Share an AMI with specific Amazon accounts
You can share an AMI with specific Amazon Web Services accounts without making the AMI public. All you need are the Amazon Web Services account IDs.
An Amazon Web Services account ID is a 12-digit number, such as 012345678901, that uniquely identifies an Amazon Web Services account. For more information, see Viewing Amazon Web Services account identifiers in the Amazon Account Management Reference Guide.
Considerations
Consider the following when sharing AMIs with specific Amazon Web Services accounts.
- Ownership – To share an AMI, your Amazon Web Services account must own the AMI.
- Sharing limits – For the maximum number of entities to which an AMI can be shared within a Region, see the Amazon EC2 service quotas.
- Tags – You can't share user-defined tags (tags that you attach to an AMI). When you share an AMI, your user-defined tags are not available to any Amazon Web Services account that the AMI is shared with.
- Encryption and keys – You can share AMIs that are backed by unencrypted and encrypted snapshots.
  - The encrypted snapshots must be encrypted with a KMS key. You can’t share AMIs that are backed by snapshots that are encrypted with the default Amazon managed key. For more information, see Share an Amazon EBS snapshot.
  - If you share an AMI that is backed by encrypted snapshots, you must allow the Amazon Web Services accounts to use the KMS keys that were used to encrypt the snapshots. To set up the key policy that you need to launch Auto Scaling instances when you use a customer managed key for encryption, see Required Amazon KMS key policy for use with encrypted volumes in the Amazon EC2 Auto Scaling User Guide.
- Region – AMIs are a Regional resource. When you share an AMI, it is only available in that Region. To make an AMI available in a different Region, copy the AMI to the Region and then share it. For more information, see Copy an AMI.
- Usage – When you share an AMI, users can only launch instances from the AMI. They can’t delete, share, or modify it. However, after they have launched an instance using your AMI, they can then create an AMI from their instance.
- Copying shared AMIs – If users in another account want to copy a shared AMI, you must grant them read permissions for the storage that backs the AMI. For more information, see Cross-account copying.
- Billing – You are not billed when your AMI is used by other Amazon Web Services accounts to launch instances. The accounts that launch instances using the AMI are billed for the instances that they launch.
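The ownership, account-ID and encryption considerations above can be checked mechanically before any sharing command is run. The following Python is an added example, not part of this guide or of any Amazon tooling. It consumes the JSON that `aws ec2 describe-images`, `aws ec2 describe-snapshots` and `aws kms describe-key` return (the sample data below is constructed, with placeholder account IDs, snapshot IDs and key ARNs) and reports what would make the share fail or be unsafe: the AMI not being owned by the calling account, malformed account IDs, and a backing snapshot encrypted with the default Amazon managed key (reported by describe-key as KeyManager "AWS"). It also lists the customer managed keys whose key policies must allow the target accounts.

```python
"""Pre-flight checks before sharing an AMI with specific accounts.

Added example (not Amazon documentation or tooling). Inputs are shaped like the
JSON from `aws ec2 describe-images`, `aws ec2 describe-snapshots` and
`aws kms describe-key`; the sample data below is constructed with placeholders.
"""
import re

ACCOUNT_ID_RE = re.compile(r"\d{12}")  # an account ID is a 12-digit number

# --- constructed sample data (placeholders, not real resources) --------------
CMK_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"
AWS_MANAGED_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/22222222-2222-2222-2222-222222222222"

SAMPLE_IMAGE = {  # one entry of describe-images "Images"
    "ImageId": "ami-0abcdef1234567890",
    "OwnerId": "111111111111",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa"}},
        {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb"}},
        {"DeviceName": "/dev/xvdc", "Ebs": {"SnapshotId": "snap-0cccccccccccccccc"}},
        {"DeviceName": "/dev/xvdd", "VirtualName": "ephemeral0"},  # instance store
    ],
}
SAMPLE_SNAPSHOTS = {  # describe-snapshots "Snapshots", keyed by SnapshotId
    "snap-0aaaaaaaaaaaaaaaa": {"Encrypted": True, "KmsKeyId": CMK_ARN},
    "snap-0bbbbbbbbbbbbbbbb": {"Encrypted": True, "KmsKeyId": AWS_MANAGED_KEY_ARN},
    "snap-0cccccccccccccccc": {"Encrypted": False},
}
SAMPLE_KEYS = {  # describe-key "KeyMetadata", keyed by key ARN
    CMK_ARN: {"KeyManager": "CUSTOMER"},
    AWS_MANAGED_KEY_ARN: {"KeyManager": "AWS"},  # default aws/ebs key: cannot be shared
}


def invalid_account_ids(account_ids):
    """Return the entries that are not 12-digit account IDs (strings keep leading zeros)."""
    return [a for a in account_ids if not ACCOUNT_ID_RE.fullmatch(str(a).strip())]


def preflight(image, snapshots_by_id, keys_by_arn, my_account_id, target_account_ids):
    """Return {"problems": [...], "keys_to_share": [...]}.

    An empty "problems" list means the share can proceed; "keys_to_share" lists
    the customer managed keys whose policy must grant the target accounts use.
    """
    problems, keys_to_share = [], []

    # Ownership: only the owning account can share the AMI.
    if image.get("OwnerId") != my_account_id:
        problems.append(f"ownership: {image['ImageId']} is owned by "
                        f"{image.get('OwnerId')}, not {my_account_id}")

    # Account IDs: catch typos before they become a grant to the wrong account.
    for bad in invalid_account_ids(target_account_ids):
        problems.append(f"account-id: {bad!r} is not a 12-digit account ID")

    # Encryption: every EBS-backed snapshot must be unencrypted or use a CMK.
    for bdm in image.get("BlockDeviceMappings", []):
        snap_id = bdm.get("Ebs", {}).get("SnapshotId")
        if not snap_id:
            continue  # instance store mapping, nothing to share
        snap = snapshots_by_id.get(snap_id)
        if snap is None:
            problems.append(f"snapshot {snap_id}: not present in describe-snapshots output")
            continue
        if not snap.get("Encrypted"):
            continue  # unencrypted snapshot, shareable as-is
        key_arn = snap.get("KmsKeyId")
        key = keys_by_arn.get(key_arn)
        if key is None:
            problems.append(f"snapshot {snap_id}: key {key_arn} not present in describe-key output")
        elif key.get("KeyManager") == "AWS":
            problems.append(f"snapshot {snap_id}: encrypted with Amazon managed key "
                            f"{key_arn}; the AMI cannot be shared")
        elif key_arn not in keys_to_share:
            keys_to_share.append(key_arn)
    return {"problems": problems, "keys_to_share": keys_to_share}


if __name__ == "__main__":
    report = preflight(SAMPLE_IMAGE, SAMPLE_SNAPSHOTS, SAMPLE_KEYS,
                       "111111111111", ["123456789012", "12345"])
    for line in report["problems"]:
        print("PROBLEM:", line)
    for arn in report["keys_to_share"]:
        print("KEY POLICY NEEDED:", arn)
```

Run against the sample data, the report flags the five-digit account ID and the snapshot on the Amazon managed key, and names the one customer managed key whose policy must be extended before the share is useful to the other account.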
Share an AMI (console)
Share an AMI (Tools for Windows PowerShell)
Use the Edit-EC2ImageAttribute command (Tools for Windows PowerShell) to share an AMI as shown in the following examples.
To grant explicit launch permissions
The following command grants launch permissions for the specified AMI to the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.
PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType add -UserId "account-id"
Note
You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.
To remove launch permissions for an account
The following command removes launch permissions for the specified AMI from the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.
PS C:\> Edit-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission -OperationType remove -UserId "account-id"
To remove all launch permissions
The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command. In the following example, replace the example AMI ID with a valid AMI ID.
PS C:\> Reset-EC2ImageAttribute -ImageId ami-0abcdef1234567890 -Attribute launchPermission
Share an AMI (Amazon CLI)
Use the modify-image-attribute command (Amazon CLI) to share an AMI as shown in the following examples.
To grant explicit launch permissions
The following command grants launch permissions for the specified AMI to the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.
aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Add=[{UserId=account-id}]"
Note
You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch. However, you do need to share any KMS keys used to encrypt snapshots that the AMI references. For more information, see Share an Amazon EBS snapshot.
To remove launch permissions for an account
The following command removes launch permissions for the specified AMI from the specified Amazon Web Services account. In the following example, replace the example AMI ID with a valid AMI ID, and replace account-id with the 12-digit Amazon Web Services account ID.
aws ec2 modify-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --launch-permission "Remove=[{UserId=account-id}]"
To remove all launch permissions
The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command. In the following example, replace the example AMI ID with a valid AMI ID.
aws ec2 reset-image-attribute \
    --image-id ami-0abcdef1234567890 \
    --attribute launchPermission
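The add and remove commands above change one grant at a time, and nothing on the AMI itself tells you whether its current grants still match what you intended. The following Python is an added example, not part of this guide or of any Amazon tooling, and it generalises the two commands into an allowlist reconciliation: it parses the JSON that `aws ec2 describe-image-attribute --attribute launchPermission` returns (a constructed sample is embedded, with placeholder account IDs), reports a public grant (`Group` = `all`) and any account not on the allowlist, and builds the `Add`/`Remove` structure that `modify-image-attribute --launch-permission` accepts as JSON. Emitting the command rather than running it is a design choice so the change can be reviewed first; the same structure can be passed to boto3's `modify_image_attribute` as `LaunchPermission`.

```python
"""Reconcile an AMI's launch permissions against an allowlist of account IDs.

Added example (not Amazon documentation or tooling). The input is the JSON
printed by `aws ec2 describe-image-attribute --attribute launchPermission`;
the sample below is constructed with placeholder account IDs.
"""
import json
import shlex

# Constructed sample: two explicit grants plus a public grant (Group "all").
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ImageId": "ami-0abcdef1234567890",
    "LaunchPermissions": [
        {"UserId": "123456789012"},
        {"UserId": "210987654321"},
        {"Group": "all"},
    ],
})


def current_launch_permissions(describe_json):
    """Return (set_of_account_ids, is_public) from describe-image-attribute JSON."""
    data = json.loads(describe_json)
    accounts, public = set(), False
    for perm in data.get("LaunchPermissions", []):
        if "UserId" in perm:
            accounts.add(perm["UserId"])
        elif perm.get("Group") == "all":
            public = True  # the AMI is public, whatever the explicit grants say
    return accounts, public


def plan_launch_permissions(describe_json, allowed_accounts):
    """Compute the Add/Remove sets that make the grants equal the allowlist.

    The result has the shape modify-image-attribute's --launch-permission takes:
    {"Add": [{"UserId": ...}], "Remove": [{"UserId": ...}, {"Group": "all"}]}.
    A public grant is always removed; an allowlist never contains "everyone".
    """
    current, public = current_launch_permissions(describe_json)
    allowed = set(allowed_accounts)
    add = [{"UserId": a} for a in sorted(allowed - current)]
    remove = [{"UserId": a} for a in sorted(current - allowed)]
    if public:
        remove.append({"Group": "all"})
    return {"Add": add, "Remove": remove}


def modify_command(image_id, plan):
    """Render the plan as one modify-image-attribute command, or None if no change."""
    if not plan["Add"] and not plan["Remove"]:
        return None
    # JSON is accepted for structure parameters; quote it for a POSIX shell.
    return ("aws ec2 modify-image-attribute --image-id " + image_id
            + " --launch-permission " + shlex.quote(json.dumps(plan)))


if __name__ == "__main__":
    allowlist = ["123456789012", "333333333333"]
    accounts, public = current_launch_permissions(SAMPLE_DESCRIBE_OUTPUT)
    print("explicit grants:", sorted(accounts), "public:", public)
    plan = plan_launch_permissions(SAMPLE_DESCRIBE_OUTPUT, allowlist)
    print("plan:", json.dumps(plan))
    print(modify_command("ami-0abcdef1234567890", plan))
```

With the sample data and an allowlist of 123456789012 and 333333333333, the plan adds the new account, removes 210987654321, and removes the public grant; an allowlist that already matches the explicit grants yields a plan that only removes `Group` `all`.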