Amazon Elastic Compute Cloud
User Guide (API Version 2013-02-01)

Shared AMIs

This topic describes how to find and safely use shared AMIs. One of the easiest ways to get started with Amazon EC2 is to use a shared AMI that has the components you need, and add custom content.

Find Shared AMIs

You can find a shared AMI using the console, the command line tools, or the API.

AWS Management Console

To find a shared AMI

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, click AMIs.

    The console displays any AMIs you own.

  3. To find shared AMIs, select Public Images from the Filter drop-down list.

  4. To list only the type of AMIs that interest you, use the options from the Filter drop-down lists to filter on the type of image and the platform. For example, select Amazon Images to display only Amazon's public images.

Command Line Tools

To find shared AMIs, use the ec2-describe-images command with a flag to filter the results.

The following command displays a list of all public AMIs. The -x all flag shows AMIs that can be used by all AWS accounts to launch an instance (in other words, AMIs with public launch permissions). This includes the AMIs that you own with public launch permissions.

PROMPT> ec2-describe-images -x all

The following command displays a list of AMIs for which you have explicit launch permissions. Any such AMIs that you own are excluded from the list.

PROMPT> ec2-describe-images -x self

The following command displays a list of AMIs owned by Amazon.

PROMPT> ec2-describe-images -o amazon

The following command displays a list of AMIs owned by a particular AWS account.

PROMPT> ec2-describe-images -o <target_uid>

The <target_uid> is the account ID that owns the AMIs for which you are looking.

To reduce the number of displayed AMIs, use a filter to list only the types of AMIs that interest you. For example, use --filter "platform=windows" to display only Windows-based AMIs.

API

To find a shared AMI

  1. Use the DescribeImages action to list all Amazon AMIs. Construct the following request.

    https://ec2.amazonaws.com/
    ?Action=DescribeImages
    &Owner.1=amazon
    &AUTHPARAMS

  2. To reduce the number of displayed AMIs, use a filter to list only the types of AMIs that interest you. For example, use the following to display only Windows-based AMIs.

    &Filter.1.Name=platform
    &Filter.1.Value.1=windows

Safe Use of Shared AMIs

You launch AMIs at your own risk. Amazon cannot vouch for the integrity or security of AMIs shared by other EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence.

Ideally, you should get the AMI ID from a trusted source (a website, another EC2 user, etc.). If you do not know the source of an AMI, we recommend that you search the forums for comments on the AMI before launching it. Conversely, if you have questions or observations about a shared AMI, feel free to use the AWS forums (https://forums.aws.amazon.com/) to ask or comment.

Amazon's public images have an aliased owner and display amazon in the userId field. This allows you to find Amazon's public images easily.

Note

Users cannot alias an AMI's owner.

If you plan to use a shared AMI, review the following table to confirm the instance is not doing anything malicious.

Launch Confirmation Process

  1. Check the SSH authorized keys file. The only key in the file should be the key you used to launch the AMI.

  2. Check open ports and running services.

  3. Change the root password if it is not randomized on startup. For more information on randomizing the root password on startup, see Disable Password-Based Logins for Root.

  4. Check if SSH allows root password logins. For more information on disabling root based password logins, see Disable Password-Based Logins for Root and Restrict Access to the Root Account.

  5. Check whether there are any other user accounts that might allow back-door entry to your instance. Accounts with super user privileges are particularly dangerous.

  6. Verify that all cron jobs are legitimate.
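
The file-based checks of the Launch Confirmation Process (steps 1, 4, 5 and 6) can be scripted. The following shell functions are an added example, not part of the AWS guide; the function names and all sample keys, accounts and paths are constructed for illustration. Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example (not from the AWS guide): checks 1, 4, 5 and 6 as functions
# that read files, so they work on / or on a mounted copy of the AMI volume.

# Check 1: print authorized_keys lines that are not exactly "<type> <launch key>".
# Lines carrying options are printed too, for manual review.
unexpected_keys() {   # $1 = authorized_keys file, $2 = launch key base64 blob
    awk -v want="$2" '/^[ \t]*(#|$)/ { next }
        $1 ~ /^(ssh|ecdsa|sk)-/ && $2 == want { next }
        { print }' "$1"
}

# Check 4: print the first PermitRootLogin value (sshd honours the first one);
# "unset" means the compiled-in default of that sshd version applies.
root_login_setting() {   # $1 = sshd_config file
    awk 'tolower($1) == "permitrootlogin" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "unset" }' "$1"
}

# Check 5: print accounts other than root that have UID 0.
extra_uid0_accounts() {   # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Check 6: print every active (non-comment) line of the given cron files.
cron_entries() {
    for f in "$@"; do
        if [ -f "$f" ]; then awk -v f="$f" '!/^[ \t]*(#|$)/ { print f ": " $0 }' "$f"; fi
    done
}

# Demo on constructed sample files (all names, keys and hosts below are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-rsa AAAALAUNCHKEY my-keypair' 'ssh-rsa AAAAOTHERKEY builder@old-host' > "$d/authorized_keys"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'svc:x:0:0::/home/svc:/bin/sh' 'ec2-user:x:500:500::/home/ec2-user:/bin/bash' > "$d/passwd"
    printf '%s\n' '# m h dom mon dow user command' '*/5 * * * * root /usr/local/bin/sync.sh' > "$d/crontab"
    echo "unexpected keys:";  unexpected_keys "$d/authorized_keys" AAAALAUNCHKEY
    echo "PermitRootLogin:";  root_login_setting "$d/sshd_config"
    echo "extra UID 0:";      extra_uid0_accounts "$d/passwd"
    echo "cron entries:";     cron_entries "$d/crontab"
    rm -rf "$d"
}
demo
```

Any output from unexpected_keys, extra_uid0_accounts or cron_entries is something to review by hand before trusting the instance; step 2 (open ports and running services) still has to be checked on the running instance.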


For more information, see Sharing AMIs Safely.