Shared Windows AMIs are the Windows AMIs that developers build and make available for other AWS developers to use. You can either use an available shared AMI or create your own AMI for sharing. Creating safe, secure, usable Windows AMIs for public consumption is a fairly straightforward process.
Following these guidelines produces a better user experience, makes your users' instances less vulnerable to security issues, and helps protect you.
To create a Windows AMI for sharing, follow these guidelines:
Follow the instructions to launch and connect to a Windows instance.
Customize the instance by installing the software and applications you want to share. Do the following to make your AMI safe and secure for sharing:
Always delete the shell history before bundling. The shell history may contain sensitive information.
If you have saved your instance credentials, such as your key pair, remove them or move them to a location that is not going to be included in the AMI.
Ensure that the Administrator password, and the passwords on any other accounts, are set to values appropriate for sharing. These passwords will be available to anyone who launches your shared AMI.
Remove any saved passwords.
Make sure to test your AMI before you release to the public.
Run Sysprep to prepare the instance and to enable generation of a new password each time a new instance is launched from the image. The instance will shut down.
Create an image of the instance.
Amazon EC2 enables you to share your AMIs with other AWS accounts. This section describes how to share AMIs using the Amazon EC2 command line tools.
Note
Before proceeding, make sure to read the security guidelines for sharing AMIs in Creating Windows AMIs for Sharing.
AMIs have a launchPermission property that controls which AWS accounts, besides the owner's, are allowed to launch instances of that AMI. By modifying an AMI's launchPermission property, you can allow all AWS accounts to launch the AMI (i.e., make the AMI public) or allow only a few specific accounts to launch the AMI.
The launchPermission attribute is a list of accounts and launch groups. Launch permissions are granted or revoked by adding or removing items from the list. Explicit launch permissions for accounts are granted or revoked by adding or removing AWS account IDs. The only launch group currently supported is the all group, which makes the AMI public. The rest of this section refers to launch groups simply as groups. Launch groups are not the same as security groups and the two should not be confused. An AMI can have both public and explicit launch permissions.
Note
You are not billed when your AMI is launched by other AWS accounts. The accounts launching the AMI are billed.
To make an AMI public
Add the all group to the AMI's launchPermission.
C:\>ec2-modify-image-attribute <ami_id> --launch-permission -a all
The <ami_id> parameter is the ID of the AMI.
This example makes the ami-2bb65342 AMI public.
C:\>ec2-modify-image-attribute ami-2bb65342 --launch-permission -a all
launchPermission  ami-2bb65342  ADD  group  all
To check the launch permissions of an AMI
Enter the following command, where <ami_id> is the ID of the AMI.
C:\>ec2-describe-image-attribute <ami_id> -l
This example displays the launch permissions of the ami-2bb65342 AMI.
C:\>ec2-describe-image-attribute ami-2bb65342 -l
launchPermission  ami-2bb65342  group  all
To make an AMI private again
Remove the all group from its launch permissions, where <ami_id> is the ID of the AMI.
C:\>ec2-modify-image-attribute <ami_id> -l -r all
This will not affect any explicit launch permissions for the AMI or any running instances of the AMI.
This example removes the all group from the permissions of
the ami-2bb65342 AMI, making it private.
C:\>ec2-modify-image-attribute ami-2bb65342 -l -r all
launchPermission  ami-2bb65342  REMOVE  group  all
You can share an AMI with specific AWS accounts without making the AMI public. All you need is the account ID.
To grant explicit launch permissions
Enter the following command:
C:\>ec2-modify-image-attribute <ami_id> -l -a <user_id>
The <ami_id> is the ID of the AMI and <user_id> is the account ID, without hyphens.
The following example grants launch permissions to the AWS account with ID 111122223333 for the ami-2bb65342 AMI:
C:\>ec2-modify-image-attribute ami-2bb65342 -l -a 111122223333
launchPermission  ami-2bb65342  ADD  userId  111122223333
To remove launch permissions for an account
Enter the following command:
C:\>ec2-modify-image-attribute <ami_id> -l -r <user_id>
The <ami_id> is the ID of the AMI and <user_id> is the account ID, without hyphens.
The following example removes launch permissions from the AWS account with ID 111122223333 for the ami-2bb65342 AMI:
C:\>ec2-modify-image-attribute ami-2bb65342 -l -r 111122223333
launchPermission  ami-2bb65342  REMOVE  userId  111122223333
To remove all launch permissions
Enter the following command to remove all public and explicit launch permissions:
C:\>ec2-reset-image-attribute <ami_id> -l
The <ami_id> is the ID of the AMI.
The following example removes all public and explicit launch permissions from the ami-2bb65342 AMI:
C:\>ec2-reset-image-attribute ami-2bb65342 -l
launchPermission  ami-2bb65342  RESET
Note
The AMI owner always has rights to the AMI and is unaffected by this command.
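Because a single stray "group all" entry makes an image public, it is worth checking an AMI's launch permissions against the list of accounts you actually intend to share with before (and after) publishing. The following is an added example, not AWS code or part of this documentation: it parses the launchPermission lines that ec2-describe-image-attribute <ami_id> -l prints in the format shown above, reports whether each AMI is public, and lists the ec2-modify-image-attribute commands (same syntax as in this section) that would bring the permissions back to the intended allowlist. The sample output, the allowlist and the account IDs are constructed for the example; nothing is executed against AWS.

```python
import re

# Constructed sample output in the format ec2-describe-image-attribute <ami_id> -l
# prints on this page: one "launchPermission" line per grant. Not real data.
SAMPLE_OUTPUT = """\
launchPermission\tami-2bb65342\tgroup\tall
launchPermission\tami-2bb65342\tuserId\t111122223333
launchPermission\tami-2bb65342\tuserId\t444455556666
"""

# One permission line: attribute name, AMI ID, "group" or "userId", then the value.
LINE_RE = re.compile(r"^launchPermission\s+(ami-[0-9a-f]+)\s+(group|userId)\s+(\S+)$")


def normalize_account_id(account_id):
    """Account IDs must be given without hyphens (as the page notes). Accept either
    form, return the 12-digit string, and reject anything else."""
    digits = account_id.replace("-", "")
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError("not a 12-digit AWS account ID: %r" % account_id)
    return digits


def parse_launch_permissions(output):
    """Parse describe output into {ami_id: {"groups": set, "accounts": set}}."""
    perms = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError("unrecognised launchPermission line: %r" % line)
        ami_id, kind, value = match.groups()
        entry = perms.setdefault(ami_id, {"groups": set(), "accounts": set()})
        if kind == "group":
            entry["groups"].add(value)
        else:
            entry["accounts"].add(normalize_account_id(value))
    return perms


def is_public(entry):
    """An AMI is public exactly when the 'all' group is in its launch permissions."""
    return "all" in entry["groups"]


def remediation_commands(ami_id, entry, allowed_accounts, allow_public=False):
    """Return the ec2-modify-image-attribute commands (syntax as used on this page)
    that would make the AMI's launch permissions match the allowlist. The commands
    are returned as strings only; nothing is executed."""
    allowed = {normalize_account_id(a) for a in allowed_accounts}
    cmds = []
    if is_public(entry) and not allow_public:
        cmds.append("ec2-modify-image-attribute %s -l -r all" % ami_id)
    for acct in sorted(entry["accounts"] - allowed):      # shared too widely
        cmds.append("ec2-modify-image-attribute %s -l -r %s" % (ami_id, acct))
    for acct in sorted(allowed - entry["accounts"]):      # intended but missing
        cmds.append("ec2-modify-image-attribute %s -l -a %s" % (ami_id, acct))
    return cmds


def audit(output, allowed_accounts, allow_public=False):
    """Summarise every AMI in the output: public or not, accounts, fix-up commands."""
    report = {}
    for ami_id, entry in parse_launch_permissions(output).items():
        report[ami_id] = {
            "public": is_public(entry),
            "accounts": sorted(entry["accounts"]),
            "commands": remediation_commands(ami_id, entry, allowed_accounts, allow_public),
        }
    return report


if __name__ == "__main__":
    # Intended sharing: one partner account (written with hyphens on purpose), not public.
    for ami_id, result in audit(SAMPLE_OUTPUT, ["1111-2222-3333"]).items():
        print(ami_id, "PUBLIC" if result["public"] else "not public", result["accounts"])
        for cmd in result["commands"]:
            print("  ", cmd)
```

Run against the constructed sample, the audit reports the image as public and shared with one account that is not on the allowlist, and prints the -l -r all and -l -r 444455556666 commands to fix it; an AMI whose grants already match the allowlist produces no commands. Hyphenated account IDs are normalised rather than rejected, because the CLI itself expects them without hyphens.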
After you create a shared AMI, you can publish information about it in the Amazon EC2 Resource Center.
To publish your AMI
Post your AMI in the Public AMIs folder of the Amazon Web Services Resource Center, and include the following information:
AMI ID
AMI name (for Amazon EBS-backed AMIs) or AMI manifest (for Amazon EC2 instance store-backed AMIs)
Publisher
Publisher URL
OS / Distribution
Key feature
Description
Daemons / Services
Release Notes
If you want to, you can paste the following information into the document. You must be in HTML edit mode.
<strong>AMI ID: </strong>[ami-id]<br />
<strong>AMI Manifest: </strong>[myawsbucket/image.manifest.xml]<br />
<h2>About this AMI</h2>
<ul>
<li>Published by [Publisher] (<a href="http://www.mysite.com">[http://www.mysite.com]</a>).<br />
</li>
<li>[Key Features] <br />
</li>
<li>[Description]</li>
<li>This image contains the following daemons / services:
<ul>
<li>[Daemon 1]</li>
<li>[Daemon 2]</li>
</ul>
</li>
</ul>
<h2><strong>What's New?</strong></h2>The following changes were made on [Date].<br />
<ul>
<li>[Release Notes 1]</li>
</ul>
<span style="font-size: x-small; font-family: courier new,courier"> - [Note 1]</span><br />
<span style="font-size: x-small; font-family: courier new,courier"> - [Note 2]</span><br />
<span style="font-size: x-small; font-family: courier new,courier"> - [Note 3]</span><br />
Currently, there is no easy way to know who provided a shared AMI because each AMI is represented by an account ID.
We recommend that you post a description of your AMI, and the AMI ID, in the Amazon EC2 developer forum. This provides a convenient central location for users who are interested in trying new shared AMIs. You can also post the AMI to the Amazon Machine Images (AMIs) page.
This section describes how to find and safely use shared AMIs. One of the easiest ways to get started with Amazon EC2 is to use a shared AMI that has the components you need and add custom content.
To find shared AMIs
Enter the ec2-describe-images command (or the abbreviated ec2dim command) with a flag to filter the results.
The following examples show how to use a flag to filter the results.
The following command displays a list of all public AMIs. The -x all flag shows AMIs executable by all AWS accounts (i.e., AMIs with public launch permissions). This includes AMIs you own with public launch permissions.
C:\>ec2dim -x all
The following command displays a list of AMIs for which you have explicit launch permissions. AMIs that you own are excluded from the list.
C:\>ec2dim -x self
The following command displays a list of AMIs owned by Amazon.
C:\>ec2dim -o amazon
The following command displays a list of AMIs owned by a particular AWS account.
C:\>ec2dim -o <target_uid>
The <target_uid> is the account ID that owns the AMIs you're looking for.
For more information about the flags and how to use flags to filter the results, go to ec2-describe-images in the Amazon Elastic Compute Cloud Command Line Reference.
You launch AMIs at your own risk. Amazon cannot vouch for the integrity or security of AMIs shared by other EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center, and perform the appropriate due diligence.
Ideally, you should get the AMI ID from a trusted source (such as a website or another EC2 user that you trust). If you do not know the source of an AMI, we recommend that you search the AWS forums for comments on the AMI before launching it. Conversely, if you have questions or observations about a shared AMI, feel free to use the AWS forums to ask or comment.
Amazon's public images have an aliased owner and display amazon in the userId field. This allows you to find Amazon's public images easily.
Note
Users cannot alias an AMI's owner.
For information on launching, connecting, and using the Windows instances, see Using Instances.