You can share an AMI with specific AWS accounts without making the AMI public. All you need are the AWS account IDs.
AMIs are a regional resource. Therefore, sharing an AMI makes it available in that region. To make an AMI available in a different region, copy the AMI to the region and then share it. For more information, see Copying an AMI.
Note
If you are sharing an AMI containing a snapshot of an encrypted volume, see Sharing an Amazon EBS Snapshot for restrictions that apply.
Sharing an AMI (Console)
To grant explicit launch permissions using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose AMIs.
- Select your AMI in the list, and then choose Actions, Modify Image Permissions.
- Specify the AWS account number of the user with whom you want to share the AMI in the AWS Account Number field, then choose Add Permission. To share this AMI with multiple users, repeat this step until you have added all the required users.
- To allow create volume permissions for snapshots, select Add “create volume” permissions to the following associated snapshots when creating permissions.
Note
You do not need to share the Amazon EBS snapshots that an AMI references in order to share the AMI. Only the AMI itself needs to be shared; the system automatically provides the instance access to the referenced Amazon EBS snapshots for the launch.
- Choose Save when you are done.
- (Optional) To view the AWS account IDs with which you have shared the AMI, select the AMI in the list, and choose the Permissions tab. To find AMIs that are shared with you, see Finding Shared AMIs.
Sharing an AMI (AWS CLI)
Use the modify-image-attribute command (AWS CLI) to share an AMI as shown in the following examples.
To grant explicit launch permissions
The following command grants launch permissions for the specified AMI to the specified AWS account.
aws ec2 modify-image-attribute --image-id ami-12345678 --launch-permission "{\"Add\":[{\"UserId\": \"123456789012\"}]}"
The following command grants create volume permission for a snapshot.
aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type add --user-ids 123456789012
To remove launch permissions for an account
The following command removes launch permissions for the specified AMI from the specified AWS account:
aws ec2 modify-image-attribute --image-id ami-12345678 --launch-permission "{\"Remove\":[{\"UserId\": \"123456789012\"}]}"
The following command removes create volume permission for a snapshot.
aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012
To remove all launch permissions
The following command removes all public and explicit launch permissions from the specified AMI. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.
aws ec2 reset-image-attribute --image-id ami-12345678 --attribute launchPermission
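The following is an added example, not part of the original AWS documentation: a Python audit that reads the JSON printed by `aws ec2 describe-image-attribute --attribute launchPermission`, compares the grants with an allowlist of approved account IDs, and builds the `Remove` payload for the `modify-image-attribute` command shown above. The sample output, the second account ID, and the function name are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape returned by:
#   aws ec2 describe-image-attribute --image-id ami-12345678 --attribute launchPermission
SAMPLE_OUTPUT = """
{
  "ImageId": "ami-12345678",
  "LaunchPermissions": [
    {"UserId": "123456789012"},
    {"UserId": "210987654321"},
    {"Group": "all"}
  ]
}
"""

ACCOUNT_ID = re.compile(r"\d{12}")  # AWS account IDs are 12 digits


def audit_launch_permissions(describe_json, approved_accounts):
    """Return (findings, remove_payload) for one AMI (hypothetical helper).

    findings: one string per grant that falls outside the allowlist.
    remove_payload: JSON for --launch-permission, or None if nothing to revoke.
    """
    doc = json.loads(describe_json)
    image_id = doc["ImageId"]
    findings, to_remove = [], []
    for grant in doc.get("LaunchPermissions", []):
        if grant.get("Group") == "all":
            findings.append(f"{image_id}: PUBLIC (Group=all)")
            to_remove.append({"Group": "all"})
        elif "UserId" in grant:
            uid = grant["UserId"]
            if not ACCOUNT_ID.fullmatch(uid):
                findings.append(f"{image_id}: malformed account id {uid!r}")
            elif uid not in approved_accounts:
                findings.append(f"{image_id}: unapproved account {uid}")
                to_remove.append({"UserId": uid})
        else:
            # Any other grant type is reported for manual review, not auto-revoked.
            findings.append(f"{image_id}: review grant {grant}")
    payload = json.dumps({"Remove": to_remove}) if to_remove else None
    return findings, payload


if __name__ == "__main__":
    found, payload = audit_launch_permissions(SAMPLE_OUTPUT, {"123456789012"})
    print("\n".join(found))
    print("--launch-permission", repr(payload))
```

Pass the returned payload to `aws ec2 modify-image-attribute --launch-permission` to revoke only the unexpected grants while leaving approved accounts in place.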