Service Upgrade

Announcement on Rule Changes for Sharing an Encrypted Image on Elastic Compute Service (ECS)

Affected Time

2025-07-01 00:00:00 (UTC+08) Changes will take effect after this time

Starting from Juny 1st, 2025, the rules for sharing encrypted images on ECS will change. After the change, images encrypted with Service Keys will no longer be supported. Only encrypted images encrypted with Customer Master Keys (CMKs) will be supported.

Reason for the Change

This change is intended to further improve the security of the shared encrypted image process.

Details of the Change

When a user specifies an encrypted image for sharing through the console (Elastic Compute Service ECS Console Image Page or Resource Management Console Resource Sharing Page) or OpenAPI (Elastic Compute Service ECS Interface: ModifyImageSharePermission or Resource Management - Resource Sharing Interface: CreateResourceShare):

Rules before change: The encrypted image specified for sharing can be an image encrypted by a Service Key or a Customer Master Key (CMK).

Rules after the change: The encrypted image specified for sharing only supports images encrypted by a Customer Master Key (CMK). If the encrypted image is encrypted using a Service Key, an error will be reported during sharing.

Related documents:

What users need to do

  1. Code or template modification: If you call the above interface in the code or template (such as Resource Orchestration Service ROS template and CloudOps Orchestration Service OOS template), please ensure that the image to be shared specified in the code or template is an image encrypted by the Customer Master Key (CMK);
  2. Image optimization: If you have an encrypted image encrypted by a Service Key and plan to share it with others, please copy the image and change the key to the Customer Master Key (CMK).