Service Upgrade

Announcement on Rule Changes for Creating ECS Instances or Replacing Operating System Using Shared Encrypted Images

Starting June 30th, 2024, the rules for creating an ECS instance or replacing the operating system with a shared encrypted image will change. After the change, when the sharee uses a shared encrypted image to create an ECS instance or replace the operating system, encryption must be specified and the sharee's own key must be used.

Reason for change

This change prevents the situation in which the sharee can no longer use a shared encrypted image because the sharer's original key has been disabled or deleted, or because the key usage permission granted to the sharee has expired.

Details and Impact of the Change

1. If the sharee creates an ECS instance through the launching page
If the sharee creates an ECS instance through the launching page in the console, the rules change as follows:
● Original rule: On the ECS launching page, when a shared encrypted image is selected, the sharee can choose whether to encrypt the system disk and data disk. If encryption is not checked, the key of the shared encrypted image itself (that is, the sharer's key) is used when creating the cloud disk.
● Rules after change: On the ECS purchase page, when a shared encrypted image is selected, encryption is checked by default for the system disk and data disk (if any), and it cannot be unchecked. The sharee needs to choose a key under its own account.

Impact of change
● When the sharee creates an ECS instance through the launching page in the console and selects a shared encrypted image, the disks of the instance must be encrypted and the sharee needs to specify a new key.

2. If the sharee creates an ECS instance or replaces the operating system through the OpenAPI
If the sharee creates an ECS instance by calling the OpenAPI (RunInstances or CreateInstance), or replaces the operating system by calling the OpenAPI (ReplaceSystemDisk), the rules change as follows:
● Original rule: When one of the above interfaces is called and the specified ImageId is a shared encrypted image, if the Encrypted parameter value is not specified, the key of the shared encrypted image itself (that is, the sharer's key) is used to create the cloud disk.
● Rules after change: When one of the above interfaces is called and the specified ImageId is a shared encrypted image, if the Encrypted parameter value is not specified, an error is reported when creating the cloud disk. The user must set the Encrypted parameter value to true for the call to succeed.

Impact of change
● When the sharee calls the RunInstances or CreateInstance interface to create an ECS instance, or calls ReplaceSystemDisk to change the operating system, and the specified ImageId is a shared encrypted image, the interface call reports an error if the Encrypted parameter value is not specified. You need to set the value of the Encrypted parameter in the interface to true before the call can succeed.