Deregister (delete) an AMI - Amazon Elastic Compute Cloud
ConsiderationsDeregister an AMICheck when an AMI was last usedProtect an AMI from deregistrationAvoid costs from unused resources

Deregister (delete) an AMI

When you deregister an AMI, Amazon EC2 permanently deletes it. Once deregistered, you can't use the AMI to launch new instances. You might consider deregistering an AMI when you have finished using it.

To protect against accidental or malicious deregistering of an AMI, you can turn on deregistration protection. If you accidentally deregister an EBS-backed AMI, you can use the Recycle Bin to restore it only if you restore it within the allowed time period before it is permanently deleted.

Deregistering an AMI has no effect on any instances that were launched from the AMI. You can continue to use these instances. Deregistering an AMI also has no effect on any snapshots that were created during the AMI creation process. You'll continue to incur usage costs for these instances and storage costs for the snapshots. Therefore, to avoid incurring unnecessary costs, we recommend that you terminate any instances and delete any snapshots that you do not need. For more information, see Avoid costs from unused resources.

Considerations

  • You can't deregister an AMI that is not owned by your account.

  • You can't use Amazon EC2 to deregister an AMI that is managed by the AWS Backup service. Instead, use AWS Backup to delete the corresponding recovery points in the backup vault. For more information, see Deleting backups in the AWS Backup Developer Guide.

Deregister an AMI

Use any of the following methods to deregister an EBS-backed AMI or instance store-backed AMI.

Tip

To avoid incurring unnecessary costs, you should delete any resources that you do not need. For example, for EBS-backed AMIs, if you do not need the snapshots associated with the deregistered AMI, you should delete them. For more information, see Avoid costs from unused resources.

Console
To deregister an AMI

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. From the filter bar, choose Owned by me to list your available AMIs, or choose Disabled images to list your disabled AMIs.

  4. Select the AMI to deregister.

  5. Choose Actions, Deregister AMI.

  6. When you are prompted for confirmation, choose Deregister AMI.

    It might take a few minutes before the console removes the AMI from the list. Choose Refresh to refresh the status.

AWS CLI
To deregister an AMI

Use the deregister-image command and specify the ID of the AMI to deregister.

aws ec2 deregister-image --image-id ami-0123456789example
Powershell
To deregister an AMI

Use the Unregister-EC2Image cmdlet and specify the ID of the AMI to deregister.

Unregister-EC2Image -ImageId ami-0123456789example

Check when an AMI was last used

LastLaunchedTime is a timestamp that indicates when your AMI was last used to launch an instance. AMIs that have not been used recently to launch an instance might be good candidates for deregistering or deprecation.

Note

  • When the AMI is used to launch an instance, there is a 24-hour delay before that usage is reported.

  • lastLaunchedTime data is available starting April 2017.

Console
To view the last launched time of an AMI

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the left navigation pane, choose AMIs.

  3. From the filter bar, choose Owned by me.

  4. Select the AMI, and then check the Last launched time field (if you selected the check box next to the AMI, it's located on the Details tab). The field shows the date and time when the AMI was last used to launch an instance.

AWS CLI

You can use either the describe-images or describe-image-attribute command to view the last launched time of an AMI.

To view the last launched time of an AMI by using describe-images

Use the describe-images command and specify the ID of the AMI.

aws ec2 describe-images --image-id ami-0123456789example

Example output

Note

The LastLaunchedTime field only appears in the output for AMIs that you own.

{
    "Images": [
       {
           ...
           "LastLaunchedTime": {
               "Value": "2024-04-02T02:03:18Z"
           },
           ...
       }
   ]
}
To view the last launched time of an AMI

Use the describe-image-attribute command and specify --attribute lastLaunchedTime. You must be owner of the AMI to run this command.

aws ec2 describe-image-attribute \
    --image-id ami-0123456789example \
    --attribute lastLaunchedTime

Example output

{
    "ImageId": "ami-1234567890example",
    "LastLaunchedTime": {
        "Value": "2022-02-10T02:03:18Z"
    }
}

Protect an AMI from deregistration

You can turn on deregistration protection on an AMI to prevent accidental or malicious deletion. When you turn on deregistration protection, the AMI can’t be deregistered by any user, regardless of their IAM permissions. If you want to deregister the AMI, you must first turn off the deregistration protection on it.

When you turn on deregistration protection on an AMI, you have the option to include a 24-hour cooldown period. This cooldown period is the time during which deregistration protection remains in effect after you turn it off. During this cooldown period, the AMI can’t be deregistered. When the cooldown period ends, the AMI can be deregistered.

Deregistration protection is turned off by default on all existing and new AMIs.

Turn on deregistration protection

Use any of the following methods to turn on deregistration protection on an AMI. To do this, you must be the owner of the AMI.

Console
To turn on deregistration protection on an AMI

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. From the filter bar, choose Owned by me to list your available AMIs, or choose Disabled images to list your disabled AMIs.

  4. Select the AMI on which you want to turn on deregistration protection, and then choose Actions, Manage AMI deregistration protection.

