Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs
To control the discovery and use of Amazon Machine Images (AMIs) by users in your Amazon Web Services account, you can use the Allowed AMIs feature. This feature allows you to specify criteria that AMIs must meet to be visible and available within your account. When the criteria are enabled, users launching instances will only see and have access to AMIs that comply with the specified criteria. For example, you can specify a list of trusted AMI providers as the criteria, and only AMIs from these providers will be visible and available for use.
Before enabling the Allowed AMIs settings, you can enable audit mode to preview which AMIs will or won't be visible and available for use. This lets you refine the criteria as needed to ensure that only the intended AMIs are visible and available to users in your account. Additionally, you can run the describe-instance-image-metadata command to identify instances that were launched with AMIs that don't meet the criteria.
You specify the Allowed AMIs settings at the account level, either directly in the account or by using a declarative policy. These settings must be configured in each Amazon Web Services Region where you want to control the discovery and use of AMIs. Using a declarative policy allows you to apply the settings across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the settings directly within an account. This topic describes how to configure the settings directly within an account. For information about using declarative policies, see Declarative policies in the Amazon Organizations User Guide.
Note
The Allowed AMIs feature only controls the discovery and use of public AMIs or AMIs shared with your account. It does not restrict the AMIs owned by your account. Regardless of the criteria you set, the AMIs created by your account will always be discoverable and usable by users in your account.
Key benefits of Allowed AMIs
- Compliance and security: Users can only discover and use AMIs that meet the specified criteria, reducing the risk of non-compliant AMI usage.
- Efficient management: By reducing the number of allowed AMIs, managing the remaining ones becomes easier and more efficient.
- Centralized account-level implementation: Configure the Allowed AMIs settings at the account level, either directly within the account or through a declarative policy. This provides a centralized and efficient way to control AMI usage across the entire account.
Contents
- How Allowed AMIs works
- Best practices for implementing Allowed AMIs
- Required IAM permissions
- Enable audit mode and specify criteria
- Enable Allowed AMIs
- Disable Allowed AMIs
- Update Allowed AMIs criteria
- Identify Allowed AMIs state and criteria
- Identify AMIs that meet the Allowed AMIs criteria
- Identify whether instances were launched with AMIs that aren't allowed
How Allowed AMIs works
You specify criteria that automatically filter and determine which AMIs can be discovered and used in your account. You specify the criteria in a JSON configuration, and then enable the criteria by calling the EnableAllowedImagesSettings API operation.
JSON configuration for the Allowed AMIs criteria
The core configuration for Allowed AMIs is the JSON configuration that defines the criteria for allowed AMIs.
Currently, the only supported criteria are AMI providers. Valid values are aliases that are defined by Amazon, and Amazon Web Services account IDs, as follows:
- amazon – An alias that identifies AMIs created by Amazon
- aws-marketplace – An alias that identifies AMIs created by verified providers in the Amazon Web Services Marketplace
- aws-backup-vault – An alias that identifies backup AMIs that reside in logically air-gapped Amazon Backup vault accounts. If you use the Amazon Backup logically air-gapped vault feature, ensure this alias is included as an AMI provider.
- Amazon Web Services account IDs – One or more 12-digit Amazon Web Services account IDs
- none – Indicates that only AMIs created by your account can be discovered and used. Public or shared AMIs can't be discovered and used. If you specify none, you can't specify an alias or account ID.
The AMI criteria are specified in JSON format. Here's an example that specifies two aliases and three Amazon Web Services account IDs:
{
    "ImageCriteria": [
        {
            "ImageProviders": [
                "amazon",
                "aws-marketplace",
                "123456789012",
                "112233445566",
                "009988776655"
            ]
        }
    ]
}
Limits for the JSON configuration
- ImageCriteria objects: Maximum of 10 ImageCriteria objects can be specified in a single configuration.
- ImageProviders values: Maximum of 200 values across all ImageCriteria objects.
Example of limits
Consider the following example to illustrate these limits, where different ImageProviders lists are used to group the AMI provider accounts:
{
    "ImageCriteria": [
        { "ImageProviders": ["amazon", "aws-marketplace"] },
        { "ImageProviders": ["123456789012", "112233445566", "121232343454"] },
        { "ImageProviders": ["998877665555", "987654321098"] }
    ]
}
In this example:
- There are 3 ImageCriteria objects (up to 7 more can be added to reach the limit of 10).
- There are 7 total ImageProviders values across all objects (up to 193 more can be added to reach the limit of 200).
In this example, AMIs are allowed from any of the specified AMI providers in any of the ImageCriteria objects. The objects are combined as a union, not an intersection: an AMI needs to match only one ImageProviders value to be allowed.
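The following Python script is an added example and is not code from the EC2 documentation. It checks an ImageCriteria document against the limits and rules described above (10 objects, 200 values, valid aliases, 12-digit account IDs, and the rule that none cannot be combined with anything else), and then predicts the audit-mode verdict for a set of describe-images style records, including the documented exception that AMIs owned by your own account are always allowed. The matching rule it uses (aliases compared against an image's ImageOwnerAlias, account IDs against its OwnerId) is an assumption about how the service evaluates providers, and the sample image records are constructed.

```python
"""Check an Allowed AMIs ImageCriteria document and simulate the audit-mode verdict.

Added example, not code from the EC2 documentation. The alias names, the
10-object / 200-value limits, the "none" rule and the fact that AMIs owned by
the account are always allowed come from the documentation. The matching rule
used by the simulation (aliases compared against an image's ImageOwnerAlias,
account IDs against its OwnerId) is an assumption, and the sample records are
constructed.
"""
import re

VALID_ALIASES = {"amazon", "aws-marketplace", "aws-backup-vault"}
MAX_CRITERIA_OBJECTS = 10
MAX_PROVIDER_VALUES = 200
ACCOUNT_ID = re.compile(r"^\d{12}$")


def validate_image_criteria(config: dict) -> list[str]:
    """Return the problems found; an empty list means the document is acceptable."""
    problems: list[str] = []
    criteria = config.get("ImageCriteria")
    if not isinstance(criteria, list) or not criteria:
        return ["ImageCriteria must be a non-empty list"]
    if len(criteria) > MAX_CRITERIA_OBJECTS:
        problems.append(f"{len(criteria)} ImageCriteria objects exceeds the limit of {MAX_CRITERIA_OBJECTS}")
    values: list[str] = []
    for i, crit in enumerate(criteria):
        providers = crit.get("ImageProviders") if isinstance(crit, dict) else None
        if not isinstance(providers, list) or not providers:
            problems.append(f"ImageCriteria[{i}] has no ImageProviders list")
            continue
        values.extend(providers)
    if len(values) > MAX_PROVIDER_VALUES:
        problems.append(f"{len(values)} ImageProviders values exceeds the limit of {MAX_PROVIDER_VALUES}")
    for value in values:
        if value in VALID_ALIASES or value == "none" or ACCOUNT_ID.match(str(value)):
            continue
        problems.append(f"{value!r} is neither a supported alias nor a 12-digit account ID")
    if "none" in values and len(values) > 1:
        problems.append('"none" cannot be combined with an alias or account ID')
    return problems


def allowed_providers(config: dict) -> set[str]:
    """Union of every ImageProviders value: matching any object's value is enough."""
    return {v for crit in config.get("ImageCriteria", []) for v in crit.get("ImageProviders", [])}


def is_ami_allowed(image: dict, config: dict, own_account_id: str) -> bool:
    """Predict the ImageAllowed flag for one describe-images style record."""
    if image.get("OwnerId") == own_account_id:
        return True  # AMIs owned by the account are never restricted (documented)
    providers = allowed_providers(config)
    if "none" in providers:
        return False  # only the account's own AMIs remain usable
    if image.get("ImageOwnerAlias") in providers:
        return True  # alias match, e.g. "amazon" or "aws-marketplace" (assumed rule)
    return image.get("OwnerId") in providers  # account ID match (assumed rule)


def audit_report(images: list[dict], config: dict, own_account_id: str) -> dict[str, bool]:
    """ImageId -> predicted ImageAllowed, the same view audit mode gives you."""
    return {img["ImageId"]: is_ami_allowed(img, config, own_account_id) for img in images}


# Constructed describe-images style records; IDs and owner accounts are made up.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaa000000000001", "OwnerId": "111111111111", "ImageOwnerAlias": "amazon"},
    {"ImageId": "ami-0bbbb000000000002", "OwnerId": "222222222222", "ImageOwnerAlias": "aws-marketplace"},
    {"ImageId": "ami-0cccc000000000003", "OwnerId": "123456789012"},
    {"ImageId": "ami-0dddd000000000004", "OwnerId": "555555555555"},
    {"ImageId": "ami-0eeee000000000005", "OwnerId": "999999999999"},
]
SAMPLE_CONFIG = {"ImageCriteria": [{"ImageProviders": ["amazon", "aws-marketplace"]},
                                   {"ImageProviders": ["123456789012"]}]}

if __name__ == "__main__":
    # Treat 999999999999 as the account running the check: its own AMI stays allowed.
    print(validate_image_criteria(SAMPLE_CONFIG))  # []
    for image_id, ok in audit_report(SAMPLE_IMAGES, SAMPLE_CONFIG, "999999999999").items():
        print(image_id, "allowed" if ok else "NOT allowed")
```

Running the validator before calling ReplaceImageCriteriaInAllowedImagesSettings catches the shape errors the API would reject, and the report lets you compare your expectation with the Allowed image column the console shows in audit mode before anything is enforced.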
Allowed AMIs operations
The Allowed AMIs feature has three operational modes for managing the image criteria: enabled, disabled, and audit mode. These allow you to enable or disable the image criteria, or review them as needed.
Enabled
When Allowed AMIs is enabled:
- The ImageCriteria are applied.
- Only allowed AMIs are discoverable in the EC2 console and by APIs that use images (for example, APIs that describe, copy, store, or perform other actions that use images).
- Instances can only be launched using allowed AMIs.
Disabled
When Allowed AMIs is disabled:
- The ImageCriteria are not applied.
- No restrictions are placed on AMI discoverability or usage.
Audit mode
In audit mode:
- The ImageCriteria are applied, but no restrictions are placed on AMI discoverability or usage.
- In the EC2 console, for each AMI, the Allowed image field displays either Yes or No to indicate whether the AMI will be discoverable and available to users in the account when Allowed AMIs is enabled.
- In the command line, the response for the describe-images operation includes "ImageAllowed": true or "ImageAllowed": false to indicate whether the AMI will be discoverable and available to users in the account when Allowed AMIs is enabled.
- In the EC2 console, the AMI Catalog displays Not allowed next to AMIs that won't be discoverable or available to users in the account when Allowed AMIs is enabled.
Best practices for implementing Allowed AMIs
When implementing Allowed AMIs, consider these best practices to ensure a smooth transition and minimize potential disruptions to your Amazon environment.
- Enable audit mode
  Begin by enabling Allowed AMIs in audit mode. This mode allows you to see which AMIs would be affected by your criteria without actually restricting access, providing a risk-free evaluation period.
- Set Allowed AMIs criteria
  Carefully establish which AMI providers align with your organization's security policies, compliance requirements, and operational needs.
  Note
  We recommend specifying the amazon alias to allow AMIs created by Amazon, ensuring that Amazon managed services you use can continue to launch EC2 instances in your account.
- Check for impact on expected business processes
  Run the describe-instance-image-metadata command and filter the response to identify any instances that were launched with AMIs that don't meet the specified criteria. This information can guide your decision to either update your launch configurations to use compliant AMIs (for example, specifying a different AMI in a launch template) or adjust your criteria to allow these AMIs.
- Enable Allowed AMIs
  Once you've confirmed that the criteria will not adversely affect expected business processes, enable Allowed AMIs.
- Monitor instance launches
  Continue to monitor instance launches from AMIs across your applications and the Amazon managed services you use, such as Amazon EMR, Amazon ECS, Amazon EKS, and Amazon Elastic Beanstalk. Check for any unexpected issues and make necessary adjustments to the Allowed AMIs criteria.
- Pilot new AMIs
  To test third-party AMIs that do not comply with your current Allowed AMIs settings, Amazon recommends the following approaches:
  - Use a separate Amazon Web Services account: Create an account with no access to your business-critical resources. Ensure that the Allowed AMIs setting is not enabled in this account, or that the AMIs you want to test are explicitly allowed, so that you can test them.
  - Test in another Amazon Web Services Region: Use a Region where the third-party AMIs are available, but where you have not yet enabled the Allowed AMIs settings.
  These approaches help ensure your business-critical resources remain secure while you test new AMIs.
Required IAM permissions
To use the Allowed AMIs feature, you need the following IAM permissions (EC2 actions):
- ec2:GetAllowedImagesSettings
- ec2:EnableAllowedImagesSettings
- ec2:DisableAllowedImagesSettings
- ec2:ReplaceImageCriteriaInAllowedImagesSettings
Enable audit mode and specify criteria
Use the following procedures to enable the audit mode for Allowed AMIs and specify the Allowed AMIs criteria in your account for the specified Region.
Enable Allowed AMIs
Use the following procedures to enable Allowed AMIs in your account for the specified Region.
Disable Allowed AMIs
Use the following procedures to disable Allowed AMIs in your account for the specified Region.
Update Allowed AMIs criteria
Use the following procedures to update the Allowed AMIs criteria in your account for the specified Region.
Identify Allowed AMIs state and criteria
Use the following procedures to identify the current state of the Allowed AMIs setting and the Allowed AMIs criteria.
Identify AMIs that meet the Allowed AMIs criteria
Use the following procedures to identify the AMIs that are allowed or not allowed for the account.
Note
The following can only be done when Allowed AMIs is in audit mode.
Identify whether instances were launched with AMIs that aren't allowed
Use the following procedures to identify the instances that were launched with an AMI that does not meet the Allowed AMIs criteria.
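The following Python script is an added example, not code from the EC2 documentation or from the AWS CLI project; it ties together the best-practice sequence above (audit mode, criteria, impact check, enforce) and the procedures in this section for one Region, driving the AWS CLI through subprocess. The command names follow the API operations listed under Required IAM permissions. Assumptions not stated on the page: the get-allowed-images-settings response carries State and ImageCriteria, and the describe-instance-image-metadata response is a list named InstanceImageMetadata whose items carry InstanceId and ImageMetadata.ImageAllowed. SAMPLE_METADATA is a constructed stand-in for that response.

```python
"""Stage Allowed AMIs in one Region: audit mode, criteria, impact check, then enforce.

Added example, not code from the EC2 documentation or the AWS CLI project.
Assumed (not on the page): get-allowed-images-settings returns "State" and
"ImageCriteria"; describe-instance-image-metadata returns
InstanceImageMetadata[] with InstanceId and ImageMetadata.ImageAllowed.
SAMPLE_METADATA is constructed for an offline dry run of the impact check.
"""
import json
import subprocess
import tempfile

# Constructed stand-in for a describe-instance-image-metadata response in audit mode.
SAMPLE_METADATA = {
    "InstanceImageMetadata": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "ImageMetadata": {"ImageId": "ami-0aaaa000000000001", "OwnerId": "111111111111",
                           "ImageOwnerAlias": "amazon", "ImageAllowed": True}},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "ImageMetadata": {"ImageId": "ami-0dddd000000000004", "OwnerId": "555555555555",
                           "ImageAllowed": False}},
        {"InstanceId": "i-0a1b2c3d4e5f60003",
         "ImageMetadata": {"ImageId": "ami-0eeee000000000005", "OwnerId": "999999999999",
                           "ImageAllowed": True}},
    ]
}


def aws_ec2(region: str, *args: str) -> dict:
    """Run one `aws ec2 ...` command in the given Region and parse its JSON output."""
    cmd = ["aws", "ec2", *args, "--region", region, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def instances_on_disallowed_amis(response: dict) -> list[tuple[str, str]]:
    """(InstanceId, ImageId) for every instance whose AMI fails the criteria.

    In audit mode ImageAllowed reports what *would* be blocked once the feature
    is enabled, so a non-empty result means enabling now would break relaunch
    or scale-out paths that reuse those AMIs.
    """
    flagged = []
    for item in response.get("InstanceImageMetadata", []):
        meta = item.get("ImageMetadata", {})
        if meta.get("ImageAllowed") is False:
            flagged.append((item["InstanceId"], meta.get("ImageId", "unknown")))
    return flagged


def criteria_match(settings: dict, wanted: dict) -> bool:
    """True when the stored ImageCriteria equal the criteria we submitted.

    Object order and value order are irrelevant, so compare sorted forms.
    """
    def norm(cfg: dict) -> list[list[str]]:
        return sorted(sorted(c.get("ImageProviders", [])) for c in cfg.get("ImageCriteria", []))
    return norm(settings) == norm(wanted)


def rollout(region: str, criteria: dict, enforce: bool = False) -> list[tuple[str, str]]:
    """Audit first; switch to 'enabled' only if nothing running would be blocked."""
    aws_ec2(region, "enable-allowed-images-settings",
            "--allowed-images-settings-state", "audit-mode")
    # --cli-input-json takes the whole request body, which is exactly the
    # {"ImageCriteria": [...]} document the documentation shows.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(criteria, fh)
    aws_ec2(region, "replace-image-criteria-in-allowed-images-settings",
            "--cli-input-json", f"file://{fh.name}")
    settings = aws_ec2(region, "get-allowed-images-settings")
    if settings.get("State") != "audit-mode" or not criteria_match(settings, criteria):
        raise RuntimeError(f"unexpected Allowed AMIs settings in {region}: {settings}")
    flagged = instances_on_disallowed_amis(aws_ec2(region, "describe-instance-image-metadata"))
    for instance_id, image_id in flagged:
        print(f"{region}: {instance_id} runs {image_id}, which the criteria would block")
    if enforce and not flagged:
        aws_ec2(region, "enable-allowed-images-settings",
                "--allowed-images-settings-state", "enabled")
    return flagged


if __name__ == "__main__":
    # Offline dry run of the impact check on the constructed sample.
    print(instances_on_disallowed_amis(SAMPLE_METADATA))
```

Run rollout once per Region, because the setting is Regional; with enforce left False it stops at the audit-mode impact report, and with enforce True it only flips the state to enabled when no running instance was launched from an AMI the criteria would block. Instances that are flagged need either a compliant AMI in their launch template or an added provider in the criteria before enforcement.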