Make an AMI public
You can make your AMI publicly available by sharing it with all AWS accounts.
If you want to prevent the public sharing of your AMIs, you can enable block public access for AMIs. This blocks any attempts to
make an AMI public, helping to prevent unauthorized access and potential misuse of AMI
data. Note that enabling block public access does not affect your AMIs that are already
publicly available; they remain publicly available.
To allow only specific accounts to use your AMI to launch instances, see Share an AMI with specific AWS
accounts.
Considerations
Consider the following before making an AMI public.
-
Ownership – To make an AMI public,
your AWS account must own the AMI.
-
Region – AMIs are a Regional
resource. When you share an AMI, it is available only in the Region from
which you shared it. To make an AMI available in a different Region, copy
the AMI to the Region and then share it. For more information, see Copy an AMI.
-
Block public access – To publicly share an AMI,
block public access for AMIs must be disabled in each
Region in which the AMI will be publicly shared. After you've publicly
shared the AMI, you can re-enable block public access for AMIs to prevent
further public sharing of your AMIs.
-
Some AMIs can't be made public – If your AMI
includes one of the following components, you can't make it public (but you
can share the AMI with specific
AWS accounts):
-
Avoid exposing sensitive data – To
avoid exposing sensitive data when you share an AMI, read the security
considerations in Guidelines for shared Linux AMIs and follow the recommended
actions.
-
Usage – When you share an AMI,
users can only launch instances from the AMI. They can’t delete, share, or
modify it. However, after they have launched an instance using your AMI,
they can then create an AMI from the instance they launched.
-
Automatic deprecation – By default, the
deprecation date of all public AMIs is set to two years from the AMI
creation date. You can set the deprecation date to earlier than two years.
To cancel the deprecation date, or to move the deprecation to a later date,
you must make the AMI private by only sharing it with specific AWS accounts.
-
Billing – You are not billed when your AMI is
used by other AWS accounts to launch instances. The accounts that launch
instances using the AMI are billed for the instances that they
launch.
Share an AMI with all AWS accounts
(share publicly)
After you make an AMI public, it is available in Community AMIs in the
console, which you can access from the AMI Catalog in the left
navigator in the EC2 console or when launching an instance using the console. Note
that it can take a short while for an AMI to appear in Community
AMIs after you make it public.
- New console
-
To make an AMI public
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the navigation pane, choose
AMIs.
-
Select your AMI from the list, and then choose
Actions, Edit AMI
permissions.
-
Under AMI availability, choose
Public.
-
Choose Save changes.
- Old console
-
To share a public AMI using the console
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the navigation pane, choose
AMIs.
-
Select your AMI from the list, and then choose
Actions, Modify Image
Permissions.
-
Choose Public, and then choose
Save.
- AWS CLI
-
Each AMI has a launchPermission
property that controls which AWS accounts,
besides the owner's, are allowed to use that AMI to launch instances. By modifying
the launchPermission
property of an AMI, you can make the AMI public
(which grants launch permissions to all AWS accounts), or share it with only the
AWS accounts that you specify.
You can add or remove account IDs from the list of accounts that have launch
permissions for an AMI. To make the AMI public, specify the all
group.
You can specify both public and explicit launch permissions.
To make an AMI public
-
Use the modify-image-attribute command as follows to
add the all
group to the launchPermission
list for
the specified AMI.
aws ec2 modify-image-attribute \
--image-id ami-0abcdef1234567890
\
--launch-permission "Add=[{Group=all}]"
-
To verify the launch permissions of the AMI, use the describe-image-attribute command.
aws ec2 describe-image-attribute \
--image-id ami-0abcdef1234567890
\
--attribute launchPermission
-
(Optional) To make the AMI private again, remove the all
group from its launch permissions. Note that the owner of the AMI always has
launch permissions and is therefore unaffected by this command.
aws ec2 modify-image-attribute \
--image-id ami-0abcdef1234567890
\
--launch-permission "Remove=[{Group=all}]"
Block public access to your AMIs
To prevent the public sharing of your AMIs, you can enable block
public access for AMIs. This setting is enabled at the account level,
but you need to enable it in each AWS Region in which you want to prevent the
public sharing of your AMIs.
When block public access is enabled, any attempt to make an AMI public is automatically
blocked. However, if you already have public AMIs, they will remain publicly
available.
