Share an AMI with specific Amazon accounts - Amazon Elastic Compute Cloud
ConsiderationsShare an AMI (console)Share an AMI (Tools for Windows PowerShell)Share an AMI (Amazon CLI)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Share an AMI with specific Amazon accounts

You can share an AMI with specific Amazon Web Services accounts without making the AMI public. All you need are the Amazon Web Services account IDs.

An Amazon Web Services account ID is a 12-digit number, such as 012345678901, that uniquely identifies an Amazon Web Services account. For more information, see Viewing Amazon Web Services account identifiers in the Amazon Account Management Reference Guide.

Considerations

Consider the following when sharing AMIs with specific Amazon Web Services accounts.

  • Ownership – To share an AMI, your Amazon Web Services account must own the AMI.

  • Sharing limits – For the maximum number of entities to which an AMI can be shared within a Region, see the Amazon EC2 service quotas.

  • Tags – You can't share user-defined tags (tags that you attach to an AMI). When you share an AMI, your user-defined tags are not available to any Amazon Web Services account that the AMI is shared with.

  • Encryption and keys – You can share AMIs that are backed by unencrypted and encrypted snapshots.

    • The encrypted snapshots must be encrypted with a KMS key. You can’t share AMIs that are backed by snapshots that are encrypted with the default Amazon managed key. For more information, see Share an Amazon EBS snapshot.

    • If you share an AMI that is backed by encrypted snapshots, you must allow the Amazon Web Services accounts to use the KMS keys that were used to encrypt the snapshots. . To set up the key policy that you need to launch Auto Scaling instances when you use a customer managed key for encryption, see Required Amazon KMS key policy for use with encrypted volumes in the Amazon EC2 Auto Scaling User Guide.

  • Region – AMIs are a Regional resource. When you share an AMI, it is only available in that Region. To make an AMI available in a different Region, copy the AMI to the Region and then share it. For more information, see Copy an AMI.

  • Usage – When you share an AMI, users can only launch instances from the AMI. They can’t delete, share, or modify it. However, after they have launched an instance using your AMI, they can then create an AMI from their instance.

  • Copying shared AMIs – If users in another account want to copy a shared AMI, you must grant them read permissions for the storage that backs the AMI. For more information, see Cross-account copying.

  • Billing – You are not billed when your AMI is used by other Amazon Web Services accounts to launch instances. The accounts that launch instances using the AMI are billed for the instances that they launch.

Share an AMI (console)

New console
To grant explicit launch permissions using the console

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose AMIs.

  3. Select your AMI in the list, and then choose Actions, Edit AMI permissions.

  4. Choose Private.

  5. Under Shared accounts, choose Add account ID.

  6. For Amazon Web Services account ID, enter the Amazon Web Services account ID with which you want to share the AMI, and then choose Share AMI.

    To share this AMI with multiple accounts, repeat Steps 5 and 6 until you have added all the required account IDs.

    Note

    You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

  7. Choose Save changes when you are done.

  8. (Optional) To view the Amazon Web Services account IDs with which you have shared the AMI, select the AMI in the list, and choose the Permissions tab. To find AMIs that are shared with you, see Find shared AMIs.

Old console
To grant explicit launch permissions using the console

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose AMIs.

  3. Select your AMI in the list, and then choose Actions, Modify Image Permissions.

  4. Specify the Amazon Web Services account ID of the user with whom you want to share the AMI in the Amazon Account Number field, then choose Add Permission.

    To share this AMI with multiple users, repeat this step until you have added all the required users.

    Note

    You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

  5. Choose Save when you are done.

  6. (Optional) To view the Amazon Web Services account IDs with which you have shared the AMI, select the AMI in the list, and choose the Permissions tab. To find AMIs that are shared with you, see Find shared AMIs.

Share an AMI (Tools for Windows PowerShell)

Use the Edit-EC2ImageAttribute command (Tools for Windows PowerShell) to share an AMI as shown in the following examples.

To grant explicit launch permissions

The following command grants launch permissions for the specified AMI to the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.

PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType add -UserId "account-id"
Note

You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

To remove launch permissions for an account

The following command removes launch permissions for the specified AMI from the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.

PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType remove -UserId "account-id"
To remove all launch permissions

The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command. In the following example, replace the example AMI ID with a valid AMI ID.

PS C:\> Reset-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission

Share an AMI (Amazon CLI)

Use the modify-image-attribute command (Amazon CLI) to share an AMI as shown in the following examples.

To grant explicit launch permissions

The following command grants launch permissions for the specified AMI to the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.

aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Add=[{UserId=account-id}]"
Note

You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.

To remove launch permissions for an account

The following command removes launch permissions for the specified AMI from the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.

aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Remove=[{UserId=account-id}]"
To remove all launch permissions

The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command. In the following example, replace the example AMI ID with a valid AMI ID.

aws ec2 reset-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --attribute launchPermission