diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index c59653863..fa442cb5c 100644
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -21,6 +21,7 @@ type AMIConfig struct {
 	AMIForceDeregister bool `mapstructure:"force_deregister"`
 	AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
 	AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
+	AMIKmsKeyId string `mapstructure:"kms_key_id"`
 	SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
 }
diff --git a/builder/amazon/ebs/step_encrypted_ami.go b/builder/amazon/ebs/step_encrypted_ami.go
index f51b944bc..8ab84e8e1 100644
--- a/builder/amazon/ebs/step_encrypted_ami.go
+++ b/builder/amazon/ebs/step_encrypted_ami.go
@@ -18,9 +18,13 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	config := state.Get("config").(Config)
 	ec2conn := state.Get("ec2").(*ec2.EC2)
 	ui := state.Get("ui").(packer.Ui)
+	kmsKeyId := config.AMIConfig.AMIKmsKeyId
 	// Encrypt boot not set, so skip step
 	if !config.AMIConfig.AMIEncryptBootVolume {
+		if kmsKeyId != "" {
+			ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
+		}
 		return multistep.ActionContinue
 	}
@@ -36,11 +40,16 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
+	if kmsKeyId != "" {
+		ui.Say(fmt.Sprintf("Encypting with KMS Key ID: %s", kmsKeyId))
+	}
+
 	copyOpts := &ec2.CopyImageInput{
 		Name: &config.AMIName, // Try to overwrite existing AMI
 		SourceImageId: aws.String(id),
 		SourceRegion: aws.String(region),
 		Encrypted: aws.Bool(true),
+		KmsKeyId: aws.String(kmsKeyId),
 	}
 	copyResp, err := ec2conn.CopyImage(copyOpts)
diff --git a/website/source/docs/builders/amazon-ebs.html.md b/website/source/docs/builders/amazon-ebs.html.md
index 92e366e0e..0a656c19f 100644
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
@@ -77,6 +77,8 @@ builder.
 - `encrypted` (boolean) - Indicates whether to encrypt the volume or not
+- `kms_key_id` (string) - The ID of the KMS key to use for volume encryption
+
 - `iops` (integer) - The number of I/O operations per second (IOPS) that the volume supports. See the documentation on [IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)
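Review bot: The new `AMIKmsKeyId` field is accepted with no configuration-time check that `encrypt_boot` is set as well, so a `kms_key_id` the user expects to protect the AMI can end up unused; the step hunk in this commit only prints a notice at run time, after the build has already started. If `AMIConfig.Prepare` (not in this diff) is where the other AMI options are validated, it would be the place to reject the combination, e.g. `errors.New("kms_key_id requires encrypt_boot to be true")`, rather than produce an AMI under a different key than intended. A short field comment such as `// AMIKmsKeyId selects the KMS key for the encrypted AMI copy; only honored when AMIEncryptBootVolume is true` would also make the dependency visible, and note that the website hunk in this commit lists `kms_key_id` among the block-device-mapping options under `encrypted`, whereas this field is read from the top-level AMI configuration next to `encrypt_boot`. The struct definition starts above this hunk.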
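Review bot: The notice on the new `ui.Say` names `encrypted=false`, but the condition tested is `AMIEncryptBootVolume`, whose configuration key is `encrypt_boot` (the `encrypted` key belongs to the block-device mappings), so the message points the user at the wrong option. Suggest `ui.Say(fmt.Sprintf("Ignoring kms_key_id %q because encrypt_boot is false", kmsKeyId))`. Run's body continues past this hunk.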
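Review bot: `KmsKeyId: aws.String(kmsKeyId)` is set unconditionally, so when no `kms_key_id` is configured the CopyImage request carries a non-nil empty KmsKeyId instead of omitting the parameter as the previous code did; as far as I recall the SDK serializes any non-nil pointer, so an empty key ID may be rejected by the API, and at minimum the request shape changes for every existing user who relies on the default EBS key. Leave the field nil unless a key was given, by adding after the literal `if kmsKeyId != "" { copyOpts.KmsKeyId = aws.String(kmsKeyId) }`, which preserves the default-key behavior for users who set only `encrypt_boot`. The user-facing message on the new `ui.Say` also has a typo: `Encypting` should be `Encrypting`. Run's body continues outside this hunk.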