Amazon-ebs builder: issues with copying amis to different regions when ebs encryption by default is enabled

Recently we enabled encryption by default for ebs in one region. We have a packer build that creates AMI’s in that region and then copies them to 3 other regions.

This started to fail with messages like this:
Error Copying AMI (ami-0125d9bff2692bf12) to region (us-west-1): InvalidRequest: Snapshot snap-05e305fba8f5b61d4 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.

After some searching and upgrading packer, I updated the build to encrypt boot and added region_kms_key_ids like this:
“region_kms_key_ids”: {
“us-west-1”: “alias/aws/ebs”,
“us-west-2”: “alias/aws/ebs”,
“eu-west-1”: “alias/aws/ebs”

However, I got this error:

  • Cannot share AMI encrypted with default KMS key

So, it sounds like I will need to create custom keys in each region that can be used by the packer build, and reference those instead of the default keys? Is there any workaround, or is this a limitation of the AWS api?