If you want to publicly share AMIs, you'll need to disable block public access. When you’re
done sharing, it's best practice to re-enable block public access to prevent any
unintended public sharing of your AMIs.
You can restrict IAM permissions to an administrator user so that only they can enable or
disable block public access for AMIs.
Required IAM permissions
To use block public access for AMIs, you must have the following IAM permissions:
-
EnableImageBlockPublicAccess
-
DisableImageBlockPublicAccess
-
GetImageBlockPublicAccessState
Enable block public access for
AMIs
To prevent the public sharing of your AMIs, enable block public access for AMIs at the
account level. You must enable block public access for AMIs in each AWS Region
in which you want to prevent the public sharing of your AMIs. If you already
have public AMIs, they will remain publicly available.
- Console
-
To enable block public access for AMIs in the specified Region
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
From the navigation bar (at the top of the screen), select the Region in which to
enable block public access for AMIs.
-
If the dashboard is not displayed, in the navigation pane,
choose EC2 Dashboard.
-
Under Account attributes, choose
Data protection and
security.
-
Under Block public access for AMIs,
choose Manage.
-
Select the Block new public sharing check box, and then choose
Update.
The API can take up to 10 minutes to configure this setting. During this time, the
value will be New public sharing
allowed. When the API has completed the
configuration, the value will automatically change to
New public sharing
blocked.
- AWS CLI
-
To enable block public access for AMIs in the specified Region
Use the enable-image-block-public-access command and
specify the Region in which to enable block public access for
AMIs. For the --image-block-public-access-state
parameter, specify block-new-sharing
.
aws ec2 enable-image-block-public-access \
--region us-east-1
\
--image-block-public-access-state block-new-sharing
Expected output
{
"ImageBlockPublicAccessState": "block-new-sharing"
}
The API can take up to 10 minutes to configure this setting. During this time, if you
run the get-image-block-public-access-state command, the
response will be unblocked
. When the API has
completed the configuration, the response will be
block-new-sharing
.
Disable block public access for
AMIs
To allow the users in your account to publicly share your AMIs, disable block public
access at the account level. You must disable block public access for AMIs in
each AWS Region in which you want to allow the public sharing of your
AMIs.
- Console
-
To disable block public access for AMIs in the specified Region
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
From the navigation bar (at the top of the screen), select the Region in which to
disable block public access for AMIs.
-
If the dashboard is not displayed, in the navigation pane,
choose EC2 Dashboard.
-
Under Account attributes, choose
Data protection and
security.
-
Under Block public access for AMIs,
choose Manage.
-
Clear the Block new public sharing check box, and then choose
Update.
-
Enter confirm
when prompted for confirmation, and then choose
Allow public sharing.
The API can take up to 10 minutes to configure this setting. During this time, the
value will be New public sharing
blocked. When the API has completed the
configuration, the value will automatically change to
New public sharing
allowed.
- AWS CLI
-
To disable block public access for AMIs in the specified Region
Use the disable-image-block-public-access command and
specify the Region in which to disable block public access for
AMIs.
aws ec2 disable-image-block-public-access --region us-east-1
Expected output
{
"ImageBlockPublicAccessState": "unblocked"
}
The API can take up to 10 minutes to configure this setting. During this time, if you
run the get-image-block-public-access-state command, the
response will be block-new-sharing
. When the API
has completed the configuration, the response will be
unblocked
.
View the block public access state for
AMIs
To see whether the public sharing of your AMIs is blocked in your account, you can view
the state for block public access for AMIs. You must view the state in each
AWS Region in which you want to see whether the public sharing of your AMIs is
blocked.
- Console
-
To view the block public access state for AMIs in the specified Region
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
From the navigation bar (at the top of the screen), select the Region in which to
view the block public access state for AMIs.
-
If the dashboard is not displayed, in the navigation pane,
choose EC2 Dashboard.
-
Under Account attributes, choose
Data protection and
security.
-
Under Block public access for AMIs, check the Public
access field. The value is either
New public sharing blocked or
New public sharing allowed.
- AWS CLI
-
To get the block public access state for AMIs in the specified Region
Use the get-image-block-public-access-state command and
specify the Region in which to get the block public access state
for AMIs.
aws ec2 get-image-block-public-access-state --region us-east-1
Expected output – The value is either block-new-sharing
or
unblocked
.
{
"ImageBlockPublicAccessState": "block-new-sharing"
}