Make an AMI public - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Make an AMI public

You can make your AMI publicly available by sharing it with all Amazon Web Services accounts.

If you want to prevent the public sharing of your AMIs, you can enable block public access for AMIs. This blocks any attempts to make an AMI public, helping to prevent unauthorized access and potential misuse of AMI data. Note that enabling block public access does not affect your AMIs that are already publicly available; they remain publicly available.

To allow only specific accounts to use your AMI to launch instances, see Share an AMI with specific Amazon accounts.

Considerations

Consider the following before making an AMI public.

  • Ownership – To make an AMI public, your Amazon Web Services account must own the AMI.

  • Region – AMIs are a Regional resource. When you share an AMI, it is available only in the Region from which you shared it. To make an AMI available in a different Region, copy the AMI to the Region and then share it. For more information, see Copy an AMI.

  • Block public access – To publicly share an AMI, block public access for AMIs must be disabled in each Region in which the AMI will be publicly shared. After you've publicly shared the AMI, you can re-enable block public access for AMIs to prevent further public sharing of your AMIs.

  • Some AMIs can't be made public – If your AMI includes one of the following components, you can't make it public (but you can share the AMI with specific Amazon Web Services accounts):

    • Encrypted volumes

    • Snapshots of encrypted volumes

    • Product codes

  • Avoid exposing sensitive data – To avoid exposing sensitive data when you share an AMI, read the security considerations in Guidelines for shared Linux AMIs and follow the recommended actions.

  • Usage – When you share an AMI, users can only launch instances from the AMI. They can’t delete, share, or modify it. However, after they have launched an instance using your AMI, they can then create an AMI from the instance they launched.

  • Automatic deprecation – By default, the deprecation date of all public AMIs is set to two years from the AMI creation date. You can set the deprecation date to earlier than two years. To cancel the deprecation date, or to move the deprecation to a later date, you must make the AMI private by only sharing it with specific Amazon Web Services accounts.

  • Remove obsolete AMIs – After a public AMI reaches its deprecation date, if no new instances were launched from the AMI for six or more months, Amazon eventually removes the public sharing property so that obsolete AMIs don’t appear in the public AMI lists.

  • Billing – You are not billed when your AMI is used by other Amazon Web Services accounts to launch instances. The accounts that launch instances using the AMI are billed for the instances that they launch.

Share an AMI with all Amazon accounts (share publicly)

After you make an AMI public, it is available in Community AMIs in the console, which you can access from the AMI Catalog in the left navigator in the EC2 console or when launching an instance using the console. Note that it can take a short while for an AMI to appear in Community AMIs after you make it public.

Console
To make an AMI public
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose AMIs.

  3. Select your AMI from the list, and then choose Actions, Edit AMI permissions.

  4. Under AMI availability, choose Public.

  5. Choose Save changes.

Amazon CLI

Each AMI has a launchPermission property that controls which Amazon Web Services accounts, besides the owner's, are allowed to use that AMI to launch instances. By modifying the launchPermission property of an AMI, you can make the AMI public (which grants launch permissions to all Amazon Web Services accounts), or share it with only the Amazon Web Services accounts that you specify.

You can add or remove account IDs from the list of accounts that have launch permissions for an AMI. To make the AMI public, specify the all group. You can specify both public and explicit launch permissions.

To make an AMI public
  1. Use the modify-image-attribute command as follows to add the all group to the launchPermission list for the specified AMI.

    aws ec2 modify-image-attribute \ --image-id ami-0abcdef1234567890 \ --launch-permission "Add=[{Group=all}]"
  2. To verify the launch permissions of the AMI, use the describe-image-attribute command.

    aws ec2 describe-image-attribute \ --image-id ami-0abcdef1234567890 \ --attribute launchPermission
  3. (Optional) To make the AMI private again, remove the all group from its launch permissions. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.

    aws ec2 modify-image-attribute \ --image-id ami-0abcdef1234567890 \ --launch-permission "Remove=[{Group=all}]"
PowerShell

Each AMI has a launchPermission property that controls which Amazon Web Services accounts, besides the owner's, are allowed to use that AMI to launch instances. By modifying the launchPermission property of an AMI, you can make the AMI public (which grants launch permissions to all Amazon Web Services accounts), or share it with only the Amazon Web Services accounts that you specify.

You can add or remove account IDs from the list of accounts that have launch permissions for an AMI. To make the AMI public, specify the all group. You can specify both public and explicit launch permissions.

To make an AMI public
  1. Use the Edit-EC2ImageAttribute command as follows to add the all group to the launchPermission list for the specified AMI.

    PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType add -UserGroup all
  2. To verify the launch permissions of the AMI, use the following Get-EC2ImageAttribute command.

