Share an AMI with specific AWS accounts - Amazon Elastic Compute Cloud
ConsiderationsShare an AMI (console)Share an AMI (Tools for Windows PowerShell)Share an AMI (AWS CLI)

Share an AMI with specific AWS accounts

You can share an AMI with specific AWS accounts without making the AMI public. All you need are the AWS account IDs.

Considerations

Consider the following when sharing AMIs with specific AWS accounts.

  • Ownership – To share an AMI, your AWS account must own the AMI.

  • Sharing limits – For the maximum number of entities to which an AMI can be shared within a Region, see the Amazon EC2 service quotas.

  • Tags – You can't share user-defined tags (tags that you attach to an AMI). When you share an AMI, your user-defined tags are not available to any AWS account that the AMI is shared with.

  • Encryption and keys – You can share AMIs that are backed by unencrypted and encrypted snapshots.

    • The encrypted snapshots must be encrypted with a KMS key. You can’t share AMIs that are backed by snapshots that are encrypted with the default AWS managed key. For more information, see Share an Amazon EBS snapshot.

    • If you share an AMI that is backed by encrypted snapshots, you must allow the AWS accounts to use the KMS keys that were used to encrypt the snapshots. For more information, see Allow organizations and OUs to use a KMS key.

  • Region – AMIs are a Regional resource. When you share an AMI, it is only available in that Region. To make an AMI available in a different Region, copy the AMI to the Region and then share it. For more information, see Copy an AMI.

  • Usage – When you share an AMI, users can only launch instances from the AMI. They can’t delete, share, or modify it. However, after they have launched an instance using your AMI, they can then create an AMI from their instance.

  • Copying shared AMIs – If users in another account want to copy a shared AMI, you must grant them read permissions for the storage that backs the AMI. For more information, see Cross-account copying.

  • Billing – You are not billed when your AMI is used by other AWS accounts to launch instances. The accounts that launch instances using the AMI are billed for the instances that they launch.

Share an AMI (console)

New console
To grant explicit launch permissions using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. Select your AMI in the list, and then choose Actions, Edit AMI permissions.

  4. Choose Private.

  5. Under Shared accounts, choose Add account ID.

  6. For AWS account ID, enter the AWS account ID with which you want to share the AMI, and then choose Share AMI.

    To share this AMI with multiple accounts, repeat Steps 5 and 6 until you have added all the required account IDs.

    Note

    You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

  7. Choose Save changes when you are done.

  8. (Optional) To view the AWS account IDs with which you have shared the AMI, select the AMI in the list, and choose the Permissions tab. To find AMIs that are shared with you, see Find shared AMIs.

Old console
To grant explicit launch permissions using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose AMIs.

  3. Select your AMI in the list, and then choose Actions, Modify Image Permissions.

  4. Specify the AWS account ID of the user with whom you want to share the AMI in the AWS Account Number field, then choose Add Permission.

    To share this AMI with multiple users, repeat this step until you have added all the required users.

    Note

    You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

  5. Choose Save when you are done.

  6. (Optional) To view the AWS account IDs with which you have shared the AMI, select the AMI in the list, and choose the Permissions tab. To find AMIs that are shared with you, see Find shared AMIs.

Share an AMI (Tools for Windows PowerShell)

Use the Edit-EC2ImageAttribute command (Tools for Windows PowerShell) to share an AMI as shown in the following examples.

To grant explicit launch permissions

The following command grants launch permissions for the specified AMI to the specified AWS account.

PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType add -UserId "123456789012"
Note

You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

To remove launch permissions for an account

The following command removes launch permissions for the specified AMI from the specified AWS account.

PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType remove -UserId "123456789012"
To remove all launch permissions

The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.

PS C:\> Reset-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission

Share an AMI (AWS CLI)

Use the modify-image-attribute command (AWS CLI) to share an AMI as shown in the following examples.

To grant explicit launch permissions

The following command grants launch permissions for the specified AMI to the specified AWS account.

aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Add=[{UserId=123456789012}]"
Note

You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

To remove launch permissions for an account

The following command removes launch permissions for the specified AMI from the specified AWS account.

aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Remove=[{UserId=123456789012}]"
To remove all launch permissions

The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.

aws ec2 reset-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --attribute launchPermission