Disable an Amazon EC2 AMI - Amazon Elastic Compute Cloud

You can disable an AMI to prevent it from being used for instance launches. You can't launch new instances from a disabled AMI. You can re-enable a disabled AMI so that it can be used again for instance launches.

Warning

Disabling an AMI removes all its launch permissions.

When an AMI is disabled:

  • The AMI's state changes to disabled.

  • A disabled AMI can't be shared. If an AMI was public or previously shared, it is made private. If an AMI was shared with an AWS account, organization, or Organizational Unit, they lose access to the disabled AMI.

  • A disabled AMI does not appear in DescribeImages API calls by default.

  • A disabled AMI does not appear under the Owned by me console filter. To find disabled AMIs, use the Disabled images console filter.

  • A disabled AMI is not available to select for instance launches in the EC2 console. For example, a disabled AMI does not appear in the AMI catalog in the launch instance wizard or when creating a launch template.

  • Launch services, such as launch templates and Auto Scaling groups, can continue to reference disabled AMIs. Subsequent instance launches from a disabled AMI will fail, so we recommend updating launch templates and Auto Scaling groups to reference available AMIs only.

  • EC2 instances that were previously launched using an AMI that is subsequently disabled are not affected, and can be stopped, started, and rebooted.

  • You can't delete snapshots associated with disabled AMIs. Attempting to delete an associated snapshot results in the "snapshot is currently in use" error.

When an AMI is re-enabled:

  • The AMI's state changes to available, and it can be used to launch instances.

  • The AMI can be shared.

  • AWS accounts, organizations, and Organizational Units that lost access to the AMI when it was disabled do not regain access automatically, but the AMI can be shared with them again.

You can disable both private and public AMIs.

You can archive the snapshots that are associated with your disabled EBS-backed AMIs. This can help you to reduce the storage costs associated with your rarely-used AMIs that need to be retained for long periods. For more information, see Archive Amazon EBS snapshots in the Amazon EBS User Guide.

Costs

When you disable an AMI, the AMI is not deleted. If the AMI is an EBS-backed AMI, you continue to pay for the AMI's EBS snapshots. If you want to keep the AMI, you might be able to reduce your storage costs by archiving the snapshots. For more information, see Archive Amazon EBS snapshots in the Amazon EBS User Guide. If you don't want to keep the AMI and its snapshots, you must deregister the AMI and delete the snapshots. For more information, see EBS-backed AMIs.

Prerequisites

To disable or re-enable an AMI, you must be the owner of the AMI.

Required IAM permissions

To disable and re-enable an AMI, you must have the following IAM permissions:

  • ec2:DisableImage

  • ec2:EnableImage

Disable an AMI

You can disable an AMI by using the EC2 console or the AWS Command Line Interface (AWS CLI). You must be the AMI owner to perform this procedure.

Console
To disable an AMI
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the left navigation pane, choose AMIs.

  3. From the filter bar, choose Owned by me.

  4. Select the AMI, and then choose Actions, Disable AMI. You can select multiple AMIs to disable at once.

  5. In the Disable AMI window, choose Disable AMI.

AWS CLI
To disable an AMI

Use the disable-image command and specify the ID of the AMI.

aws ec2 disable-image --image-id ami-1234567890abcdef0

Expected output

{ "Return": "true" }

Describe disabled AMIs

You can view disabled AMIs in the EC2 console and by using the AWS CLI.

You must be the AMI owner to view disabled AMIs. Because disabled AMIs are made private, you can't view disabled AMIs if you're not the owner.

Console
To view disabled AMIs
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the left navigation pane, choose AMIs.

  3. From the filter bar, choose Disabled images.

AWS CLI

By default, when you use the describe-images command to describe all AMIs, disabled AMIs do not appear in the results. This is because the default is --no-include-disabled. To include disabled AMIs in the results, you must specify the --include-disabled parameter.

To include all disabled AMIs when describing all AMIs

Use the describe-images command and specify the --include-disabled parameter to retrieve disabled AMIs in addition to all other AMIs. Optionally, specify --owners self to retrieve only the AMIs that you own.

aws ec2 describe-images \
    --region us-east-1 \
    --owners self \
    --include-disabled

If you specify the ID of a disabled AMI, the disabled AMI is returned in the results even if you do not specify --include-disabled.

aws ec2 describe-images \
    --region us-east-1 \
    --image-ids ami-1234567890EXAMPLE

To retrieve only disabled AMIs

Specify --filters Name=state,Values=disabled. You must also specify --include-disabled, otherwise you'll get an error.

aws ec2 describe-images \
    --include-disabled \
    --filters Name=state,Values=disabled

Example output

The State field displays the state of an AMI. A value of disabled indicates that the AMI is disabled.

{
    "Images": [
        {
            "VirtualizationType": "hvm",
            "Description": "Provided by Red Hat, Inc.",
            "PlatformDetails": "Red Hat Enterprise Linux",
            "EnaSupport": true,
            "Hypervisor": "xen",
            "State": "disabled",
            "SriovNetSupport": "simple",
            "ImageId": "ami-1234567890EXAMPLE",
            "DeprecationTime": "2023-05-10T13:17:12.000Z",
            "UsageOperation": "RunInstances:0010",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/sda1",
                    "Ebs": {
                        "SnapshotId": "snap-111222333444aaabb",
                        "DeleteOnTermination": true,
                        "VolumeType": "gp2",
                        "VolumeSize": 10,
                        "Encrypted": false
                    }
                }
            ],
            "Architecture": "x86_64",
            "ImageLocation": "123456789012/RHEL-8.0.0_HVM-20190618-x86_64-1-Hourly2-GP2",
            "RootDeviceType": "ebs",
            "OwnerId": "123456789012",
            "RootDeviceName": "/dev/sda1",
            "CreationDate": "2019-05-10T13:17:12.000Z",
            "Public": false,
            "ImageType": "machine",
            "Name": "RHEL-8.0.0_HVM-20190618-x86_64-1-Hourly2-GP2"
        }
    ]
}
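Launch templates can keep referencing a disabled AMI, and launches from them then fail. The following added example (not part of the AWS documentation) cross-checks describe-images output against launch template versions to find those references. The sample JSON is constructed, and the template names and the find_stale_references helper are assumptions made for illustration.

```python
import json

# Constructed sample, trimmed from the shape returned by:
#   aws ec2 describe-images --owners self --include-disabled
# Without --include-disabled the disabled AMI would be absent and the audit
# would report nothing.
IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-1234567890EXAMPLE", "State": "disabled"},
  {"ImageId": "ami-0aaaabbbbccccdddd", "State": "available"}
]}""")

# Constructed sample, trimmed from the shape returned by:
#   aws ec2 describe-launch-template-versions --versions '$Latest' '$Default'
TEMPLATE_VERSIONS = json.loads("""
{"LaunchTemplateVersions": [
  {"LaunchTemplateName": "web", "VersionNumber": 3, "DefaultVersion": true,
   "LaunchTemplateData": {"ImageId": "ami-1234567890EXAMPLE"}},
  {"LaunchTemplateName": "batch", "VersionNumber": 1, "DefaultVersion": true,
   "LaunchTemplateData": {"ImageId": "ami-0aaaabbbbccccdddd"}},
  {"LaunchTemplateName": "golden", "VersionNumber": 2, "DefaultVersion": false,
   "LaunchTemplateData": {"ImageId": "resolve:ssm:/golden/ami"}},
  {"LaunchTemplateName": "no-image", "VersionNumber": 1, "DefaultVersion": true,
   "LaunchTemplateData": {}}
]}""")


def find_stale_references(images, template_versions):
    """Return (stale, unresolved) lists of (template, version, image reference)."""
    disabled = {i["ImageId"] for i in images["Images"] if i.get("State") == "disabled"}
    stale, unresolved = [], []
    for v in template_versions["LaunchTemplateVersions"]:
        image_ref = v.get("LaunchTemplateData", {}).get("ImageId")
        if image_ref is None:
            continue  # template leaves the AMI to be chosen at launch time
        row = (v["LaunchTemplateName"], v["VersionNumber"], image_ref)
        if not image_ref.startswith("ami-"):
            unresolved.append(row)  # e.g. an SSM parameter; resolve it, then re-check
        elif image_ref in disabled:
            stale.append(row)  # launches from this version will fail
    return stale, unresolved


if __name__ == "__main__":
    stale, unresolved = find_stale_references(IMAGES, TEMPLATE_VERSIONS)
    for name, version, ref in stale:
        print(f"STALE      {name} v{version} -> {ref} (disabled)")
    for name, version, ref in unresolved:
        print(f"UNRESOLVED {name} v{version} -> {ref}")
```
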

Re-enable a disabled AMI

You can re-enable a disabled AMI. You must be the AMI owner to perform this procedure.

Console
To re-enable a disabled AMI
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the left navigation pane, choose AMIs.

  3. From the filter bar, choose Disabled images.

  4. Select the AMI, and then choose Actions, Enable AMI. You can select multiple AMIs to re-enable several AMIs at once.

  5. In the Enable AMI window, choose Enable.

AWS CLI
To re-enable a disabled AMI

Use the enable-image command and specify the ID of the AMI.

aws ec2 enable-image --image-id ami-1234567890abcdef0

Expected output

{ "Return": "true" }
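Disabling removes all launch permissions, and re-enabling does not restore them, so the sharing list has to be captured before disable-image is run. The following added example (not part of the AWS documentation) turns a saved describe-image-attribute result into input for modify-image-attribute. The sample data is constructed, and build_restore_request with its allow_public switch is a hypothetical helper.

```python
import json

# Constructed sample: output saved BEFORE disable-image from
#   aws ec2 describe-image-attribute --image-id ami-1234567890abcdef0 \
#       --attribute launchPermission
# After the AMI is disabled this list is empty, so it cannot be recovered later.
SAVED = json.loads("""
{"ImageId": "ami-1234567890abcdef0",
 "LaunchPermissions": [
   {"UserId": "111122223333"},
   {"Group": "all"},
   {"OrganizationArn": "arn:aws:organizations::123456789012:organization/o-exampleorgid"},
   {"UserId": "111122223333"},
   {"Unexpected": "value"}
 ]}""")

# Keys that a launch permission entry can carry.
PERMISSION_KEYS = {"UserId", "Group", "OrganizationArn", "OrganizationalUnitArn"}


def build_restore_request(saved, allow_public=False):
    """Build ModifyImageAttribute input that re-adds the saved launch permissions.

    Returns (request, skipped). Public sharing (Group=all) is skipped unless
    allow_public is True, so re-enabling never republishes an AMI by accident.
    """
    add, skipped = [], []
    for entry in saved.get("LaunchPermissions", []):
        if len(entry) != 1 or not set(entry) <= PERMISSION_KEYS:
            skipped.append(entry)  # malformed or unknown entry: do not replay it
        elif entry.get("Group") == "all" and not allow_public:
            skipped.append(entry)  # needs an explicit decision to go public again
        elif entry not in add:
            add.append(entry)  # de-duplicate while keeping the saved order
    request = {"ImageId": saved["ImageId"], "LaunchPermission": {"Add": add}}
    return request, skipped


if __name__ == "__main__":
    request, skipped = build_restore_request(SAVED)
    # Save the printed document as restore.json and pass it to:
    #   aws ec2 modify-image-attribute --cli-input-json file://restore.json
    print(json.dumps(request, indent=2))
    for entry in skipped:
        print("skipped:", entry)
```
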