    PS C:\> Get-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission
  3. (Optional) To make the AMI private again, remove the all group from its launch permissions. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.

    PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType remove -UserGroup all

Block public access to your AMIs

To prevent the public sharing of your AMIs, you can enable block public access for AMIs. This setting is enabled at the account level, but you need to enable it in each Amazon Web Services Region in which you want to prevent the public sharing of your AMIs.

When block public access is enabled, any attempt to make an AMI public is automatically blocked. However, if you already have public AMIs, they remain publicly available.

To publicly share AMIs, you must disable block public access. When you’re done sharing, it's best practice to re-enable block public access to prevent any unintended public sharing of your AMIs.

You can restrict IAM permissions to an administrator user so that only they can enable or disable block public access for AMIs.

Default settings

The Block public access for AMIs setting is either enabled or disabled by default depending on whether your account is new or existing, and whether you have public AMIs. The following table lists the default settings:

Amazon account Block public access for AMIs default setting
New accounts Enabled

Existing accounts with no public AMIs ¹

Enabled

Existing accounts with one or more public AMIs

Disabled

¹ If your account had one or more public AMIs on or after July 15, 2023, Block public access for AMIs is disabled by default for your account, even if you subsequently made all the AMIs private.

Required IAM permissions

To use block public access for AMIs, you must have the following IAM permissions:

  • EnableImageBlockPublicAccess

  • DisableImageBlockPublicAccess

  • GetImageBlockPublicAccessState

Enable block public access for AMIs

To prevent the public sharing of your AMIs, enable block public access for AMIs at the account level. You must enable block public access for AMIs in each Amazon Web Services Region in which you want to prevent the public sharing of your AMIs. If you already have public AMIs, they will remain publicly available.

Console
To enable block public access for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to enable block public access for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, choose Manage.

  6. Select the Block new public sharing check box, and then choose Update.

    Note

    The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing allowed. When the API has completed the configuration, the value will automatically change to New public sharing blocked.

Amazon CLI
To enable block public access for AMIs

Use the enable-image-block-public-access command.

  • For a specific Region

    aws ec2 enable-image-block-public-access \ --region us-east-1 \ --image-block-public-access-state block-new-sharing

    Expected output

    { "ImageBlockPublicAccessState": "block-new-sharing" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 enable-image-block-public-access \ --region $region \ --image-block-public-access-state block-new-sharing \ --output text) echo -e "$region \t $output" ); done

    Expected output

    Region Public Access State -------------- ---------------------- ap-south-1 block-new-sharing eu-north-1 block-new-sharing eu-west-3 block-new-sharing ...
Note

The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be unblocked. When the API has completed the configuration, the response will be block-new-sharing.

Disable block public access for AMIs

To allow the users in your account to publicly share your AMIs, disable block public access at the account level. You must disable block public access for AMIs in each Amazon Web Services Region in which you want to allow the public sharing of your AMIs.

Console
To disable block public access for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to disable block public access for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, choose Manage.

  6. Clear the Block new public sharing check box, and then choose Update.

  7. Enter confirm when prompted for confirmation, and then choose Allow public sharing.

    Note

    The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing blocked. When the API has completed the configuration, the value will automatically change to New public sharing allowed.

Amazon CLI
To disable block public access for AMIs

Use the disable-image-block-public-access command.

  • For a specific Region

    aws ec2 disable-image-block-public-access --region us-east-1

    Expected output

    { "ImageBlockPublicAccessState": "unblocked" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 disable-image-block-public-access \ --region $region \ --output text) echo -e "$region \t $output" ); done

    Expected output

    Region Public Access State -------------- ---------------------- ap-south-1 unblocked eu-north-1 unblocked eu-west-3 unblocked ...
Note

The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be block-new-sharing. When the API has completed the configuration, the response will be unblocked.

View the block public access state for AMIs

To see whether the public sharing of your AMIs is blocked in your account, you can view the state for block public access for AMIs. You must view the state in each Amazon Web Services Region in which you want to see whether the public sharing of your AMIs is blocked.

Console
To view the block public access state for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to view the block public access state for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, check the Public access field. The value is either New public sharing blocked or New public sharing allowed.

Amazon CLI
To get the block public access state for AMIs

Use the get-image-block-public-access-state command.

  • For a specific Region

    aws ec2 get-image-block-public-access-state --region us-east-1

    Expected output – The value is either block-new-sharing or unblocked.

    { "ImageBlockPublicAccessState": "block-new-sharing" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 get-image-block-public-access-state \ --region $region \ --output text) echo -e "$region \t $output" ); done

    Expected output – The value is either block-new-sharing or unblocked.

    Region Public Access State -------------- ---------------------- ap-south-1 block-new-sharing eu-north-1 unblocked eu-west-3 block-new-sharing ...