• Migrating an EC2 instance, for example from an overseas AWS region to a China region

    AWS's overseas regions and its China regions are two mutually isolated systems; no information or data can be shared between them. It is therefore impossible, at the account level, to grant an overseas account and a China account permissions that would let them share data directly.

    In what follows, we build an AMI from an EC2 instance created in an overseas region and, using an S3 bucket together with the aws-cli tool on a transit host, migrate that EC2 instance to a China region.

    Approach


    1. Export the EC2 instance as an AMI (overseas account).
    2. Store that image in an S3 bucket (overseas account).
    3. Using a transit host, download the AMI image from the S3 bucket to the transit host.
    4. Reconfigure the transit host to log in to the China account, and upload the downloaded AMI image to the China account's S3 bucket.
    5. Restore the AMI image.

    Implementation


    Both the overseas account and the China account need an AKSK (access key ID and secret access key)

    1. Create Access keys (access key ID and secret access key) in the AWS console.
    2. Log in to the AWS console home page with your account name and password.
    3. In the top-right corner of the home page, click your user name; a drop-down menu appears. In that menu, click My Security Credentials.
    4. On the Your Security Credentials page, click the Access keys (access key ID and secret access key) section, then click Create New Access key.
    5. When creation succeeds, a dialog box shows you the AKSK. Be sure to download the file: it is only available at the moment of creation and cannot be retrieved later.

    | Note: all of the following operations are executed on the transit host. This host can be an overseas EC2 instance, a China EC2 instance, or even a local machine or a host on another cloud platform.

    Make sure aws-cli is installed on the transit host

    Run the following commands to install aws-cli; this method applies to Linux systems.

    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

    unzip awscliv2.zip

    ./aws/install

    aws --version

    Log in to the overseas account with aws-cli

    [root@localhost ~] aws configure

    AWS Access Key ID [None]: # enter the overseas account's access key

    AWS Secret Access Key [None]: # enter the overseas account's secret key

    Default region name [None]: us-east-1 # your default region

    Default output format [None]: json # output format

    Create an AMI from the EC2 instance

    aws ec2 create-image --instance-id i-0fa1e28ba0e99b2f6 --name "ami-test" --description "ami test"

    {

    "ImageId": "ami-0591c2c1b99828acb"

    }

    Create an S3 bucket in the overseas region and store the image in it

    1. Create the S3 bucket in the overseas region

    aws s3api create-bucket --bucket s3-ami-test-source --region us-east-1

    {

    "Location": "/s3-ami-test-source"

    }

    2. Store the AMI image in the S3 bucket

    aws ec2 create-store-image-task --image-id ami-0591c2c1b99828acb --bucket s3-ami-test-source

    {

    "ObjectKey": "ami-0591c2c1b99828acb.bin"

    }

    Download the image file from the S3 bucket to the transit host

    aws s3 cp s3://s3-ami-test-source/ami-0591c2c1b99828acb.bin ./

    Configure aws-cli to log in to the China account

    [root@localhost ~] aws configure

    AWS Access Key ID [None]: # enter the China account's access key

    AWS Secret Access Key [None]: # enter the China account's secret key

    Default region name [None]: cn-northwest-1 # your default region

    Default output format [None]: json # output format

    Create an S3 bucket in the China region and upload the image to it

    1. Create the S3 bucket in the China region

    aws s3api create-bucket --bucket s3-ami-test-destination --region cn-northwest-1 --create-bucket-configuration LocationConstraint=cn-northwest-1

    {

    "Location": "http://s3-ami-test-destination.s3.cn-northwest-1.amazonaws.com.cn/"

    }

    2. Upload the AMI image that was downloaded to the transit host to the S3 bucket in the China region

    aws s3 cp ami-0591c2c1b99828acb.bin s3://s3-ami-test-destination

    Restore the AMI from the S3 bucket

    aws ec2 create-restore-image-task --object-key ami-0591c2c1b99828acb.bin --bucket s3-ami-test-destination --name "ami-test"

    {

    "ImageId": "ami-0591c2c1b99828acb"

    }

    At this point you can see that the image has been restored successfully.
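
    The same store, download, upload and restore pipeline as a script, added here as an example (it is not code from the original article). It drives the two accounts through named AWS CLI profiles instead of running aws configure twice, so the overseas credentials are never overwritten by the China ones and the log shows which account each step ran in; it also waits for the asynchronous store-image task to report Completed before downloading, and compares the uploaded object's size with the local file. The profile names, the poll interval and the use of --query are assumptions; regions and bucket names mirror the article.

```bash
#!/bin/bash
# Added example, not part of the original article. Assumes two profiles were
# created with `aws configure --profile overseas` and `aws configure --profile china`.
set -eu

SRC_PROFILE="${SRC_PROFILE:-overseas}"        # assumed profile holding the overseas account's AKSK
DST_PROFILE="${DST_PROFILE:-china}"           # assumed profile holding the China account's AKSK
SRC_REGION="${SRC_REGION:-us-east-1}"
DST_REGION="${DST_REGION:-cn-northwest-1}"
SRC_BUCKET="${SRC_BUCKET:-s3-ami-test-source}"
DST_BUCKET="${DST_BUCKET:-s3-ami-test-destination}"
POLL_SECONDS="${POLL_SECONDS:-30}"

# Print the account id a profile resolves to, so the log records which account
# each step ran in before anything is created or uploaded.
account_of() {
  aws sts get-caller-identity --profile "$1" --region "$2" --query Account --output text
}

# Poll an AMI until EC2 reports it available: needed before the source AMI can be
# stored and after the destination AMI is restored. Returns 1 on any other terminal state.
wait_for_image() {
  local profile="$1" region="$2" image_id="$3" state
  while :; do
    state=$(aws ec2 describe-images --profile "$profile" --region "$region" \
              --image-ids "$image_id" --query 'Images[0].State' --output text)
    case "$state" in
      available) return 0 ;;
      pending)   sleep "$POLL_SECONDS" ;;
      *) echo "image $image_id is in state '$state'" >&2; return 1 ;;
    esac
  done
}

# create-store-image-task is asynchronous: the .bin object is only complete once
# the task reports Completed, so downloading earlier yields a truncated file.
wait_for_store_task() {
  local image_id="$1" state
  while :; do
    state=$(aws ec2 describe-store-image-tasks --profile "$SRC_PROFILE" --region "$SRC_REGION" \
              --image-ids "$image_id" --query 'StoreImageTaskResults[0].StoreTaskState' --output text)
    case "$state" in
      Completed)  return 0 ;;
      InProgress) sleep "$POLL_SECONDS" ;;
      *) echo "store task for $image_id ended in state '$state'" >&2; return 1 ;;
    esac
  done
}

# Byte size of a local file, compared against the uploaded object's ContentLength.
local_size() { wc -c < "$1" | tr -d ' '; }

# SHA-256 of a local file, logged before upload so the image can be re-verified later.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Usage: migrate_ami <source-instance-id> <ami-name>
migrate_ami() {
  local instance_id="$1" name="$2" image_id key local_file remote_size new_image_id
  echo "source account $(account_of "$SRC_PROFILE" "$SRC_REGION"), destination account $(account_of "$DST_PROFILE" "$DST_REGION")"

  image_id=$(aws ec2 create-image --profile "$SRC_PROFILE" --region "$SRC_REGION" \
               --instance-id "$instance_id" --name "$name" --query ImageId --output text)
  wait_for_image "$SRC_PROFILE" "$SRC_REGION" "$image_id"
  aws ec2 create-store-image-task --profile "$SRC_PROFILE" --region "$SRC_REGION" \
      --image-id "$image_id" --bucket "$SRC_BUCKET" > /dev/null
  wait_for_store_task "$image_id"

  key="${image_id}.bin"; local_file="./${key}"
  aws s3 cp --profile "$SRC_PROFILE" --region "$SRC_REGION" "s3://${SRC_BUCKET}/${key}" "$local_file"
  echo "downloaded ${key}: $(local_size "$local_file") bytes, sha256 $(sha256_of "$local_file")"

  aws s3 cp --profile "$DST_PROFILE" --region "$DST_REGION" "$local_file" "s3://${DST_BUCKET}/${key}"
  remote_size=$(aws s3api head-object --profile "$DST_PROFILE" --region "$DST_REGION" \
                  --bucket "$DST_BUCKET" --key "$key" --query ContentLength --output text)
  [ "$remote_size" = "$(local_size "$local_file")" ] || { echo "size mismatch after upload" >&2; return 1; }

  new_image_id=$(aws ec2 create-restore-image-task --profile "$DST_PROFILE" --region "$DST_REGION" \
                   --object-key "$key" --bucket "$DST_BUCKET" --name "$name" --query ImageId --output text)
  wait_for_image "$DST_PROFILE" "$DST_REGION" "$new_image_id"
  echo "restored AMI in $DST_REGION: $new_image_id"
}
```

    Source the file and run migrate_ami i-0fa1e28ba0e99b2f6 ami-test on the transit host; both buckets are assumed to exist already, as in the steps above. Keeping the two credential sets in separate profiles also makes it easy to delete the overseas access key once the migration is done.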

  • Set up a Postfix mail server with Dovecot and Squirrelmail on Ubuntu

    Firewall access

    You will need to set your firewall(s) to allow access to the following ports:

    • SMTP: 25
    • POP3: 110
    • IMAP: 143
    • SMTP Secure: 465
    • MSA: 587
    • IMAP Secure: 993
    • POP3 Secure: 995

    By default, the Cloud Panel Firewall denies access to all but the most commonly-used ports.

    Install Postfix

    To install Postfix, first update your packages:

    sudo apt-get update

    Then install Postfix:

    sudo apt-get install postfix

    Postfix is installed by default on most Ubuntu 16.04 systems, so this command will most likely exit with a message that postfix is already the newest version (3.1.0-3).

    If Postfix continues with an installation, simply accept all of the defaults at each prompt to complete the process.

    Configure Postfix

    After the installation is complete, run the command to configure Postfix:

    sudo dpkg-reconfigure postfix

    Enter the following values at the prompts, replacing example.com with your own domain name. Use the up arrow and down arrow to move up and down to highlight answers, and Enter to select your answer.

    1. Select OK to proceed.
    2. Choose Internet Site.
    3. System Mail Name: example.com
    4. Root and postmaster mail recipient: root
    5. Other destinations for mail: example.com, localhost.example.com, localhost
    6. Force synchronous updates on mail queue?: No
    7. Local networks: 127.0.0.0/8
    8. Use procmail for local delivery?: No
    9. Mailbox size limit (bytes): 0
    10. Local address extension character: +
    11. Internet protocols to use: all

    After the initial Postfix configuration has been done, you can change Postfix settings with the command:

    sudo postconf -e '[new setting]'

    Create an SSL certificate

    We will create a self-signed SSL certificate to secure incoming and outgoing email connections:

    sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout mailserver.key -out mailserver.crt -days 365
    
    sudo openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    Answer the questions at the prompts, or just hit [Enter] to leave an answer blank. These commands create four files: mailserver.key and mailserver.crt (the server key and certificate) and cakey.pem and cacert.pem (the CA key and certificate). The second command has no -nodes option, so it will also ask you for a passphrase to protect cakey.pem.

    Create a folder for the SSL certificate files:

    sudo mkdir /etc/postfix/ssl

    Then move the files into this folder:

    sudo mv mailserver.key /etc/postfix/ssl
    sudo mv mailserver.crt /etc/postfix/ssl
    sudo mv cakey.pem /etc/postfix/ssl
    sudo mv cacert.pem /etc/postfix/ssl

    Set up SMTP AUTH

    SMTP AUTH is a basic method of securing your mail server. We strongly recommend the use of SMTP AUTH on all mail servers.

    To begin, use the following commands to configure Postfix to use SMTP AUTH:

    sudo postconf -e 'smtpd_sasl_local_domain ='
    sudo postconf -e 'smtpd_sasl_auth_enable = yes'
    sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
    sudo postconf -e 'broken_sasl_auth_clients = yes'
    sudo postconf -e 'smtpd_recipient_restrictions =  permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    sudo postconf -e 'inet_interfaces = all'
    sudo postconf -e 'smtp_tls_security_level = may'
    sudo postconf -e 'smtpd_tls_security_level = may'
    sudo postconf -e 'smtpd_tls_auth_only = no'
    sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
    sudo postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key'
    sudo postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt'
    sudo postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    sudo postconf -e 'smtpd_tls_loglevel = 1'
    sudo postconf -e 'smtpd_tls_received_header = yes'
    sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    sudo postconf -e 'tls_random_source = dev:/dev/urandom'

    Replace example.com with your own domain name:

    sudo postconf -e 'myhostname = example.com' 

    Next, create the file /etc/postfix/sasl/smtpd.conf and open it for editing:

    sudo nano /etc/postfix/sasl/smtpd.conf

    Add the following content:

    pwcheck_method: saslauthd
    mech_list: plain login

    After you have finished configuring Postfix, restart the Postfix daemon with the command:

    sudo systemctl restart postfix
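
    The settings above make SMTP AUTH work, but two of them are worth a second look: smtpd_tls_auth_only = no lets Postfix advertise AUTH before STARTTLS, and the PLAIN and LOGIN mechanisms in mech_list only base64-encode the password, so a client that authenticates on an unencrypted session sends its credentials in the clear. The following script is an added example (not part of the original tutorial): it audits main.cf text in the name = value form that postconf -n prints for the settings from this section, and its harden_smtp_auth function holds the postconf commands that tighten them. The sample configuration in it is constructed from the values set above; the function and variable names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: audit a main.cf for the SMTP AUTH
# and TLS settings this section configures. Run `postconf -n | audit_main_cf` on the server.
set -eu

# Constructed sample: the values this tutorial sets, as `postconf -n` would print them.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
inet_interfaces = all'

# Print the value of one parameter from main.cf text on stdin (empty if unset).
cf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Read main.cf text from stdin and print one finding per weak setting.
# Exit status is 0 either way; callers count the output lines.
audit_main_cf() {
  local cf sasl tls_level auth_only restr sasl_opts
  cf=$(cat)
  sasl=$(printf '%s\n' "$cf" | cf_get smtpd_sasl_auth_enable)
  tls_level=$(printf '%s\n' "$cf" | cf_get smtpd_tls_security_level)
  auth_only=$(printf '%s\n' "$cf" | cf_get smtpd_tls_auth_only)
  restr=$(printf '%s\n' "$cf" | cf_get smtpd_recipient_restrictions | tr -s ', ' ',')
  sasl_opts=$(printf '%s\n' "$cf" | cf_get smtpd_sasl_security_options | tr -s ', ' ',')

  # PLAIN and LOGIN are only base64-encoded; unless smtpd_tls_auth_only is yes,
  # Postfix offers AUTH on sessions that never issued STARTTLS.
  if [ "$sasl" = yes ] && [ "$auth_only" != yes ]; then
    echo "smtpd_tls_auth_only=${auth_only:-unset}: AUTH is offered on unencrypted sessions"
  fi
  # none (or unset) disables STARTTLS entirely; may, the tutorial's value, is opportunistic.
  if [ "$tls_level" = none ] || [ -z "$tls_level" ]; then
    echo "smtpd_tls_security_level=${tls_level:-unset}: STARTTLS is not offered"
  fi
  # Without reject_unauth_destination the server relays for every client that
  # is not stopped by an earlier restriction, i.e. it is an open relay.
  case ",$restr," in
    *,reject_unauth_destination,*) ;;
    *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay" ;;
  esac
  # noanonymous keeps the ANONYMOUS mechanism from satisfying permit_sasl_authenticated.
  case ",$sasl_opts," in
    *,noanonymous,*) ;;
    *) echo "smtpd_sasl_security_options lacks noanonymous" ;;
  esac
}

# Tightened values for the findings above (run as root on the mail server).
# Port 25 keeps `may` so other MTAs can still deliver without TLS, but AUTH is
# only offered after STARTTLS, and a submission service on 587 requires encryption.
harden_smtp_auth() {
  postconf -e 'smtpd_tls_auth_only = yes'
  postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  postconf -M 'submission/inet=submission inet n - y - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes'
  systemctl restart postfix
}
```

    Against the sample configuration audit_main_cf reports a single finding, the smtpd_tls_auth_only = no setting; after harden_smtp_auth, openssl s_client -connect mailserver:25 -starttls smtp is a quick way to confirm that AUTH is only listed in the EHLO response once the session has been upgraded to TLS.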

    Install SASL

    Postfix will use SASL to handle the authentication with SMTP AUTH. Now that Postfix has been configured to use SMTP AUTH, install SASL with the command:

    sudo apt-get install libsasl2-2 sasl2-bin libsasl2-modules

    After the installation is done, edit /etc/default/saslauthd:

    sudo nano /etc/default/saslauthd

    Scroll down to the line:

    # Should saslauthd run automatically on startup? (default: no)
    START=no

    Change START to yes:

    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    Below that line, add the following three lines:

    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR}"
    PIDFILE="${PWDIR}/saslauthd.pid"

    Scroll down to the bottom of the file to the line:

    OPTIONS="-c -m /var/run/saslauthd"

    Change the last line to read:

    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

    Save and exit the file.

    Next, run the following command to update the dpkg state:

    sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

    Note: If you get an error message that /var/spool/postfix/var/run/saslauthd does not exist, ignore it. This directory will be created when you start the SASL daemon.

    Create a symlink for the config file:

    sudo ln -s /etc/default/saslauthd /etc/saslauthd

    And finally, start the SASL daemon:

    sudo /etc/init.d/saslauthd start
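
    The reason for all of the /var/spool/postfix path edits above is that Ubuntu runs smtpd chrooted in /var/spool/postfix, so the saslauthd socket has to live inside that tree; the dpkg-statoverride command makes the socket directory owned by root:sasl, which means the postfix user also has to be a member of the sasl group (sudo adduser postfix sasl) before smtpd can open the socket. The script below is an added example (not part of the original tutorial) that checks both the /etc/default/saslauthd edits and the live wiring; the sample file content is constructed from the edits described in this section, and the function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: verify the saslauthd wiring
# that this section sets up for a chrooted Postfix on Ubuntu.
set -eu

CHROOT_SOCKET_DIR="/var/spool/postfix/var/run/saslauthd"

# Constructed sample: /etc/default/saslauthd after the edits in this section.
SAMPLE_SASLAUTHD_DEFAULTS='# Should saslauthd run automatically on startup? (default: no)
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"'

# Read an /etc/default/saslauthd-style file from stdin; print one line per problem
# (START not yes, or OPTIONS not pointing -m at the socket directory inside the chroot).
check_saslauthd_defaults() {
  local text start options
  text=$(cat)
  start=$(printf '%s\n' "$text" | sed -n 's/^START=//p' | tail -n 1)
  options=$(printf '%s\n' "$text" | sed -n 's/^OPTIONS=//p' | tail -n 1 | tr -d '"')
  [ "$start" = yes ] || echo "START=${start:-unset}: saslauthd will not start at boot"
  case "$options" in
    *"-m $CHROOT_SOCKET_DIR"*) ;;
    *) echo "OPTIONS='$options': -m must point at $CHROOT_SOCKET_DIR or the chrooted smtpd cannot reach the socket" ;;
  esac
}

# Live checks on the mail server: socket present, postfix user in the sasl group, and,
# when a test account is given, an end-to-end PAM lookup through the same socket.
# Usage: check_saslauthd_runtime [user] [password]
check_saslauthd_runtime() {
  local rc=0
  [ -S "$CHROOT_SOCKET_DIR/mux" ] \
    || { echo "no socket at $CHROOT_SOCKET_DIR/mux; is saslauthd running?"; rc=1; }
  id -nG postfix | tr ' ' '\n' | grep -qx sasl \
    || { echo "postfix user is not in group sasl (fix: sudo adduser postfix sasl)"; rc=1; }
  if [ $# -eq 2 ]; then
    # testsaslauthd ships with sasl2-bin; -f selects the socket inside the chroot.
    testsaslauthd -f "$CHROOT_SOCKET_DIR/mux" -u "$1" -p "$2" || rc=1
  fi
  return $rc
}
```

    On the server, check_saslauthd_defaults < /etc/default/saslauthd should print nothing after the edits above, and check_saslauthd_runtime confirms the socket and group membership; when something is wrong on the Postfix side, the matching error shows up in /var/log/mail.log as a SASL authentication failure mentioning the saslauthd socket.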