  5. In the Manage AMI deregistration protection dialog box, you can turn on deregistration protection with or without a cooldown period. Choose one of the following options:

    • Enable with a 24-hour cooldown period – With a cooldown period, the AMI can’t be deregistered for 24 hours when deregistration protection is turned off.

    • Enable without cooldown – Without a cooldown period, the AMI can be deregistered immediately when deregistration protection is turned off.

  6. Choose Save.

AWS CLI
To turn on deregistration protection on an AMI

Use the enable-image-deregistration-protection command and specify the AMI ID. To include the optional 24-hour cooldown period, include --with-cooldown set to true. To exclude the cooldown period, omit the --with-cooldown parameter.

aws ec2 enable-image-deregistration-protection \
    --image-id ami-0123456789example \
    --with-cooldown true

Turn off deregistration protection

Use any of the following methods to turn off deregistration protection on an AMI. To do this, you must be the owner of the AMI.

Note

If you chose to include a 24-hour cooldown period when you turned on deregistration protection for the AMI, then, when you turn off deregistration protection, you won’t immediately be able to deregister the AMI. The cooldown period is the 24-hour time period during which deregistration protection remains in effect even after you turn it off. During this cooldown period, the AMI can’t be deregistered. After the cooldown period ends, the AMI can be deregistered.

Console
To turn off deregistration protection on an AMI

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. From the filter bar, choose Owned by me to list your available AMIs, or choose Disabled images to list your disabled AMIs.

  4. Select the AMI to turn off deregistration protection, and then choose Actions, Manage AMI deregistration protection.

  5. In the Manage AMI deregistration protection dialog box, choose Disable.

  6. Choose Save.

AWS CLI
To turn off deregistration protection on an AMI

Use the disable-image-deregistration-protection command and specify the AMI ID.

aws ec2 disable-image-deregistration-protection --image-id ami-0123456789example

Avoid costs from unused resources

When you deregister an AMI, you don't delete the resources that are associated with the AMI. These resources include the snapshots for EBS-backed AMIs and the files in Amazon S3 for instance store-backed AMIs. When you deregister an AMI, you also don't terminate or stop any instances launched from the AMI.

You will continue to incur costs for storing the snapshots and files, and you will incur costs for any running instances. For more information, see How you're charged.

To avoid incurring these types of unnecessary costs, we recommend deleting any resources that you don't need.

To determine whether your AMI is EBS-backed or instance store-backed, see Determine the root device type of your AMI.

Delete resources associated with your Amazon EBS-backed AMI

Use any of the following methods to delete the resources associated with your EBS-backed AMI.

Console
To delete resources associated with your EBS-backed AMI

  1. Deregister the AMI.

    Note the AMI ID—this can help you find the snapshots to delete in the next step.

  2. Delete snapshots that you don't need.

    The ID of the associated AMI is displayed in the Description column on the Snapshots screen.

  3. Terminate instances that you don't need.

AWS CLI
To delete resources associated with your EBS-backed AMI

  1. Deregister the AMI by using the deregister-image command.

    aws ec2 deregister-image --image-id ami-0123456789example

  2. Delete snapshots that you don't need by using the delete-snapshot command.

    aws ec2 delete-snapshot --snapshot-id snap-0123456789example

  3. Terminate instances that you don't need by using the terminate-instances command.

    aws ec2 terminate-instances --instance-ids i-0123456789example
PowerShell
To delete resources associated with your EBS-backed AMI

  1. Deregister the AMI by using the Unregister-EC2Image cmdlet.

    Unregister-EC2Image -ImageId ami-0123456789example

  2. Delete snapshots that you don't need by using the Remove-EC2Snapshot cmdlet.

    Remove-EC2Snapshot -SnapshotId snap-0123456789example

  3. Terminate instances that you don't need by using the Remove-EC2Instance cmdlet.

    Remove-EC2Instance -InstanceId i-0123456789example

The following diagram illustrates the flow for you to delete resources associated with an EBS-backed AMI.

Flow to delete resources associated with your Amazon EBS-backed AMI.

Delete resources associated with your instance store-backed AMI

Use the following method to delete the resources associated with your instance store-backed AMI.

To delete resources associated with your instance store-backed AMI

  1. Deregister the AMI by using the deregister-image command.

    aws ec2 deregister-image --image-id ami-0123456789example

  2. Delete the bundle in Amazon S3 by using the ec2-delete-bundle (AMI tools) command.

    ec2-delete-bundle -b myawsbucket/myami -a your_access_key_id -s your_secret_access_key -p image

  3. Terminate instances that you don't need by using the terminate-instances command.

    aws ec2 terminate-instances --instance-ids i-0123456789example

  4. If you are finished with the Amazon S3 bucket that you uploaded the bundle to, you can delete the bucket. To delete an Amazon S3 bucket, open the Amazon S3 console, select the bucket, choose Actions, and then choose Delete.

The following diagram illustrates the flow for you to delete resources associated with your instance store-backed AMI.

Flow to delete resources associated with your instance store-backed AMI.