Import Export functionalities are not tested on OS versions that have reached EOL. EOL OS versions include Windows Server 2003 (all versions), Windows Server 2003 R2 (all versions), Windows Server 2008 (all versions), Windows Server 2008 R2 (all versions), Windows Server 1709 (all versions), Windows Server 1803 (all versions), Windows 7 (all versions), Windows 8 (all versions), Windows 8.1 (all versions), CentOS 5 (all versions), CentOS 6 (all versions), CentOS 7 (all versions), CentOS 8 (all versions), Debian 6 (all versions), Debian 7 (all versions), Debian 10 (all versions), Fedora 18 (all versions), Fedora 19 (all versions), Fedora 20 (all versions), Fedora 37 (all versions), Fedora 38 (all versions), Fedora 39 (all versions), Fedora 40 (all versions), Oracle Linux 5 (all versions), Oracle Linux 6 (all versions), Red Hat Enterprise Linux 5 (all versions), Red Hat Enterprise Linux 6 (all versions), SUSE Linux Enterprise Server 11 (all versions), SUSE Linux Enterprise Server 12 (all versions), Ubuntu 12.04 (all versions), Ubuntu 12.10 (all versions), Ubuntu 13.04 (all versions), Ubuntu 13.10 (all versions), Ubuntu 14.04 (all versions), Ubuntu 14.10 (all versions), Ubuntu 15.04 (all versions), Ubuntu 16.04 (all versions), Ubuntu 16.10 (all versions), and Ubuntu 17.04 (all versions). 

### Linux/Unix
<a name="vmimport-operating-systems-linux"></a>

The following Linux/Unix operating systems are supported by VM Import/Export.<a name="linux-operating-systems"></a>

[See the AWS documentation website for more details](http://docs.aws.amazon.com/vm-import/latest/userguide/prerequisites.html)

### Windows
<a name="vmimport-operating-systems-windows"></a>

The following Windows operating systems are supported by VM Import/Export.<a name="windows-operating-systems"></a>


| Operating system | Edition | Bit version | Available with non-default Regions |
| --- | --- | --- | --- |
| Windows Server 2003 (Service Pack 1 or later) | Standard, Datacenter, Enterprise | 32, 64 | No |
| Windows Server 2003 R2 | Standard, Datacenter, Enterprise | 32, 64 | No |
| Windows Server 2008 | Standard, Datacenter, Enterprise | 32, 64 | No |
| Windows Server 2008 R2 | Standard, Web Server, Datacenter, Enterprise | 64 | Yes ⁵ |
| Windows Server 2012 | Standard, Datacenter | 64 | Yes ⁵ |
| Windows Server 2012 R2 | Standard, Datacenter | 64 | Yes ⁵ |
| Windows Server 2016 | Standard, Datacenter ³ | 64 | Yes ⁵ |
| Windows Server 1709 | Standard, Datacenter | 64 | Yes ⁵ |
| Windows Server 1803 | Standard, Datacenter | 64 | Yes ⁵ |
| Windows Server 2019 | Standard, Datacenter | 64 | Yes ⁵ |
| Windows Server 2022 | Standard, Datacenter | 64 | Yes ⁵ ⁶ |
| Windows Server 2025 | Standard, Datacenter | 64 | Yes ⁵ ⁶ |
| Windows 7 ¹ | Home, Professional, Enterprise, Ultimate | 32, 64 ⁴ | Yes ⁵ |
| Windows 8 ¹ | Home, Professional, Enterprise | 32, 64 ⁴ | Yes ⁵ |
| Windows 8.1 ¹ | Professional, Enterprise | 64 | Yes ⁵ |
| Windows 10 ¹ | Home, Professional, Enterprise, Education | 64 | Yes ⁵ |
| Windows 11 ¹ ² | Home, Professional, Enterprise, Education | 64 | Yes ⁵ ⁷ |

¹ The operating system must have its language set as `US English` during import.

² Windows 11 requires the Unified Extensible Firmware Interface (UEFI) boot mode to function. To help ensure a successful import of your VM, we recommend that you specify the optional `--boot-mode` parameter as `uefi`. For more information, see [Boot modes supported by VM Import/Export](#vmimport-boot-modes).

³ Nano Server installations are not supported.

⁴ Only the 64-bit version of the OS is supported when launching instances within non-default AWS Regions. For more information, see [Available Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) in the *Amazon EC2 User Guide*.

⁵ You must first enable the Region before you can use the operating system there. For more information, see [Enable or disable AWS Regions in your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in the *AWS Account Management Reference Guide*.

⁶ Windows Server 2022 and Windows Server 2025 are not supported in the China (Beijing) and China (Ningxia) Regions.

⁷ Windows 11 isn't supported in the Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), China (Beijing), China (Ningxia), Europe (Spain), Europe (Zurich), and Middle East (UAE) Regions.

## Boot modes supported by VM Import/Export
<a name="vmimport-boot-modes"></a>

When a computer boots, the first software that it runs is responsible for initializing the platform and providing an interface for the operating system to perform platform-specific operations. VM Import/Export supports two variants of the boot mode: Unified Extensible Firmware Interface (UEFI) and Legacy BIOS. You can choose whether to specify the optional `--boot-mode` parameter as `legacy-bios` or `uefi` when importing your VM.

Refer to the [Boot Modes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) section of the *Amazon Elastic Compute Cloud User Guide* for more information about specifying a boot mode, and UEFI variables.

## Volume types and file systems supported by VM Import/Export
<a name="vmimport-volume-types"></a>

VM Import/Export supports importing Windows and Linux VMs with the following file systems.

### Linux/Unix
<a name="vmimport-volume-types-linux"></a>

MBR partitioned volumes and GUID Partition Table (GPT) partitioned volumes that are formatted using the ext2, ext3, ext4, Btrfs, JFS, or XFS file system are supported.

**Important**  
Btrfs subvolumes are not supported.

### Windows
<a name="vmimport-volume-types-windows"></a>

GUID Partition Table (GPT) and Master Boot Record (MBR) partitioned volumes that are formatted using the NTFS file system are supported. If no `--boot-mode` parameter is specified, and the VM is compatible with both boot modes, the GPT volumes will be converted to MBR partitioned volumes.

VM Import/Export automatically detects the boot modes your Windows VM is compatible with. If the Windows VM is compatible with only a single boot mode, you don't need to specify the `--boot-mode` parameter.

If your Windows VM is compatible with both boot modes, and the following criteria are met for the imported disk, VM Import/Export selects Legacy BIOS by default. You can specify `uefi` for the `--boot-mode` parameter to override this behavior.
+ The disk is smaller than 2 terabytes
+ The disk does not contain more than 4 primary partitions
+ The disk is not a Windows dynamic disk
+ The file format is VHDX

# Limitations for resources being imported with VM Import/Export
<a name="limitations-image-importing"></a>

Review the following limitations that apply when you import a VM into Amazon EC2.

**Topics**
+ [General limitations for your resources](#limitations-image-importing-general)
+ [Limitations for Linux/Unix resources](#limitations-image-importing-linux)
+ [Limitations for Windows resources](#limitations-image-importing-windows)

## General limitations for your resources
<a name="limitations-image-importing-general"></a>

The following limitations apply to any operating system that you can import.
+ VMs that are created as the result of a physical-to-virtual (P2V) conversion are not supported. A P2V conversion occurs when a disk image is created by performing a Linux or Windows installation process on a physical machine and then importing a copy of that Linux or Windows installation to a VM.
+ Importing VMs with dual-boot configurations isn't supported.
+ Importing VMs with encrypted volumes isn't supported.
+ VM Import/Export doesn't support VMs that use Raw Device Mapping (RDM). Only VMDK disk images are supported.
+ VM Import/Export doesn't support VMware SEsparse delta-file format.
+ If you import a VM that's compatible with UEFI using the `import-image` command while specifying an EBS snapshot, you must specify a value for the `platform` parameter. For more information, see [import-snapshot](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportImage.html) in the Amazon EC2 API Reference.
+ An imported VM may fail to boot if the root partition is not on the same virtual hard drive as the MBR.
+ A VM import task fails for VMs with more than 21 volumes attached. Additional disks can be individually imported using the `ImportSnapshot` API.
+ VM Import/Export assigns only private IPv4 addresses to your instances, regardless of the auto-assign public IP setting for the subnet. To use a public IPv4 address, you can allocate an Elastic IP address to your account and associate it with your instance. You can also add IPv6 addresses. For more information, see [IP addressing for your VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html) in the *Amazon Virtual Private Cloud User Guide*.
+ Multiple network interfaces are not currently supported. After import, your VM has a single virtual network interface that uses DHCP to assign addresses.
+ Disk images must be less than 16 TiB. For disk images that are larger than 8 TiB, you must use a [manifest file](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/manifest.html).
  + You can use the `ImportInstance` operation to import VMs with disks up to the maximum supported size.
  + You can use the `ImportImage` operation to import VMs with disks less than 8 TiB in size.
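
As an added example (not AWS's code), the following Python turns the general limitations above, together with the Windows boot-mode defaulting rule from [Volume types and file systems supported by VM Import/Export](#vmimport-volume-types), into a pre-import check that runs over a description of the VM before any upload starts. The thresholds come from this page; the `Disk`/`VmSpec` model, the constructed sample VMs, and the reading of "2 terabytes" as decimal TB are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

TIB = 1024 ** 4   # the size limits above are stated in TiB (16 TiB hard limit, 8 TiB manifest threshold)
TB = 10 ** 12     # the boot-mode rule says "2 terabytes"; read here as decimal TB (assumption)


@dataclass
class Disk:
    size_bytes: int
    fmt: str                          # "ova", "vmdk", "vhd", "vhdx" or "raw"
    primary_partitions: int = 1
    dynamic_disk: bool = False        # Windows dynamic disk
    encrypted: bool = False
    raw_device_mapping: bool = False  # VMware RDM


@dataclass
class VmSpec:
    os_family: str                    # "windows" or "linux"
    os_name: str
    arch: str                         # "x86_64", "i386" or "arm64"
    disks: list[Disk]                 # disks[0] is the boot disk
    dual_boot: bool = False
    uefi_capable: bool = False
    bios_capable: bool = False
    boot_mode_param: Optional[str] = None   # value passed as --boot-mode, if any


def predicted_windows_boot_mode(vm: VmSpec) -> Optional[str]:
    """Boot mode VM Import/Export ends up using for a Windows VM, following the rule above.
    Returns None when the documented rule does not decide it (pass --boot-mode explicitly)."""
    if vm.os_family != "windows":
        return None
    if vm.boot_mode_param:
        return vm.boot_mode_param                      # an explicit --boot-mode always wins
    if vm.uefi_capable != vm.bios_capable:             # only one mode possible: auto-detected
        return "uefi" if vm.uefi_capable else "legacy-bios"
    boot = vm.disks[0]
    meets_default_rule = (boot.size_bytes < 2 * TB
                          and boot.primary_partitions <= 4
                          and not boot.dynamic_disk
                          and boot.fmt == "vhdx")
    return "legacy-bios" if meets_default_rule else None


def preflight(vm: VmSpec) -> dict:
    """Return {'errors': [...], 'warnings': [...], 'boot_mode': ...} for a VM description."""
    errors: list[str] = []
    warnings: list[str] = []
    if vm.arch == "arm64":
        errors.append("ARM64 VMs are not supported")
    elif vm.arch == "i386":
        if vm.os_family == "linux":
            errors.append("32-bit Linux images are not supported")
        else:
            warnings.append("i386 import and export tasks stop working on April 1, 2026")
    if vm.dual_boot:
        errors.append("dual-boot configurations are not supported")
    if len(vm.disks) > 21:
        errors.append(f"{len(vm.disks)} volumes attached; the task fails above 21 "
                      "(import the extra disks individually with ImportSnapshot)")
    for i, d in enumerate(vm.disks):
        if d.encrypted:
            errors.append(f"disk {i}: encrypted volumes are not supported")
        if d.raw_device_mapping:
            errors.append(f"disk {i}: Raw Device Mapping is not supported")
        if d.size_bytes >= 16 * TIB:
            errors.append(f"disk {i}: disk images must be less than 16 TiB")
        elif d.size_bytes >= 8 * TIB:
            warnings.append(f"disk {i}: 8 TiB or larger; ImportImage takes disks under 8 TiB, "
                            "and above 8 TiB ImportInstance with a manifest file is required")
    boot_mode = predicted_windows_boot_mode(vm)
    if vm.os_family == "windows":
        if vm.uefi_capable and vm.bios_capable and vm.boot_mode_param is None:
            warnings.append("VM boots in both modes; pass --boot-mode explicitly instead of "
                            "relying on the default selection")
        if vm.os_name.startswith("Windows 11") and boot_mode != "uefi":
            errors.append("Windows 11 requires UEFI; specify --boot-mode uefi")
    return {"errors": errors, "warnings": warnings, "boot_mode": boot_mode}


# Constructed sample VM descriptions (not real imports).
SAMPLE_WIN2022 = VmSpec("windows", "Windows Server 2022", "x86_64",
                        disks=[Disk(120 * 1024 ** 3, "vhdx", primary_partitions=3)],
                        uefi_capable=True, bios_capable=True)
SAMPLE_WIN11 = VmSpec("windows", "Windows 11", "x86_64",
                      disks=[Disk(256 * 1024 ** 3, "vhdx")],
                      uefi_capable=True, bios_capable=True)
SAMPLE_LINUX = VmSpec("linux", "Ubuntu 22.04", "x86_64",
                      disks=[Disk(9 * TIB, "vmdk"), Disk(1 * TIB, "vmdk", encrypted=True)])

if __name__ == "__main__":
    for name, vm in (("win2022", SAMPLE_WIN2022), ("win11", SAMPLE_WIN11), ("linux", SAMPLE_LINUX)):
        print(name, preflight(vm))
```

The Windows 11 sample is the case footnote 2 of the OS table warns about: the VM boots in both modes and its VHDX meets every criterion, so the default selection lands on Legacy BIOS, and the check reports an error until `--boot-mode uefi` is passed.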

## Limitations for Linux/Unix resources
<a name="limitations-image-importing-linux"></a>

The following limitations apply to Linux operating systems that you can import.
+ Imported Linux VMs must use 64-bit images. Migrating 32-bit Linux images isn't supported.
+ Imported Linux VMs should use default kernels for best results. VMs that use custom Linux kernels might not migrate successfully.
+ When preparing Linux VMs for import, make sure that there is sufficient disk space available on the root volume for installing drivers and other software.
+ To help ensure your Linux VM can import successfully and run on Amazon EC2 using the [AWS Nitro System](https://aws.amazon.com/ec2/nitro/), you can install the AWS NVMe and AWS Elastic Network Adapter (ENA) drivers before exporting your VM from its virtualization environment. For more information, see [Amazon EBS and NVMe on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html) and [Enable enhanced networking with the Elastic Network Adapter (ENA) on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html) in the *Amazon EC2 User Guide*.
+ If you import a Linux VM compatible with UEFI, you must have a fallback EFI binary, BOOTX64.EFI, located on the EFI System Partition.
  + Debian VMs that are missing a fallback EFI binary will have one automatically created from your GRUBX64.EFI, if it exists in your EFI System Partition.
+ Predictable network interface names are not supported for virtual machine imports.

## Limitations for Windows resources
<a name="limitations-image-importing-windows"></a>

The following limitations apply to Windows operating systems that you can import.
+ When preparing Windows VMs for import, make sure that there is sufficient disk space available on the root volume for installing drivers and other software. For Microsoft Windows VMs, configure a fixed page file size and ensure that there is at least 6 GiB of free space available on the root volume. If Windows is configured to use the "Automatically manage paging file size for all drives" setting, it might create 16 GB `pagefile.sys` files on the C drive of the instance.
+ If you import a Windows VM compatible with UEFI, we convert GPT boot volumes to MBR if the following are true: the image format is VHDX, the uncompressed size is 2 TiB or smaller, there are no more than three primary partitions, and the volume is not a dynamic disk.
+ If you import a Windows Server 2012 R2 VM, VM Import/Export installs the single root I/O virtualization (SR-IOV) drivers. These drivers are not required unless you plan to use enhanced networking, which provides higher performance (packets per second), lower latency, and lower jitter.
+ VM Import/Export does not support Emergency Management Services (EMS). If EMS is enabled for a source Windows VM, we disable it in the imported image.
+ Windows language packs that use UTF-16 (or non-ASCII) characters are not supported for import. We recommend using the English language pack when importing Windows VMs.
+ Windows Server VMs with the Hyper-V server role installed are not supported.

# Configurations to export VMs from your virtualization environment
<a name="prepare-vm-image"></a>

Before you can import your VM to Amazon EC2, you need to export it from your virtualization environment. Use the following guidelines to configure your VM before exporting it.

**Topics**
+ [General configurations](#prepare-vm-image-general)
+ [Linux/Unix configurations](#prepare-vm-image-linux)
+ [Windows configurations](#prepare-vm-image-windows)

## General configurations
<a name="prepare-vm-image-general"></a>

The following configurations should be made in your VM before you export it from your virtualization environment. You should also review the section specific to your operating system for additional required configurations.
+ Disable any antivirus or intrusion detection software on your VM. These services can be re-enabled after the import process is complete.
+ Uninstall the VMware Tools from your VMware VM.
+ Disconnect any CD-ROM drives (virtual or physical).
+ Your source VM must have a functional DHCP client service. Ensure that the service can start and is not disabled administratively. All static IP addresses currently assigned to the source VM are removed during import. When your imported instance is launched in an Amazon VPC, it receives a primary private IP address from the IPv4 address range of the subnet. If you don't specify a primary private IP address when you launch the instance, we select an available IP address in the subnet's IPv4 range for you. For more information, see [VPC and Subnet Sizing](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing).

## Linux/Unix configurations
<a name="prepare-vm-image-linux"></a>

The following configurations should be made in your Linux VM before you export it from your virtualization environment. This section assumes you have already reviewed [General configurations](#prepare-vm-image-general).
+ Enable Secure Shell (SSH) for remote access.
+ Make sure that your host firewall (such as Linux **iptables**) allows access to SSH. Otherwise, you won't be able to access your instance after the import is complete.
+ Make sure that you have configured a non-root user to use public key-based SSH to access your instance after it is imported. The use of password-based SSH and root login over SSH are both possible, but not recommended. The use of public keys and a non-root user is recommended because it is more secure. VM Import does not configure an `ec2-user` account as part of the import process.
+ Make sure that your Linux VM uses GRUB (GRUB legacy) or GRUB 2 as its bootloader.
+ Make sure that your Linux VM uses one of the following for the root file system: EXT2, EXT3, EXT4, Btrfs, JFS, or XFS.
+ Make sure that your Linux VM is not using predictable network interface device names.
+ Shut down your VM before exporting it from your virtualization environment.
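
The checks in the list above are easy to get wrong by hand, so here is an added example (not AWS's code) that verifies them on the Linux VM before it is exported: a non-root account with an authorized SSH key, the sshd settings for password and root login, the root file system type, the presence of a GRUB directory, and predictable interface names. The parsing helpers take file contents as strings so they can be exercised with constructed input; `check_host()` runs them against the live system as root. The OpenSSH defaults assumed for unset options, and the regular expression for systemd predictable names, are assumptions of the example.

```python
import os
import re
import subprocess

SUPPORTED_ROOT_FS = {"ext2", "ext3", "ext4", "btrfs", "jfs", "xfs"}
# systemd predictable names look like eno1, ens33, enp0s3, enx<mac>, wlp2s0; classic names are eth0, wlan0
PREDICTABLE_IFNAME = re.compile(r"^(en|wl|ww)[opsx]")
# Values assumed when sshd_config does not set the option (OpenSSH defaults; assumption of this example)
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes",
                 "pubkeyauthentication": "yes"}

def root_fs_supported(fstype: str) -> bool:
    return fstype.strip().lower() in SUPPORTED_ROOT_FS

def predictable_names_in_use(kernel_cmdline: str, interface_names: list) -> bool:
    """True when predictable interface naming (which the import does not support) is in effect."""
    if "net.ifnames=0" in kernel_cmdline.split():
        return False
    return any(PREDICTABLE_IFNAME.match(name) for name in interface_names)

def sshd_effective(config_text: str) -> dict:
    """Effective values of the sshd options that matter here. Later directives override earlier
    ones; everything from the first Match block on is conditional and ignored by this check."""
    effective = dict(SSHD_DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key in effective:
            effective[key] = parts[1].strip().lower()
    return effective

def ssh_findings(config_text: str) -> list:
    eff = sshd_effective(config_text)
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off; key-based SSH is how you reach the instance after import")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is on; password-based SSH is not recommended")
    if eff["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is {eff['permitrootlogin']}; root login over SSH is not recommended")
    return findings

def key_users(passwd_text: str, authorized_keys: dict) -> list:
    """Non-root login accounts (uid >= 1000 with a real shell) holding at least one SSH key.
    authorized_keys maps a user name to the content of that user's ~/.ssh/authorized_keys."""
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or not f[2].isdigit():
            continue
        name, uid, shell = f[0], int(f[2]), f[6]
        if uid < 1000 or shell.endswith(("nologin", "false")):
            continue
        keys = [k for k in authorized_keys.get(name, "").splitlines() if k.strip() and not k.startswith("#")]
        if keys:
            users.append(name)
    return users

def check_host() -> list:
    """Run every check on this machine (as root); returns the problems found."""
    problems = []
    fstype = subprocess.run(["findmnt", "-no", "FSTYPE", "/"], capture_output=True, text=True).stdout
    if not root_fs_supported(fstype):
        problems.append(f"root file system {fstype.strip()!r} is not one of {sorted(SUPPORTED_ROOT_FS)}")
    with open("/proc/cmdline") as fh:
        cmdline = fh.read()
    if predictable_names_in_use(cmdline, [n for n in os.listdir("/sys/class/net") if n != "lo"]):
        problems.append("predictable interface names in use; boot with net.ifnames=0 on the kernel command line")
    if not any(os.path.isdir(p) for p in ("/boot/grub", "/boot/grub2")):
        problems.append("no GRUB or GRUB 2 directory under /boot")
    with open("/etc/ssh/sshd_config") as fh:
        problems += ssh_findings(fh.read())
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    keys = {}
    for line in passwd.splitlines():
        f = line.split(":")
        path = os.path.join(f[5], ".ssh", "authorized_keys") if len(f) >= 7 else ""
        if path and os.path.isfile(path):
            with open(path) as fh:
                keys[f[0]] = fh.read()
    if not key_users(passwd, keys):
        problems.append("no non-root account with an authorized SSH key")
    return problems

if __name__ == "__main__":
    for problem in check_host():
        print("WARN:", problem)
```

Run it as root on the VM right before shutting it down; an empty report means the SSH, file system, bootloader and interface-naming items above are satisfied. The host firewall and DHCP client items are distribution-specific and are not covered by this script.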

## Windows configurations
<a name="prepare-vm-image-windows"></a>

The following configurations should be made in your Windows VM before you export it from your virtualization environment. This section assumes you have already reviewed [General configurations](#prepare-vm-image-general).
+ Enable Remote Desktop (RDP) for remote access.
+ Make sure that your host firewall (Windows firewall or similar), if configured, allows access to RDP. Otherwise, you cannot access your instance after the import is complete.
+ Make sure that the administrator account and all other user accounts use secure passwords. All accounts must have passwords or the import process might fail.
+ Install .NET Framework 4.5 or later on the VM. We install the .NET framework on your VM as needed.
+ Disable Autologon on your Windows VM.
+ Open **Control Panel** > **System and Security** > **Windows Update**. In the left pane, choose **Change settings**. Choose the desired setting. Be aware that if you choose **Download updates but let me choose whether to install them** (the default value) the update check can temporarily consume between 50% and 99% of CPU resources on the instance. The check usually occurs several minutes after the instance starts. Make sure that there are no pending Microsoft updates, and that the computer is not set to install software when it reboots.
+ Apply the following hot fixes as needed:
  + [You cannot change system time if RealTimeIsUniversal registry entry is enabled in Windows](https://support.microsoft.com/en-us/topic/you-cannot-change-system-time-if-realtimeisuniversal-registry-entry-is-enabled-in-windows-78cf9fbe-eeca-4b06-a67a-2dacdf5189f9)
  + [High CPU usage during DST changeover in Windows Server 2008, Windows 7, or Windows Server 2008 R2](https://support.microsoft.com/en-us/topic/high-cpu-usage-during-dst-changeover-in-windows-server-2008-windows-7-or-windows-server-2008-r2-5c8a8dee-3510-cf7b-8296-05c13fd23bed)
+ Set the RealTimeIsUniversal registry key. For more information, see [Set the time for your Amazon EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) in the *Amazon EC2 User Guide*.
+ Run System Preparation (Sysprep) on your Windows Server VM images, either before or after importing your VM.
  + If you run Sysprep before importing your VM, the import process adds an answer file (`unattend.xml`) to the VM that automatically accepts the End User License Agreement (EULA) and sets the locale to EN-US.
  + If you run Sysprep after importing your VM, we recommend that you use EC2Launch (Windows Server 2016 and later) or EC2Config (through Windows Server 2012 R2) to run Sysprep.

**To include your own answer file instead of the default (`unattend.xml`)**

  1. Copy the following sample file and set the **processorArchitecture** parameter to **x86** or **amd64**, depending on your operating system architecture:

     ```xml
     <?xml version='1.0' encoding='UTF-8'?>
     <unattend xmlns:wcm='https://schemas.microsoft.com/WMIConfig/2002/State' xmlns='urn:schemas-microsoft-com:unattend'>
      <settings pass='oobeSystem'>
       <component versionScope='nonSxS' processorArchitecture='x86 or amd64' name='Microsoft-Windows-International-Core' publicKeyToken='31bf3856ad364e35' language='neutral'>
        <InputLocale>en-US</InputLocale>
        <SystemLocale>en-US</SystemLocale>
        <UILanguage>en-US</UILanguage>
        <UserLocale>en-US</UserLocale>
       </component> 
       <component versionScope='nonSxS' processorArchitecture='x86 or amd64' name='Microsoft-Windows-Shell-Setup' publicKeyToken='31bf3856ad364e35' language='neutral'>
        <OOBE>
         <HideEULAPage>true</HideEULAPage>
         <SkipMachineOOBE>true</SkipMachineOOBE>
         <SkipUserOOBE>true</SkipUserOOBE>
        </OOBE>
       </component>
      </settings>
     </unattend>
     ```

  1. Save the file in the `C:\Windows\Panther` directory with the name `unattend.xml`.

  1. Run Sysprep with the **/oobe** and **/generalize** options. These options strip all unique system information from the Windows installation and prompt you to reset the administrator password.

  1. Shut down the VM and export it from your virtualization environment.

# Required permissions for VM Import/Export
<a name="required-permissions"></a>

VM Import/Export requires certain permissions for your users, groups, and roles. Additionally, a service role is required to perform certain operations on your behalf.

**Topics**
+ [Required permissions](#iam-permissions-image)
+ [Required service role](#vmimport-role)

## Required permissions
<a name="iam-permissions-image"></a>

Your users, groups, and roles need the following permissions in their IAM policy to use VM Import/Export:

**Note**  
Some actions require the use of an Amazon Simple Storage Service (Amazon S3) bucket. This example policy does not grant permission to create S3 buckets. The user or role that you use will need to specify an existing bucket, or have permissions to create a new bucket with the `s3:CreateBucket` action.

```json
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-import-bucket",
        "arn:aws:s3:::amzn-s3-demo-import-bucket/*",
        "arn:aws:s3:::amzn-s3-demo-export-bucket",
        "arn:aws:s3:::amzn-s3-demo-export-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:ExportImage",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
```


## Required service role
<a name="vmimport-role"></a>

VM Import/Export requires a role to perform certain operations on your behalf. You must create a service role named `vmimport` with a trust relationship policy document that allows VM Import/Export to assume the role, and you must attach an IAM policy to the role. For more information, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) in the *IAM User Guide*.

**Prerequisite**  
You must enable AWS Security Token Service (AWS STS) in any Region where you plan to use VM Import/Export. For more information, see [Activating and deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate).

**To create the service role**

1. Create a file named `trust-policy.json` on your computer. Add the following policy to the file:

   ```json
   {
      "Version":"2012-10-17",
      "Statement": [
         {
            "Effect": "Allow",
            "Principal": { "Service": "vmie.amazonaws.com" },
            "Action": "sts:AssumeRole",
            "Condition": {
               "StringEquals":{
                  "sts:Externalid": "vmimport"
               }
            }
         }
      ]
   }
   ```


1. Use the [create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) command to create a role named `vmimport` and grant VM Import/Export access to it. Ensure that you specify the full path to the location of the `trust-policy.json` file that you created in the previous step, and that you include the `file://` prefix as shown in the following example:

   ```
   aws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\import\trust-policy.json"
   ```

1. Create a file named `role-policy.json` with the following policy, where *amzn-s3-demo-import-bucket* is the bucket for imported disk images and *amzn-s3-demo-export-bucket* is the bucket for exported disk images:

   ```json
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect": "Allow",
            "Action": [
               "s3:GetBucketLocation",
               "s3:GetObject",
               "s3:ListBucket" 
            ],
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-import-bucket",
               "arn:aws:s3:::amzn-s3-demo-import-bucket/*"
            ]
         },
         {
            "Effect": "Allow",
            "Action": [
               "s3:GetBucketLocation",
               "s3:GetObject",
               "s3:ListBucket",
               "s3:PutObject",
               "s3:GetBucketAcl"
            ],
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-export-bucket",
               "arn:aws:s3:::amzn-s3-demo-export-bucket/*"
            ]
         },
         {
            "Effect": "Allow",
            "Action": [
               "ec2:ModifySnapshotAttribute",
               "ec2:CopySnapshot",
               "ec2:RegisterImage",
               "ec2:Describe*"
            ],
            "Resource": "*"
         }
      ]
   }
   ```


1. (Optional) To import resources encrypted using an AWS KMS key from AWS Key Management Service, add the following permissions to the `role-policy.json` file.

   ```json
   {
     "Effect": "Allow",
     "Action": [
       "kms:CreateGrant",
       "kms:Decrypt",
       "kms:DescribeKey",
       "kms:Encrypt",
       "kms:GenerateDataKey*",
       "kms:ReEncrypt*"
     ],
     "Resource": "*"
   }
   ```

   If you use a KMS key other than the default provided by Amazon EBS, you must grant VM Import/Export permission to the KMS key if you enable Amazon EBS encryption by default or enable encryption on an import operation. You can specify the Amazon Resource Name (ARN) of the KMS key as the resource instead of `*`.

1. (Optional) To attach license configurations to an AMI, add the following License Manager permissions to the `role-policy.json` file.

   ```json
   {
     "Effect": "Allow",
     "Action": [
       "license-manager:GetLicenseConfiguration",
       "license-manager:UpdateLicenseSpecificationsForResource",
       "license-manager:ListLicenseSpecificationsForResource"
     ],
     "Resource": "*"
   }
   ```

1. Use the following [put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html) command to attach the policy to the role created above. Ensure that you specify the full path to the location of the `role-policy.json` file.

   ```
   aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json"
   ```

1. For additional security controls, context keys such as `aws:SourceAccount` and `aws:SourceArn` can be added to the trust policy for this newly created role. VM Import/Export will publish the `SourceAccount` and `SourceArn` keys as specified in the example below to assume this role:

   ```json
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "vmie.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "sts:Externalid": "vmimport",
                       "aws:SourceAccount": "111122223333"
                   },
                   "ArnLike": {
                       "aws:SourceArn": "arn:aws:vmie:*:111122223333:*"
                   }
               }
           }
       ]
   }
   ```
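
Before running `create-role` and `put-role-policy`, it is worth checking the two policy documents mechanically for the properties this procedure depends on: that only the `vmie.amazonaws.com` service can assume the role, that the `sts:ExternalId` condition is present, that the `aws:SourceAccount`/`aws:SourceArn` conditions from the last step pin the role to your own account's tasks, and that the S3 and KMS grants in `role-policy.json` are scoped to specific ARNs (including the bucket-versus-`bucket/*` ARN form each S3 action needs). The following Python is an added example, not AWS's code; the embedded documents are constructed copies of the examples on this page, and `111122223333` is the page's placeholder account ID.

```python
import json
import re

VMIE_SERVICE = "vmie.amazonaws.com"
S3_ARN = re.compile(r"^arn:[^:]*:s3:::([^/]+)(/.*)?$")
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketlocation", "s3:getbucketacl"}
OBJECT_LEVEL_ACTIONS = {"s3:getobject", "s3:putobject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _lower_keys(mapping):
    return {k.lower(): v for k, v in mapping.items()} if isinstance(mapping, dict) else {}

def _s3_split(resources):
    """Separate bucket ARNs (arn:...:s3:::bucket) from object ARNs (arn:...:s3:::bucket/...)."""
    buckets, objects = [], []
    for r in resources:
        m = S3_ARN.match(r)
        if m:
            (objects if m.group(2) else buckets).append(r)
    return buckets, objects

def check_trust_policy(doc: dict, expected_account=None) -> list:
    """Findings for the trust policy: vmie-only principal, ExternalId, and a source-account/ARN pin."""
    findings, assume_statements = [], 0
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        assume_statements += 1
        principal = st.get("Principal")
        if (not isinstance(principal, dict) or list(principal) != ["Service"]
                or _as_list(principal["Service"]) != [VMIE_SERVICE]):
            findings.append(f"principal must be exactly the {VMIE_SERVICE} service, got {principal!r}")
        cond = st.get("Condition", {})
        str_eq = _lower_keys(cond.get("StringEquals"))    # condition keys are case-insensitive
        if _as_list(str_eq.get("sts:externalid", [])) != ["vmimport"]:
            findings.append("missing StringEquals sts:ExternalId = vmimport condition")
        has_account = "aws:sourceaccount" in str_eq
        has_arn = any("aws:sourcearn" in _lower_keys(cond.get(op))
                      for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"))
        if not (has_account or has_arn):
            findings.append("no aws:SourceAccount or aws:SourceArn condition; the role is not pinned "
                            "to your own account's import tasks (confused-deputy hardening)")
        if expected_account and has_account and _as_list(str_eq["aws:sourceaccount"]) != [expected_account]:
            findings.append(f"aws:SourceAccount is not {expected_account}")
    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

def check_role_policy(doc: dict) -> list:
    """Findings for the permissions policy: S3/KMS grants scoped to ARNs, correct S3 ARN forms."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        resources = _as_list(st.get("Resource", []))
        wildcard = "*" in resources
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' is far broader than the import needs")
        s3_actions = {a for a in actions if a.startswith("s3:")}
        if s3_actions and wildcard:
            findings.append(f"statement {i}: S3 actions on Resource '*'; scope them to the import/export bucket ARNs")
        elif s3_actions:
            bucket_arns, object_arns = _s3_split(resources)
            if actions & BUCKET_LEVEL_ACTIONS and not bucket_arns:
                findings.append(f"statement {i}: bucket-level S3 actions need the bucket ARN without '/*'")
            if actions & OBJECT_LEVEL_ACTIONS and not object_arns:
                findings.append(f"statement {i}: object-level S3 actions need the 'bucket/*' ARN")
        if any(a.startswith("kms:") for a in actions) and wildcard:
            findings.append(f"statement {i}: KMS actions on Resource '*'; use the ARN of the KMS key instead")
    return findings

# Constructed copies of this page's example documents (111122223333 is the page's placeholder account).
TRUST_POLICY_HARDENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"sts:Externalid": "vmimport", "aws:SourceAccount": "111122223333"},
      "ArnLike": {"aws:SourceArn": "arn:aws:vmie:*:111122223333:*"}
    }
  }]
}""")
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-import-bucket", "arn:aws:s3:::amzn-s3-demo-import-bucket/*"]},
    {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"],
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY_HARDENED, expected_account="111122223333") or "ok")
    print("role policy:", check_role_policy(ROLE_POLICY) or "ok")
```

The trust policy from step 1 (without the source conditions) produces exactly one finding, the missing `aws:SourceAccount`/`aws:SourceArn` pin; the hardened document from the last step produces none. The KMS statement from the optional step is reported as long as its `Resource` is `*`, which is the cue to substitute the key ARN as the note under that step suggests.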
