Amazon Elastic Compute Cloud
User Guide for Linux Instances

Finding Shared AMIs

You can use the Amazon EC2 console or the command line to find shared AMIs.

Finding a Shared AMI (Console)

To find a shared private AMI using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. In the first filter, choose Private images. All AMIs that have been shared with you are listed. To narrow your search, choose the Search bar and use the filter options provided in the menu.

To find a shared public AMI using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. To find shared AMIs, choose Public images from the Filter list. To narrow your search, choose the Search bar and use the filter options provided in the menu.

  4. Use filters to list only the types of AMIs that interest you. For example, choose Amazon images to display only Amazon's public images.

Finding a Shared AMI (AWS CLI)

To find a shared public AMI using the command line tools

Use the describe-images command to list AMIs. You can scope the list to the types of AMIs that interest you, as shown in the following examples.

The following command lists all public AMIs using the --executable-users option. This list includes any public AMIs that you own.

$ aws ec2 describe-images --executable-users all

The following command lists the AMIs for which you have explicit launch permissions. This list excludes any such AMIs that you own.

$ aws ec2 describe-images --executable-users self

The following command lists the AMIs owned by Amazon. Amazon's public AMIs have an aliased owner, which appears as amazon in the account field. This enables you to find AMIs from Amazon easily. Other users can't alias their AMIs.

$ aws ec2 describe-images --owners amazon

The following command lists the AMIs owned by the specified AWS account.

$ aws ec2 describe-images --owners 123456789012

To reduce the number of displayed AMIs, use a filter to list only the types of AMIs that interest you. For example, use the following filter to display only EBS-backed AMIs.

--filters "Name=root-device-type,Values=ebs"

Finding a Shared AMI (Amazon EC2 CLI)

To find a shared public AMI using the command line tools

Use the ec2-describe-images command to list AMIs. You can scope the list to the types of AMIs that interest you, as shown in the following examples.

The following command lists all public AMIs using the -x all option. This list includes any public AMIs that you own.

$ ec2-describe-images -x all

The following command lists the AMIs for which you have explicit launch permissions. This list excludes any such AMIs that you own.

$ ec2-describe-images -x self

The following command lists the AMIs owned by Amazon. Amazon's public AMIs have an aliased owner, which appears as amazon in the account field. This enables you to find AMIs from Amazon easily. Other users can't alias their AMIs.

$ ec2-describe-images -o amazon

The following command lists the AMIs owned by the specified AWS account.

$ ec2-describe-images -o <target_uid>

The <target_uid> is the account ID that owns the AMIs for which you are looking.

To reduce the number of displayed AMIs, use a filter to list only the types of AMIs that interest you. For example, use the following filter to display only EBS-backed AMIs.

--filter "root-device-type=ebs"

Using Shared AMIs

Before you use a shared AMI, take the following steps to confirm that there are no pre-installed credentials that would allow unwanted access to your instance by a third party and no pre-configured remote logging that could transmit sensitive data to a third party. Check the documentation for the Linux distribution used by the AMI for information about improving the security of the system.

To ensure that you don't accidentally lose access to your instance, we recommend that you initiate two SSH sessions and keep the second session open until you've removed credentials that you don't recognize and confirmed that you can still log into your instance using SSH.

  1. Identify and disable any unauthorized public SSH keys. The only key in the file should be the key you used to launch the AMI. The following command locates authorized_keys files:

    $ sudo find / -name "authorized_keys" -print -exec cat {} \;

  2. Disable password-based authentication for the root user. Open the sshd_config file and edit the PermitRootLogin line as follows:

    PermitRootLogin without-password

    Alternatively, you can disable the ability to log into the instance as root:

    PermitRootLogin No

    Restart the sshd service.

  3. Check whether there are any other user accounts that are able to log in to your instance. Accounts with superuser privileges are particularly dangerous. Remove or lock the password of any unknown accounts.

  4. Check for open ports that you aren't using and for running network services that listen for incoming connections.

  5. To prevent preconfigured remote logging, you should delete the existing configuration file and restart the rsyslog service. For example:

    $ sudo rm /etc/rsyslog.conf
    $ sudo service rsyslog restart

  6. Verify that all cron jobs are legitimate.
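
The six review steps above as read-only shell checks. This is an added example, not part of the AWS guide: the function names and the `--audit` switch are this example's own, and the paths in `audit_instance` are assumed common Linux defaults that can differ by distribution.

```shell
#!/bin/sh
# Added example: read-only checks for steps 1-6. Function names are this
# example's own; each function takes the file(s) to inspect as arguments.

# Step 1: print entries in authorized_keys file $1 whose key blob is not $2
# (the base64 blob of the key pair you launched with). Lines that do not
# parse as a key are printed too.
unexpected_keys() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if ($(i + 1) != want) print FILENAME ":" FNR ": " $0
        }' "$1"
}

# Step 2: print the PermitRootLogin value in sshd_config file $1. sshd uses
# the first value it reads for a keyword; "unset" means the built-in default.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Step 3: list extra UID 0 accounts in passwd file $1, and accounts in
# shadow file $2 whose password field is usable (not locked with ! or *).
login_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0 " $1 }' "$1"
    awk -F: '$2 !~ /^[!*]/ { kind = ($2 == "") ? "empty-password" : "password"
                             print kind " " $1 }' "$2"
}

# Step 5: print rsyslog rules that send logs to another host: "@host" (UDP),
# "@@host" (TCP) or the omfwd action. Exit status 0 means a rule was found.
remote_log_rules() {
    grep -HnE '^[^#]*([[:space:]]@@?[^[:space:]]|omfwd)' "$@"
}

# All six steps on the running instance (run as root). Paths are assumed
# common Linux defaults; $1 is the launch key blob.
audit_instance() {
    find / -name authorized_keys 2>/dev/null | while read -r f; do
        unexpected_keys "$f" "$1"
    done
    echo "PermitRootLogin: $(root_login_setting /etc/ssh/sshd_config)"
    login_accounts /etc/passwd /etc/shadow
    ss -tulnp                                      # step 4: listening sockets
    remote_log_rules /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    cat /etc/crontab; ls -la /etc/cron.* /var/spool/cron   # step 6: cron jobs
}
if [ "${1:-}" = "--audit" ]; then audit_instance "${2:?launch key blob}"; fi
```

The file parser in `root_login_setting` does not follow Match blocks or Include files; on a live instance, `sudo sshd -T` prints the configuration sshd actually applies.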

If you discover a public AMI that you feel presents a security risk, contact the AWS security team. For more information, see the AWS Security Center.