Share EC2 Image Builder resources
EC2 Image Builder integrates with Amazon Resource Access Manager (Amazon RAM) to allow you to share certain resources with any Amazon Web Services account or through Amazon Organizations. EC2 Image Builder resources that can be shared are:
- Components
- Images
- Recipes
This section provides information to help you share these EC2 Image Builder resources.
Section contents
- Working with shared components, images, and recipes in EC2 Image Builder
- Prerequisites for sharing components, images, and recipes
- Related services
- Sharing across Regions
- Sharing a component, image, or recipe
- Unsharing a shared component, image, or recipe
- Identifying a shared component, image, or recipe
- Shared component, image, and recipe permissions
- Billing and metering
- Resource limits
Working with shared components, images, and recipes in EC2 Image Builder
Component, image, and recipe sharing enables resource owners to share software configurations with other Amazon Web Services accounts or within an Amazon organization. You can manage resource sharing centrally, and define a set of accounts with which the configuration can be shared.
In this model, the Amazon Web Services account that owns the component, image, or recipe (owners) shares it with other Amazon Web Services accounts (consumers). Consumers can associate a shared component with their image pipelines to automatically consume updates to the shared component, image, or recipe.
A component, image, or recipe owner can share these resources with:
- Specific Amazon Web Services accounts inside or outside of its organization in Amazon Organizations.
- An organizational unit (OU) inside of its organization in Amazon Organizations.
- Its entire organization in Amazon Organizations.
- Amazon Organizations or OUs outside of its organization.
Prerequisites for sharing components, images, and recipes
To share an Image Builder component, image, or recipe:
- You must own the component, image, or recipe in your Amazon Web Services account. You cannot share resources that have been shared with you.
- The Amazon Key Management Service (Amazon KMS) key associated with encrypted resources must be explicitly shared with the target accounts, organizations, or OUs.
- If you distribute an image encrypted with Amazon KMS across accounts in different Regions, you must create a KMS key and alias in each target Region. Additionally, the people who will be launching instances in those Regions will need access to the KMS key specified via the key policy.
The following resources that Image Builder creates from your pipeline build are not considered Image Builder resources. Instead, they are external resources that Image Builder distributes in your account, and to the Amazon Web Services Regions, accounts, and organizations or organizational units (OUs) that you specify in your distribution configuration:
- Amazon Machine Images (AMIs)
- Container images that reside in Amazon ECR
For more information about distribution settings for your AMI, see Create and update AMI distribution configurations. For more information about distribution settings for your container image in Amazon ECR, see Create and update distribution settings for container images.
For more information about sharing your AMI, see Shared AMIs.
Related services
Amazon Resource Access Manager
Component, image, and recipe sharing integrate with Amazon Resource Access Manager (Amazon RAM). Amazon RAM is a service that enables you to share your Amazon resources with any Amazon account or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share and the consumers with whom to share them. Consumers can be individual Amazon Web Services accounts, organizational units, or an entire organization in Amazon Organizations.
Sharing across Regions
Shared components, images, and recipes can be shared only in a specified Amazon Region. When you share these resources, they will not replicate across Regions.
Sharing a component, image, or recipe
To share an Image Builder component, image, or recipe, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon accounts. A resource share specifies the resources to share and the consumers with whom they are shared. To add the component, image, or recipe to a new resource share, you must first create the resource share using the Amazon RAM console.
If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared component, image, or recipe. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared resource after accepting the invitation.
The following options are available for sharing your resources:
Option 1: Create a RAM resource share
When you create a RAM resource share, you can share a component, image, or recipe that you own in a single step. Use one of the following methods to create your resource share:
- Console: To create your resource share using the Amazon RAM console, see Share Amazon resources owned by you in the Amazon RAM User Guide.
- Amazon CLI: To create your resource share using the Amazon RAM command line interface, run the create-resource-share command in the Amazon CLI.
Option 2: Apply a resource policy and promote to a RAM resource share
The second option for sharing your resources involves two steps, running commands in the Amazon CLI for both. The first step uses Image Builder commands in the Amazon CLI to apply resource-based policies to the shared resource. The second step promotes the resource to a RAM resource share using the promote-resource-share-created-from-policy Amazon RAM command in the Amazon CLI to ensure that the resource is visible to all principals with whom you've shared it.
- Apply the resource policy: To successfully apply the resource policy, you must ensure that the account with which you are sharing has permission to access any underlying resources. Choose the tab that matches your resource type for the applicable command.
  Note: To set the correct policies for sharing and unsharing a resource, the resource owner must have imagebuilder:put* permissions.
- Promote as a RAM resource share: To ensure that the resource is visible to all principals with whom you've shared it, run the promote-resource-share-created-from-policy Amazon RAM command in the Amazon CLI.
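As an added example that is not part of this page or of the Image Builder tooling, the following POSIX shell script stages the two steps of Option 2 for any of the four shareable resource types: it builds the resource policy for a set of consumer accounts and prints the apply and promote commands rather than running them, so the grant can be reviewed before anything is shared. It assumes the Get*/List* action names used in AWS's resource-policy samples; every ARN and account ID in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the page or the Image Builder tooling: stage Option 2
# (apply a resource policy, then promote the share RAM created from it) by
# printing the CLI commands instead of running them. Assumed: the Get*/List*
# action names mirror AWS's samples; all ARNs and account IDs are placeholders.

# Map an Image Builder ARN to its put-*-policy subcommand, the flag that takes
# the ARN, and the two read-only actions a consumer needs for that type.
policy_target() {
  case "$1" in
    *:component/*)        echo "put-component-policy --component-arn imagebuilder:GetComponent imagebuilder:ListComponents" ;;
    *:image/*)            echo "put-image-policy --image-arn imagebuilder:GetImage imagebuilder:ListImages" ;;
    *:image-recipe/*)     echo "put-image-recipe-policy --image-recipe-arn imagebuilder:GetImageRecipe imagebuilder:ListImageRecipes" ;;
    *:container-recipe/*) echo "put-container-recipe-policy --container-recipe-arn imagebuilder:GetContainerRecipe imagebuilder:ListContainerRecipes" ;;
    *) echo "unsupported ARN: $1" >&2; return 1 ;;
  esac
}

# Build the policy document that grants the listed consumer accounts read
# access. Each account ID must be exactly 12 digits; a typo would share the
# resource with an unintended account, so the function fails closed instead.
build_policy() {
  arn=$1; get=$2; list=$3; shift 3
  principals=""
  for acct in "$@"; do
    case "$acct" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) echo "invalid account id: $acct" >&2; return 1 ;;
    esac
    principals="$principals${principals:+,}\"arn:aws:iam::$acct:root\""
  done
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"ShareWithConsumers","Effect":"Allow","Principal":{"AWS":[%s]},"Action":["%s","%s"],"Resource":["%s"]}]}' \
    "$principals" "$get" "$list" "$arn"
}

# Print step 1 (apply the policy) and step 2 (promote the share). The share ARN
# is only known after step 1: look it up with "aws ram get-resource-shares --resource-owner SELF".
share_commands() {
  arn=$1; share_arn=$2; shift 2
  target=$(policy_target "$arn") || return 1
  set -- $target "$@"
  sub=$1; flag=$2; get=$3; list=$4; shift 4
  policy=$(build_policy "$arn" "$get" "$list" "$@") || return 1
  printf "aws imagebuilder %s %s '%s' --policy '%s'\n" "$sub" "$flag" "$arn" "$policy"
  printf "aws ram promote-resource-share-created-from-policy --resource-share-arn '%s'\n" "$share_arn"
}

# Constructed placeholders: a component owned by 111122223333 shared with one consumer.
share_commands "arn:aws:imagebuilder:us-east-1:111122223333:component/demo/1.0.0/1" \
  "arn:aws:ram:us-east-1:111122223333:resource-share/PLACEHOLDER" 444455556666
```

Pipe the printed commands into a shell only after confirming the principals and the KMS key sharing noted in the prerequisites above.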
Unsharing a shared component, image, or recipe
To unshare a shared component, image, or recipe that you own, you must remove it from the resource share. You can do this using the Amazon Resource Access Manager console or the Amazon CLI.
Note
To unshare a component, image, or recipe, the consumer cannot have any dependencies on them. The consumer must remove any dependencies on the shared resources before the owner can unshare them.
To unshare a shared component, image, or recipe that you own using the Amazon Resource Access Manager console
See Updating a Resource Share in the Amazon RAM User Guide.
To unshare a shared component, image, or recipe that you own using the Amazon CLI
Use the disassociate-resource-share command to stop sharing the resource.
Identifying a shared component, image, or recipe
Owners and consumers can identify shared components, images, and image recipes using Image Builder commands in the Amazon CLI.
Identify a shared component
Run the list-components
Identify a shared image
Run the list-images
Identify a shared container image
Run the list-images
Identify a shared image recipe
Run the list-image-recipes
Identify a shared container recipe
Run the list-container-recipes
Shared component, image, and recipe permissions
Permissions for owners
Owners cannot delete a shared component, image, or image recipe until it is no longer shared. An owner cannot unshare these resources until none of the consumers depend on them.
Permissions for consumers
Consumers can read a component, image, or image recipe, but cannot modify them in any way. They cannot view or modify these resources if they are owned by other consumers or the owner of the resource. Consumers can use shared components and images in image recipes to create custom images. Consumers can use shared image recipes to create their own custom images.
Billing and metering
There is no charge to use EC2 Image Builder.
Resource limits
Shared components, images, and image recipes count toward the corresponding resource limits of the owner only. The resource limits of the consumers are not affected by the resources that have been shared with them.