

# Amazon EC2 Mac instances
<a name="ec2-mac-instances"></a>

EC2 Mac instances are ideal for developing, building, testing, and signing applications for Apple platforms, such as iPhone, iPad, Mac, Vision Pro, Apple Watch, Apple TV, and Safari. You can connect to your Mac instance using SSH or Apple Remote Desktop (ARD).

**Note**  
The **unit of billing** is the **dedicated host**. The instances running on that host have no additional charge.

Amazon EC2 Mac instances natively support the macOS operating system.
+ **EC2 x86 Mac instances** (`mac1.metal`) are built on 2018 Mac mini hardware powered by 3.2 GHz Intel eighth-generation (Coffee Lake) Core i7 processors, 6 physical and 12 logical cores, and 32 GiB of memory.
+ **EC2 M1 Mac instances** (`mac2.metal`) are built on 2020 Mac mini hardware powered by Apple silicon M1 processor, 8 CPU cores, 8 GPU cores, 16 GiB of memory, and the 16-core Apple Neural Engine.
+ **EC2 M1 Ultra Mac instances** (`mac2-m1ultra.metal`) are built on 2022 Mac Studio hardware powered by Apple silicon M1 Ultra processor, 20 CPU cores, 64 GPU cores, 128 GiB of memory, and the 32-core Apple Neural Engine.
+ **EC2 M2 Mac instances** (`mac2-m2.metal`) are built on 2023 Mac mini hardware powered by Apple silicon M2 processor, 8 CPU cores, 10 GPU cores, 24 GiB of memory, and the 16-core Apple Neural Engine.
+ **EC2 M2 Pro Mac instances** (`mac2-m2pro.metal`) are built on 2023 Mac mini hardware powered by Apple silicon M2 Pro processor, 12 CPU cores, 19 GPU cores, 32 GiB of memory, and the 16-core Apple Neural Engine.
+ **EC2 M4 Mac instances** (`mac-m4.metal`) are built on 2024 Mac mini hardware powered by Apple silicon M4 processor, 10 CPU cores, 10 GPU cores, 24 GiB of memory, and the 16-core Apple Neural Engine.
+ **EC2 M4 Pro Mac instances** (`mac-m4pro.metal`) are built on 2024 Mac mini hardware powered by Apple silicon M4 Pro processor, 14 CPU cores, 20 GPU cores, 48 GiB of memory, and the 16-core Apple Neural Engine.

Amazon EC2 Mac Dedicated Hosts support [Dedicated Host auto recovery](dedicated-hosts-recovery.md) and [reboot-based host maintenance](dedicated-hosts-maintenance.md).

**Topics**
+ [Considerations](#mac-instance-considerations)
+ [Instance readiness](#mac-instance-readiness)
+ [EC2 macOS AMIs](#ec2-macos-images)
+ [EC2 macOS Init](#ec2-macos-init)
+ [Amazon EC2 System Monitor for macOS](#mac-instance-system-monitor)
+ [Related resources](#related-resources)
+ [Launch a Mac instance using the AWS Management Console or the AWS CLI](mac-instance-launch.md)
+ [Connect to your Mac instance using SSH or a GUI](connect-to-mac-instance.md)
+ [Update the operating system and software on Amazon EC2 Mac instances](mac-instance-updates.md)
+ [Increase the size of an EBS volume on your Mac instance](mac-instance-increase-volume.md)
+ [Stop or terminate your Amazon EC2 Mac instance](mac-instance-stop.md)
+ [Configure System Integrity Protection for Amazon EC2 Mac instances](mac-sip-settings.md)
+ [Find supported macOS versions for your Amazon EC2 Mac Dedicated Host](macos-firmware-visibility.md)
+ [Subscribe to macOS AMI notifications](macos-subscribe-notifications.md)
+ [Retrieve macOS AMI IDs using AWS Systems Manager Parameter Store API](macos-ami-ids-parameter-store.md)
+ [Amazon EC2 macOS AMIs release notes](macos-ami-overview.md)

## Considerations
<a name="mac-instance-considerations"></a>

The following considerations apply to Mac instances:
+ Mac instances are available only as bare metal instances on [Dedicated Hosts](dedicated-hosts-overview.md), with a minimum allocation period of 24 hours before you can release the Dedicated Host. You can launch one Mac instance per Dedicated Host. You can share the Dedicated Host with the AWS accounts or organizational units within your AWS organization, or the entire AWS organization.
+ Mac instances are available in different AWS Regions. For a list of Mac instance availability in each of the AWS Regions, see [Amazon EC2 instance types by Region](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-instance-regions.html).
+ Mac instances are available only as On-Demand Instances. They are not available as Spot Instances or Reserved Instances. You can save money on Mac instances by purchasing a [Savings Plan](https://docs.aws.amazon.com/savingsplans/latest/userguide/).
+ The compatibility of different Mac instance types with specific macOS Amazon Machine Images (AMIs) varies. For more information, see [Amazon EC2 macOS AMIs release notes](macos-ami-overview.md).
+ EBS hotplug is supported.
+ AWS does not manage or support the internal SSD on the Apple hardware. We strongly recommend that you use Amazon EBS volumes instead. EBS volumes provide the same elasticity, availability, and durability benefits on Mac instances as they do on any other EC2 instance.
+ We recommend using an Amazon EBS volume with 10,000 IOPS and 400 MiB/s throughput with Mac instances for optimal performance. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) in the *Amazon EBS User Guide*.
+ Mac instances support [Amazon EC2 Auto Scaling](https://aws.amazon.com/blogs/compute/implementing-autoscaling-for-ec2-mac-instances/).
+ On x86 Mac instances, automatic software updates are disabled. We recommend that you apply updates and test them on your instance before you put the instance into production. For more information, see [Update the operating system and software on Amazon EC2 Mac instances](mac-instance-updates.md).
+ When you stop or terminate a Mac instance, a scrubbing workflow is performed on the Dedicated Host. For more information, see [Stop or terminate your Amazon EC2 Mac instance](mac-instance-stop.md).
+ **Important**  
  Apple Intelligence features are not available when booting Mac hardware from an external volume. As EC2 Mac instances boot from external EBS volumes by default, they do not support Apple Intelligence features.
+ **Warning**  
  Do not use FileVault. If you enable FileVault, the host fails to boot because the partitions are locked. If data encryption is required, use Amazon EBS encryption to avoid boot issues and performance impact. With Amazon EBS encryption, encryption operations occur on the host servers, ensuring the security of both data-at-rest and data-in-transit between the instances and their attached EBS storage. For more information, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the *Amazon EBS User Guide*.

## Instance readiness
<a name="mac-instance-readiness"></a>

After you launch a Mac instance, you'll need to wait until the instance is ready before you can connect to it. For an AWS vended AMI with an x86 Mac instance or an Apple silicon Mac instance, the launch time can range from approximately 6 minutes to 20 minutes. Depending on the chosen Amazon EBS volume sizes, the inclusion of additional scripts in *user data*, or additional loaded software on a custom macOS AMI, the launch time might increase.

You can use a small shell script, like the one below, to poll the describe-instance-status API and learn when the instance is ready for connections. In the following command, replace the example instance ID with your own.

```
for i in $(seq 1 200); do aws ec2 describe-instance-status --instance-ids=i-1234567890abcdef0 \
    --query='InstanceStatuses[0].InstanceStatus.Status'; sleep 5; done;
```
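
The loop above keeps polling for all 200 iterations and does not stop when the instance becomes ready. The following added example (not part of the original AWS page) returns as soon as the instance is `running` and both status checks report `ok`, and gives up after a timeout. The function names, exit codes and default timings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, exit codes and
# default timings are assumptions made for this illustration.

TAB=$(printf '\t')

# Classify one line of text output holding three tab-separated fields:
# instance state, instance status check, system status check.
# The CLI prints "None" while the instance is not yet running, because
# describe-instance-status returns only running instances by default.
classify_status() {
    case "$1" in
        "running${TAB}ok${TAB}ok") echo ready ;;
        *impaired*)                echo impaired ;;
        *)                         echo waiting ;;
    esac
}

# wait_for_mac_instance INSTANCE_ID [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 when ready, 1 on timeout, 2 on timeout with an impaired check.
wait_for_mac_instance() {
    instance_id=$1
    timeout=${2:-1800}   # the page cites roughly 6 to 20 minutes for launch
    interval=${3:-15}
    start=$(date +%s)
    while :; do
        # A failed CLI call (for example, expired credentials) counts as
        # "not ready yet"; its error message still reaches stderr.
        line=$(aws ec2 describe-instance-status \
            --instance-ids "$instance_id" \
            --query 'InstanceStatuses[0].[InstanceState.Name,InstanceStatus.Status,SystemStatus.Status]' \
            --output text) || line="None"
        result=$(classify_status "$line")
        if [ "$result" = ready ]; then
            return 0
        fi
        now=$(date +%s)
        if [ $((now - start)) -ge "$timeout" ]; then
            if [ "$result" = impaired ]; then
                return 2
            fi
            return 1
        fi
        sleep "$interval"
    done
}

# Usage (requires the AWS CLI and your own instance ID):
#   wait_for_mac_instance i-1234567890abcdef0 && echo "ready to connect"
```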

## EC2 macOS AMIs
<a name="ec2-macos-images"></a>

Amazon EC2 macOS is designed to provide a stable, secure, and high-performance environment for developer workloads running on Amazon EC2 Mac instances. EC2 macOS AMIs include packages that enable easy integration with AWS, such as launch configuration tools and popular AWS libraries and tools.

For more information about EC2 macOS AMIs, see [Amazon EC2 macOS AMIs release notes](macos-ami-overview.md).

AWS provides updated EC2 macOS AMIs on a regular basis that include updates to packages owned by AWS and the latest fully-tested macOS version. Additionally, AWS provides updated AMIs with the latest minor version updates or major version updates as soon as they can be fully tested and vetted. If you do not need to preserve data or customizations to your Mac instances, you can get the latest updates by launching a new instance using the current AMI and then terminating the previous instance. Otherwise, you can choose which updates to apply to your Mac instances.

For information about how to subscribe to macOS AMI notifications, see [Subscribe to macOS AMI notifications](macos-subscribe-notifications.md).

## EC2 macOS Init
<a name="ec2-macos-init"></a>

EC2 macOS Init is used to initialize EC2 Mac instances at launch. It uses priority groups to run logical groups of tasks at the same time.

The launchd plist file is `/Library/LaunchDaemons/com.amazon.ec2.macos-init.plist`. The files for EC2 macOS Init are located in `/usr/local/aws/ec2-macos-init`.

For more information, see [https://github.com/aws/ec2-macos-init](https://github.com/aws/ec2-macos-init).

## Amazon EC2 System Monitor for macOS
<a name="mac-instance-system-monitor"></a>

Amazon EC2 System Monitor for macOS provides CPU utilization metrics to Amazon CloudWatch. It sends these metrics to CloudWatch over a custom serial device in 1-minute periods. You can enable or disable this agent as follows. It is enabled by default.

```
sudo setup-ec2monitoring [enable | disable]
```

**Note**  
Amazon EC2 System Monitor for macOS is not currently supported on Apple silicon Mac instances.

## Related resources
<a name="related-resources"></a>

For information about pricing, see [Pricing](https://aws.amazon.com/ec2/instance-types/mac/#Pricing).

For more information about Mac instances, see [Amazon EC2 Mac Instances](https://aws.amazon.com/ec2/instance-types/mac/).

For more information about hardware specifications and network performance of Mac instances, see [General purpose instances](https://docs.aws.amazon.com/ec2/latest/instancetypes/gp.html).

# Launch a Mac instance using the AWS Management Console or the AWS CLI
<a name="mac-instance-launch"></a>

EC2 Mac instances require a [Dedicated Host](dedicated-hosts-overview.md). You first need to allocate a host to your account, and then launch the instance onto the host.

You can launch a Mac instance using the AWS Management Console or the AWS CLI. 

## Launch a Mac instance using the console
<a name="mac-instance-launch-console"></a>

**To launch a Mac instance onto a Dedicated Host**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. Allocate the Dedicated Host, as follows:

   1. In the navigation pane, choose **Dedicated Hosts**.

   1. Choose **Allocate Dedicated Host** and then do the following:

      1. For **Instance family**, choose a **Mac** instance family. If the instance family doesn’t appear in the list, it’s not supported in the currently selected Region.

      1. For **Instance type**, choose the instance type based on the selected instance family.

      1. For **Availability Zone**, choose the Availability Zone for the Dedicated Host.

      1. For **Quantity**, keep **1**.

      1. Choose **Allocate**.

1. Launch the instance on the host, as follows:

   1. Select the Dedicated Host that you created and then do the following:

      1. Choose **Actions**, **Launch instance(s) onto host**.

      1. Under **Application and OS Images (Amazon Machine Image)**, select a macOS AMI.

      1. Under **Instance type**, select the Mac instance type.

      1. Under **Advanced details**, verify that **Tenancy**, **Tenancy host by**, and **Tenancy host ID** are preconfigured based on the Dedicated Host you created. Update **Tenancy affinity** as needed.

      1. Complete the wizard, specifying EBS volumes, security groups, and key pairs as needed.

      1. In the **Summary** panel, choose **Launch instance**.

   1. A confirmation page lets you know that your instance is launching. Choose **View all instances** to close the confirmation page and return to the console. The initial state of an instance is `pending`. The instance is ready when its state changes to `running` and it passes status checks.

## Launch a Mac instance using the AWS CLI
<a name="mac-instance-launch-cli"></a>

**Allocate the Dedicated Host**

Use the following [allocate-hosts](https://docs.aws.amazon.com/cli/latest/reference/ec2/allocate-hosts.html) command to allocate a Dedicated Host for your Mac instance, replacing the `instance-type` with a valid Mac instance type, and the `region` and `availability-zone` with the appropriate ones for your environment.

```
aws ec2 allocate-hosts --region us-east-1 --instance-type mac1.metal --availability-zone us-east-1b --auto-placement "on" --quantity 1
```

**Launch the instance on the host**

Use the following [run-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html) command to launch a Mac instance, again replacing the `instance-type` with a valid Mac instance type, and the `region` and `availability-zone` with the ones used previously.

```
aws ec2 run-instances --region us-east-1 --instance-type mac1.metal --placement Tenancy=host --image-id ami_id --key-name my-key-pair
```

The initial state of an instance is `pending`. The instance is ready when its state changes to `running` and it passes status checks. Use the following [describe-instance-status](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-status.html) command to display status information for your instance.

```
aws ec2 describe-instance-status --instance-ids i-017f8354e2dc69c4f
```

The following is example output for an instance that is running and has passed status checks.

```
{
    "InstanceStatuses": [
        {
            "AvailabilityZone": "us-east-1b",
            "InstanceId": "i-017f8354e2dc69c4f",
            "InstanceState": {
                "Code": 16,
                "Name": "running"
            },
            "InstanceStatus": {
                "Details": [
                    {
                        "Name": "reachability",
                        "Status": "passed"
                    }
                ],
                "Status": "ok"
            },
            "SystemStatus": {
                "Details": [
                    {
                        "Name": "reachability",
                        "Status": "passed"
                    }
                ],
                "Status": "ok"
            }
        }
    ]
}
```

# Connect to your Mac instance using SSH or a GUI
<a name="connect-to-mac-instance"></a>

You can connect to your Mac instance using SSH or a graphical user interface (GUI).

Multiple users can access the OS simultaneously. Typically there is a 1:1 mapping of users to GUI sessions, due to the built-in Screen Sharing service on port 5900. SSH on macOS supports multiple sessions, up to the `MaxSessions` limit in the `sshd_config` file.

## Connect to your instance using SSH
<a name="mac-instance-ssh"></a>

Amazon EC2 Mac instances do not allow remote root SSH by default. The ec2-user account is configured to log in remotely using SSH. The ec2-user account also has **sudo** privileges. After you connect to your instance, you can add other users.

To support connecting to your instance using SSH, launch the instance using a key pair and a security group that allows SSH access, and ensure that the instance has internet connectivity. You provide the `.pem` file for the key pair when you connect to the instance.

Use the following procedure to connect to your Mac instance using an SSH client. If you receive an error while attempting to connect to your instance, see [Troubleshoot issues connecting to your Amazon EC2 Linux instance](TroubleshootingInstancesConnecting.md).

**To connect to your instance using SSH**

1. Verify that your local computer has an SSH client installed by entering **ssh** at the command line. If your computer doesn't recognize the command, search for an SSH client for your operating system and install it.

1. Get the public DNS name of your instance. Using the Amazon EC2 console, you can find the public DNS name on both the **Details** and the **Networking** tabs. Using the AWS CLI, you can find the public DNS name using the [describe-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html) command.

1. Locate the `.pem` file for the key pair that you specified when you launched the instance.

1. Connect to your instance using the following **ssh** command, specifying the public DNS name of the instance and the `.pem` file.

   ```
   ssh -i /path/key-pair-name.pem ec2-user@instance-public-dns-name
   ```

Password authentication is disabled to prevent brute-force password attacks. Before you make changes to the SSH configuration, open `/usr/local/aws/ec2-macos-init/init.toml` and set `secureSSHDConfig` to `false`.

## Connect to your instance's graphical user interface (GUI)
<a name="mac-instance-vnc"></a>

Use the following procedure to connect to your instance's GUI using VNC, Apple Remote Desktop (ARD), or the Apple Screen Sharing application (included with macOS).

**Note**  
macOS 10.14 and later allow control only if Screen Sharing is enabled through [System Preferences](https://support.apple.com/guide/remote-desktop/enable-remote-management-apd8b1c65bd/mac).

**To connect to your instance using ARD client or VNC client**

1. Verify that your local computer has an ARD client or a VNC client that supports ARD installed. On macOS, you can leverage the built-in Screen Sharing application. Otherwise, search for ARD for your operating system and install it.

1. From your local computer, [connect to your instance using SSH](#mac-instance-ssh).

1. Set up a password for the ec2-user account using the **passwd** command as follows.

   ```
   [ec2-user ~]$ sudo passwd ec2-user
   ```

1. Install and start macOS Screen Sharing using the following command.

   ```
   [ec2-user ~]$ sudo launchctl enable system/com.apple.screensharing
   [ec2-user ~]$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
   ```

1. Disconnect from your instance by typing **exit** and pressing Enter.

1. From your computer, connect to your instance using the following **ssh** command. In addition to the options shown in the previous section, use the **-L** option to enable port forwarding and forward all traffic on local port 5900 to the ARD server on the instance.

   ```
   ssh -L 5900:localhost:5900 -i /path/key-pair-name.pem ec2-user@instance-public-dns-name
   ```

1. From your local computer, use the ARD client or VNC client that supports ARD to connect to `localhost:5900`. For example, use the Screen Sharing application on macOS as follows:

   1. Open **Finder** and select **Go**.

   1. Select **Connect to Server**.

   1. In the **Server Address** field, enter `vnc://localhost:5900`.

   1. Log in as prompted, using **ec2-user** as the username and the password that you created for the ec2-user account.

## Modify macOS screen resolution on Mac instances
<a name="mac-screen-resolution"></a>

After you connect to your EC2 Mac instance using ARD or a VNC client that supports ARD, you can modify the screen resolution of your macOS environment using any of the publicly available macOS tools or utilities, such as [displayplacer](https://github.com/jakehilborn/displayplacer).

**To modify the screen resolution using displayplacer**

1. Install displayplacer.

   ```
   [ec2-user ~]$ brew tap jakehilborn/jakehilborn && brew install displayplacer
   ```

1. Show the current screen information and possible screen resolutions.

   ```
   [ec2-user ~]$ displayplacer list
   ```

1. Apply the desired screen resolution.

   ```
   [ec2-user ~]$ displayplacer "id:<screenID> res:<width>x<height> origin:(0,0) degree:0"
   ```

   For example:

   ```
   RES="2560x1600"
   displayplacer "id:69784AF1-CD7D-B79B-E5D4-60D937407F68 res:${RES} scaling:off origin:(0,0) degree:0"
   ```

# Update the operating system and software on Amazon EC2 Mac instances
<a name="mac-instance-updates"></a>

The following topic explains how to update the operating system and software on Apple silicon Mac instances (Mac2, Mac2-m1ultra, Mac2-m2, Mac2-m2pro, Mac-m4, and Mac-m4pro) and x86 Mac instances (Mac1).

**Warning**  
Installation of beta or preview macOS versions is only available on Apple silicon Mac instances. Amazon EC2 doesn't qualify beta or preview macOS versions and doesn't ensure instances will remain functional after an update to a pre-production macOS version.   
Attempting to install beta or preview macOS versions on Amazon EC2 x86 Mac instances will lead to degradation of your Amazon EC2 Mac Dedicated Host when you stop or terminate your instances, and will prevent you from starting or launching a new instance on that host.

**Note**  
If you perform an in-place macOS update before AWS releases an official AMI, the update applies to the selected host only. If you have other hosts, or if you launch new hosts, you must perform the same update process on those hosts as well. Each macOS version requires a minimum firmware version on the underlying Apple Mac hardware. The in-place update only updates the firmware on the selected host and doesn't transfer to other existing or new hosts. To check which macOS versions are compatible with your Amazon EC2 Mac Dedicated Host, see [Find supported macOS versions for your Amazon EC2 Mac Dedicated Host](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-firmware-visibility.html).

## Update software on Apple silicon Mac instances
<a name="mac2"></a>

### Prerequisites
<a name="mac2-ena-update"></a>

Due to an update in the network driver configuration, ENA driver version 1.0.2 isn't compatible with macOS 13.3 and later. If you want to install any beta, preview, or production macOS version 13.3 or later and have not installed the latest ENA driver, use the following procedure to install a new version of the driver.

**To install a new version of the ENA driver**

1. In a Terminal window, connect to your Apple silicon Mac instance using [SSH](connect-to-mac-instance.md#mac-instance-ssh).

1. Update Homebrew and download the ENA application into the `Applications` folder using the following commands.

   ```
   [ec2-user ~]$ brew update
   ```

   ```
   [ec2-user ~]$ brew install amazon-ena-ethernet-dext
   ```

1. Disconnect from your instance by typing **exit** and pressing return.

1. Use the VNC client to activate the ENA application.

   1. Set up the VNC client using [Connect to your instance's graphical user interface (GUI)](connect-to-mac-instance.md#mac-instance-vnc).

   1. Once you have connected to your instance using the Screen Sharing application, go to the **Applications** folder and open the ENA application.

   1. Choose **Activate**.

   1. To confirm the driver was activated correctly, run the following command in the Terminal window. The output of the command shows that the old driver is in the terminating state and the new driver is in the activated state.

      ```
      systemextensionsctl list;
      ```

   1. After you restart the instance, only the new driver will be present.

### Perform the software update
<a name="mac2-software-update"></a>

On Apple silicon Mac instances, you must complete several steps to perform an in-place operating system update. This includes delegating ownership of the Amazon EBS root volume to the EBS root volume administrative user. You can choose to do this either automatically using an Amazon EC2 API, or you can do it manually by running the commands on your instance.

#### Automated volume ownership delegation (Recommended)

**Considerations**
+ It can take between 30 and 90 minutes for the volume ownership delegation task to complete. During this time, the instance is unreachable.
+ The following macOS versions are supported:
  + **Mac2 | Mac2-m1ultra** — macOS Ventura (version 13.0 or later)
  + **Mac2-m2 | Mac2-m2pro** — macOS Ventura (version 13.2 or later)
  + **Mac-m4 | Mac-m4pro** — macOS Sequoia (version 15.6 or later)
+ Instances must have only one bootable volume, and each attached volume can have only one additional admin user.

**Step 1: Set a password and enable the secure token for the EBS root volume administrative user**

You must set a password and enable the secure token for the Amazon EBS root volume administrative user (`ec2-user`).

**Note**  
The password and secure token are set the first time you connect to an Apple silicon Mac instance using the GUI. If you previously [connected to the instance using the GUI](connect-to-mac-instance.md#mac-instance-vnc), you **do not** need to perform these steps.

1. [Connect to the instance using SSH](connect-to-mac-instance.md#mac-instance-ssh).

1. Set the password for the `ec2-user` user.

   ```
   $ sudo /usr/bin/dscl . -passwd /Users/ec2-user
   ```

1. Enable the secure token for the `ec2-user` user. For `-oldPassword`, specify the same password from the previous step. For `-newPassword`, specify a different password. The following command assumes that you have your old and new passwords saved in `.txt` files.

   ```
   $ sysadminctl -oldPassword `cat old_password.txt` -newPassword `cat new_password.txt`
   ```

1. Verify that the secure token is enabled.

   ```
   $ sysadminctl -secureTokenStatus ec2-user
   ```

**Step 2: Delegate ownership of the Amazon EBS root volume to the EBS root volume administrative user**

To delegate ownership, you must create a volume ownership delegation task.

1. Use the [create-delegate-mac-volume-ownership-task](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-delegate-mac-volume-ownership-task.html) command to create the task. For `--instance-id`, specify the ID of the instance. For `--mac-credentials`, specify the following credentials:
   + **Internal disk administrative user**
     + **Username** — Only the default administrative user (`aws-managed-user`) is supported and it is used by default. You can't specify a different administrative user.
     + **Password** — If you did not change the default password for `aws-managed-user`, specify the default password, which is *blank*. Otherwise, specify your password.
   + **Amazon EBS root volume administrative user**
     + **Username** — If you did not change the default administrative user, specify `ec2-user`. Otherwise, specify the username for your administrative user.
     + **Password** — Specify the password that you set for the root volume administrative user in Step 1 above.

   ```
   aws ec2 create-delegate-mac-volume-ownership-task \
   --instance-id i-1234567890abcdef0 \
   --mac-credentials file://mac-credentials.json
   ```

   The following is the contents of the `mac-credentials.json` file referenced in the preceding example.

   ```
   {
     "internalDiskPassword":"internal-disk-admin_password",
     "rootVolumeUsername":"root-volume-admin_username",
     "rootVolumepassword":"root-volume-admin_password"
   }
   ```

1. Wait for the volume ownership delegation task to complete and for the instance to return to a healthy state. Use the [describe-mac-modification-tasks](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-mac-modification-tasks.html) command. For `--mac-modification-task-id`, specify the ID of the volume ownership delegation task from the previous step.

   ```
   aws ec2 describe-mac-modification-tasks \
   --mac-modification-task-id task-id
   ```

1. After the volume ownership delegation task completes, continue to Step 3.
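
The `mac-credentials.json` file used in Step 2 holds two administrator passwords in plain text. The following added example (not part of the original AWS page) writes that file with owner-only permissions, escapes the values so that quotes or backslashes in a password still produce valid JSON, and refuses to overwrite an existing file. The function names and the `ROOT_PW` variable are assumptions made for this example; the JSON key names are copied from the file shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are assumptions;
# the JSON key names are copied from the mac-credentials.json shown above.

# Escape backslash and double quote so a value is a valid JSON string body.
json_escape() {
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Succeeds only if the value has no control characters (tab, newline, ...),
# which this simple escaper does not handle.
no_control_chars() {
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" = "$1" ]
}

# write_mac_credentials FILE INTERNAL_DISK_PW ROOT_VOLUME_USER ROOT_VOLUME_PW
# Pass an empty string for INTERNAL_DISK_PW if the default (blank) password
# of aws-managed-user was never changed.
write_mac_credentials() {
    file=$1
    for value in "$2" "$3" "$4"; do
        no_control_chars "$value" || return 1
    done
    internal_pw=$(printf '%s' "$2" | json_escape)
    root_user=$(printf '%s' "$3" | json_escape)
    root_pw=$(printf '%s' "$4" | json_escape)
    (
        umask 077   # create the file readable and writable by the owner only
        set -C      # noclobber: refuse to overwrite an existing file
        printf '{\n  "internalDiskPassword":"%s",\n  "rootVolumeUsername":"%s",\n  "rootVolumepassword":"%s"\n}\n' \
            "$internal_pw" "$root_user" "$root_pw" > "$file"
    )
}

# Usage (requires the AWS CLI; ROOT_PW is a hypothetical variable that you
# fill from a prompt or a secrets manager, not from a literal in the script):
#   dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
#   write_mac_credentials "$dir/mac-credentials.json" "" ec2-user "$ROOT_PW"
#   aws ec2 create-delegate-mac-volume-ownership-task \
#       --instance-id i-1234567890abcdef0 \
#       --mac-credentials "file://$dir/mac-credentials.json"
```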

**Step 3: Update the software**  
After you have delegated ownership of the Amazon EBS root volume, follow the steps described in [Update software on x86 Mac instances](#x86-mac1) (below) to update the software.

#### Manual volume ownership delegation

As you work through this procedure, you create two passwords. One password is for the Amazon EBS root volume administrative user (`ec2-user`), and the other password is for the internal disk administrative user (`aws-managed-user`). Remember these passwords since you will use them as you work through the procedure.

**Note**  
With this procedure on macOS Big Sur, you can only perform minor updates such as updating from macOS Big Sur 11.7.3 to macOS Big Sur 11.7.4. For macOS Monterey or above, you can perform major software updates.

**To access the internal disk**

1. From your local computer, in the Terminal, connect to your Apple silicon Mac instance using SSH with the following command. For more information, see [Connect to your instance using SSH](connect-to-mac-instance.md#mac-instance-ssh).

   ```
   ssh -i /path/key-pair-name.pem ec2-user@instance-public-dns-name
   ```

1. Install and start macOS Screen Sharing using the following command.

   ```
   [ec2-user ~]$ sudo launchctl enable system/com.apple.screensharing
   [ec2-user ~]$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
   ```

1. Set a password for `ec2-user` with the following command. Remember the password as you will use it later.

   ```
   [ec2-user ~]$ sudo /usr/bin/dscl . -passwd /Users/ec2-user
   ```

1. Disconnect from the instance by typing **exit** and pressing return.

1. From your local computer, in the Terminal, reconnect to your instance with an SSH tunnel to the VNC port using the following command.

   ```
   ssh -i /path/key-pair-name.pem -L 5900:localhost:5900 ec2-user@instance-public-dns-name
   ```
   **Note**  
   Do not exit this SSH session until the following VNC connection and GUI steps are completed. When the instance is restarted, the connection will close automatically.

1. From your local computer, connect to `localhost:5900` using the following steps:

   1. Open **Finder** and select **Go**.

   1. Select **Connect to Server**.

   1. In the **Server Address** field, enter `vnc://localhost:5900`.

1. In the macOS window, connect to the remote session of the Apple silicon Mac instance as `ec2-user` with the password you created in [Step 3](#passwd-step).

1. Access the internal disk, named **InternalDisk**, using one of the following options.

   1. For macOS Ventura or above: Open **System Settings**, select **General** in the left pane, then **Startup Disk** at the lower right of the pane.

   1. For macOS Monterey or below: Open **System Preferences**, select **Startup Disk**, then unlock the pane by choosing the lock icon in the lower left of the window.
   **Troubleshooting tip**  
   If you need to mount the internal disk, run the following command in the Terminal.  

   ```
   APFSVolumeName="InternalDisk" ; SSDContainer=$(diskutil list | grep "Physical Store disk0" -B 3 | grep "/dev/disk" | awk {'print $1'} ) ; diskutil apfs addVolume $SSDContainer APFS $APFSVolumeName
   ```

1. Choose the internal disk, named **InternalDisk**, and select **Restart**. Select **Restart** again when prompted.
   **Important**  
   If the internal disk is named **Macintosh HD** instead of **InternalDisk**, your instance needs to be stopped and restarted so the dedicated host can be updated. For more information, see [Stop or terminate your Amazon EC2 Mac instance](mac-instance-stop.md).

Use the following procedure to delegate ownership to the administrative user. When you reconnect to your instance with SSH, you boot from the internal disk using the special administrative user (`aws-managed-user`). The initial password for `aws-managed-user` is blank, so you need to overwrite it on your first connection. Then, you need to repeat the steps to install and start macOS Screen Sharing since the boot volume has changed.

**To delegate ownership to the administrator on an Amazon EBS volume**

1. From your local computer, in the Terminal, connect to your Apple silicon Mac instance using the following command. 

   ```
   ssh -i /path/key-pair-name.pem aws-managed-user@instance-public-dns-name
   ```

1. When you receive the warning `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`, use one of the following commands to resolve this issue.

   1. Clear out the known hosts using the following command. Then, repeat the previous step.

      ```
      rm ~/.ssh/known_hosts
      ```

   1. Add the following to the SSH command in the previous step.

      ```
      -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
      ```

1. Set the password for `aws-managed-user` with the following command. The `aws-managed-user` initial password is blank, so you need to overwrite it on your first connection.

   1. Run the following command.

      ```
      [aws-managed-user ~]$ sudo /usr/bin/dscl . -passwd /Users/aws-managed-user password
      ```

   1. When you receive the prompt, `Permission denied. Please enter user's old password:`, press enter.
**Troubleshooting tip**  
If you get the error `passwd: DS error: eDSAuthFailed`, use the following command.  

      ```
      [aws-managed-user ~]$ sudo passwd aws-managed-user
      ```

1. Install and start macOS Screen Sharing using the following command.

   ```
   [aws-managed-user ~]$ sudo launchctl enable system/com.apple.screensharing
   sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
   ```

1. Disconnect from the instance by typing **exit** and pressing return.

1. From your local computer, in the Terminal, reconnect to your instance with an SSH tunnel to the VNC port using the following command.

   ```
   ssh -i /path/key-pair-name.pem -L 5900:localhost:5900 aws-managed-user@instance-public-dns-name
   ```

1. From your local computer, connect to `localhost:5900` using the following steps:

   1. Open **Finder** and select **Go**.

   1. Select **Connect to Server**.

   1. In the **Server Address** field, enter `vnc://localhost:5900`.

1. In the macOS window, connect to the remote session of the Apple silicon Mac instance as `aws-managed-user` with the password you created in [Step 3](#amu-passwd).
**Note**  
When prompted to sign in with your Apple ID, select **Set Up Later**.

1. Access the Amazon EBS volume using one of the following options.

   1. For macOS Ventura or later: Open **System Settings**, select **General** in the left pane, then **Startup Disk** at the lower right of the pane.

   1. For macOS Monterey or earlier: Open **System Preferences**, select **Startup Disk**, then unlock the pane using the lock icon in the lower left of the window.
**Note**  
Until the reboot takes place, when prompted for an administrator password, use the password you set above for `aws-managed-user`. This password might be different from the one you set for `ec2-user` or the default administrator account on your instance. The following instructions specify when to use your instance's administrator password.

1. Select the Amazon EBS volume (the volume not named **InternalDisk** in the **Startup Disk** window) and choose **Restart**.
**Note**  
If you have multiple bootable Amazon EBS volumes attached to your Apple silicon Mac instance, be sure to use a unique name for each volume.

1. Confirm the restart, then choose **Authorize Users** when prompted.

1. On the **Authorize user on this volume** pane, verify that the administrative user (`ec2-user` by default) is selected, then select **Authorize**.

1. Enter the `ec2-user` password you created in [Step 3](#passwd-step) of the previous procedure, then select **Continue**.

1. Enter the password for the special administrative user (`aws-managed-user`) when prompted.

1. From your local computer, in the Terminal, reconnect to your instance using SSH with username `ec2-user`.
**Troubleshooting tip**  
If you get the warning `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`, run the following command and reconnect to your instance using SSH.  

   ```
   rm ~/.ssh/known_hosts
   ```

1. To perform the software update, use the commands under [Update software on x86 Mac instances](#x86-mac1).

------

## Update software on x86 Mac instances
<a name="x86-mac1"></a>

On x86 Mac instances, you can install operating system updates from Apple using the `softwareupdate` command.

**To install operating system updates from Apple on x86 Mac instances**

1. List the packages with available updates using the following command.

   ```
   [ec2-user ~]$ softwareupdate --list
   ```

1. Install all updates or only specific updates. To install specific updates, use the following command.

   ```
   [ec2-user ~]$ sudo softwareupdate --install label
   ```

   To install all updates instead, use the following command.

   ```
   [ec2-user ~]$ sudo softwareupdate --install --all --restart
   ```

System administrators can use AWS Systems Manager to roll out pre-approved operating system updates on x86 Mac instances. For more information, see the [AWS Systems Manager User Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/).

You can use Homebrew to install updates to packages in the EC2 macOS AMIs, so that you have the latest version of these packages on your instances. You can also use Homebrew to install and run common macOS applications on Amazon EC2 macOS. For more information, see the [Homebrew Documentation](https://docs.brew.sh/).

**To install updates using Homebrew**

1. Update Homebrew using the following command.

   ```
   [ec2-user ~]$ brew update
   ```

1. List the packages with available updates using the following command.

   ```
   [ec2-user ~]$ brew outdated
   ```

1. Install all updates or only specific updates. To install specific updates, use the following command.

   ```
   [ec2-user ~]$ brew upgrade package name
   ```

   To install all updates instead, use the following command.

   ```
   [ec2-user ~]$ brew upgrade
   ```

# Increase the size of an EBS volume on your Mac instance
<a name="mac-instance-increase-volume"></a>

You can increase the size of your Amazon EBS volumes on your Mac instance. For more information, see [Amazon EBS Elastic Volumes](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modify-volume.html) in the *Amazon EBS User Guide*.

After you increase the size of the volume, you must increase the size of your APFS container as follows.

**Make increased disk space available for use**

1. Determine if a restart is required. If you resized an existing EBS volume on a running Mac instance, you must [reboot](ec2-instance-reboot.md) the instance to make the new size available. If disk space modification was done during launch time, a reboot will not be required.

   View current status of disk sizes: 

   ```
   [ec2-user ~]$  diskutil list external physical
   /dev/disk0 (external, physical):
      #:                       TYPE NAME                    SIZE       IDENTIFIER
      0:                 GUID_partition_scheme            *322.1 GB     disk0
      1:                 EFI EFI                           209.7 MB     disk0s1
      2:                 Apple_APFS Container disk2        321.9 GB     disk0s2
   ```

1. Copy and paste the following command.

   ```
   [ec2-user ~]$ PDISK=$(diskutil list physical external | head -n1 | cut -d" " -f1)
   APFSCONT=$(diskutil list physical external | grep "Apple_APFS" | tr -s " " | cut -d" " -f8)
   yes | sudo diskutil repairDisk $PDISK
   ```

1. Copy and paste the following command.

   ```
   [ec2-user ~]$ sudo diskutil apfs resizeContainer $APFSCONT 0
   ```

# Stop or terminate your Amazon EC2 Mac instance
<a name="mac-instance-stop"></a>

When you stop a Mac instance, the instance remains in the `stopping` state for about 15 minutes before it enters the `stopped` state.

When you stop or terminate a Mac instance, Amazon EC2 performs a scrubbing workflow on the underlying Dedicated Host to erase the internal SSD, to clear the persistent NVRAM variables, and to update to the latest device firmware. This ensures that Mac instances provide the same security and data privacy as other EC2 Nitro instances. It also allows you to run the latest macOS AMIs. During the scrubbing workflow, the Dedicated Host temporarily enters the pending state. On x86 Mac instances, the scrubbing workflow might take up to 50 minutes to complete. If Amazon EC2 needs to update the device firmware, the workflow might take up to 3 hours to complete. On Apple silicon Mac instances, the scrubbing workflow might take up to 4.5 hours to complete.

You can't start the stopped Mac instance or launch a new Mac instance until after the scrubbing workflow completes, at which point the Dedicated Host enters the `available` state.

Metering and billing is paused when the Dedicated Host enters the `pending` state. You are not charged for the duration of the scrubbing workflow.

## Release the Dedicated Host for your Mac instance
<a name="mac-instance-release-dedicated-host"></a>

When you are finished with your Mac instance, you can release the Dedicated Host. Before you can release the Dedicated Host, you must stop or terminate the Mac instance. You cannot release the host until the allocation period exceeds the 24-hour minimum.

**To release the Dedicated Host**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Instances**.

1. Select the instance and choose **Instance state**, then choose either **Stop instance** or **Terminate instance**.

1. In the navigation pane, choose **Dedicated Hosts**.

1. Select the Dedicated Host and choose **Actions**, **Release host**.

1. When prompted for confirmation, choose **Release**.

# Configure System Integrity Protection for Amazon EC2 Mac instances
<a name="mac-sip-settings"></a>

You can configure System Integrity Protection (SIP) settings for x86 Mac instances and Apple silicon Mac instances. SIP is a critical macOS security feature that helps to prevent unauthorized code execution and system-level modifications. For more information, see [About System Integrity Protection](https://support.apple.com/en-us/102149).

You can either enable or disable SIP completely, or you can selectively enable or disable specific SIP settings. It is recommended that you disable SIP only temporarily to perform necessary tasks, and then reenable it as soon as possible. Leaving SIP disabled could leave your instance vulnerable to malicious code.

SIP configuration is supported in all AWS Regions where Amazon EC2 Mac instances are supported.

**Topics**
+ [Considerations](#mac-sip-considerations)
+ [Default SIP configurations](#mac-sip-defaults)
+ [Check your SIP configuration](#mac-sip-check-settings)
+ [Prerequisites for Apple silicon Mac instances](#mac-sip-prereqs)
+ [Configure SIP settings](#mac-sip-configure)
+ [Check SIP configuration task status](#mac-sip-state)

## Considerations
<a name="mac-sip-considerations"></a>
+ The following Amazon EC2 Mac instance types and macOS versions are supported:
  + **Mac1 | Mac2 | Mac2-m1ultra** — macOS Ventura (version 13.0 or later)
  + **Mac2-m2 | Mac2-m2pro** — macOS Ventura (version 13.2 or later)
  + **Mac-m4 | Mac-m4pro** — macOS Sequoia (version 15.6 or later)
**Note**  
Beta and preview versions of macOS are not supported.
+ You can specify a custom SIP configuration to selectively enable or disable individual SIP settings. If you implement a custom configuration, [connect to the instance and verify the settings](#mac-sip-check-settings) to ensure that your requirements are properly implemented and functioning as intended.

  SIP configurations might change with macOS updates. We recommend that you review custom SIP settings after any macOS version upgrade to ensure continued compatibility and proper functionality of your security configurations.
+ For x86 Mac instances, SIP settings are applied at the instance level. Any root volume attached to the instance will automatically inherit the configured SIP settings.

  For Apple silicon Mac instances, SIP settings are applied at the volume level. Root volumes attached to the instance do not inherit the SIP settings. If you attach another root volume, you must reconfigure the SIP settings to the required state.
+ It can take up to 90 minutes for SIP configuration tasks to complete. The instance remains unreachable while the SIP configuration task is in progress.
+ SIP configurations do not transfer to snapshots or AMIs that you subsequently create from the instance.
+ Apple silicon Mac instances must have only one bootable volume, and each attached volume can have only one additional admin user.

## Default SIP configurations
<a name="mac-sip-defaults"></a>

The following table lists the default SIP configuration for x86 Mac instances and Apple silicon Mac instances.


|  | Apple silicon Mac instances | x86 Mac instances | 
| --- | --- | --- | 
| Apple Internal | Enabled | Disabled | 
| Filesystem Protections | Enabled | Disabled | 
| Base System | Enabled | Enabled | 
| Debugging Restrictions | Enabled | Enabled | 
| Dtrace Restrictions | Enabled | Enabled | 
| Kext Signing | Enabled | Enabled | 
| Nvram Protections | Enabled | Enabled | 

## Check your SIP configuration
<a name="mac-sip-check-settings"></a>

We recommend that you check your SIP configuration before and after making changes to ensure that it is configured as expected.

**To check the SIP configuration for an Amazon EC2 Mac instance**  
[Connect to the instance using SSH](connect-to-mac-instance.md#mac-instance-ssh), and then run the following command at the command line.

```
$ csrutil status
```

The following is example output.

```
System Integrity Protection status: enabled.

Configuration:
    Apple Internal: enabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: disabled
```
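One way to automate the before-and-after check is to compare `csrutil status` output against a per-setting baseline and report every mismatch. The following is an added example, not AWS code: the `sip_drift` function name and the baseline policy are assumptions, and the sample input is the example output shown above.

```shell
#!/bin/sh
# Added example, not AWS code. sip_drift is a hypothetical helper name.

# Sample input: the example `csrutil status` output shown on this page.
SAMPLE_OUTPUT='System Integrity Protection status: enabled.

Configuration:
    Apple Internal: enabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: disabled'

# Constructed baseline (an assumption for this example): the settings this
# workload requires, one "Setting: enabled|disabled" per line.
BASELINE='System Integrity Protection status: enabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled'

# sip_drift BASELINE_TEXT CSRUTIL_OUTPUT
# Prints one line per deviation, in baseline order.
# Exit status: 0 = matches baseline, 1 = drift, 2 = no settings parsed.
sip_drift() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '@@ACTUAL@@'      # separator between the two inputs
        printf '%s\n' "$2"
    } | awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        $0 == "@@ACTUAL@@" { in_actual = 1; next }
        {
            pos = index($0, ":")
            if (pos == 0) next                      # blank or free-text line
            key = trim(substr($0, 1, pos - 1))
            val = tolower(trim(substr($0, pos + 1)))
            sub(/\.$/, "", val)                     # status line ends in "."
            if (val == "") next                     # "Configuration:" header
            if (in_actual) { actual[tolower(key)] = val; seen++ }
            else { n++; name[n] = key; want[n] = val }
        }
        END {
            if (seen == 0) { print "ERROR no SIP settings found in input"; exit 2 }
            for (i = 1; i <= n; i++) {
                k = tolower(name[i])                # setting names compared case-insensitively
                if (!(k in actual)) {
                    printf "MISSING %s: expected %s\n", name[i], want[i]; rc = 1
                } else if (actual[k] != want[i]) {
                    printf "DRIFT %s: expected %s, found %s\n", name[i], want[i], actual[k]; rc = 1
                }
            }
            exit rc + 0
        }'
}

# Run against the sample. On a Mac instance, pass "$(csrutil status)" instead.
sip_drift "$BASELINE" "$SAMPLE_OUTPUT" || echo "baseline check exit status: $?"
```

Because SIP settings can change with macOS updates and do not carry over to snapshots or AMIs, the same check is worth running after an upgrade and on instances launched from a new AMI.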

## Prerequisites for Apple silicon Mac instances
<a name="mac-sip-prereqs"></a>

Before you can configure the SIP settings for Apple silicon Mac instances, you must set a password and enable the secure token for the Amazon EBS root volume administrative user (`ec2-user`).

**Note**  
The password and secure token are set the first time you connect to an Apple silicon Mac instance using the GUI. If you previously [connected to the instance using the GUI](connect-to-mac-instance.md#mac-instance-vnc), or if you are using an x86 Mac instance, you **do not** need to perform these steps.

**Note**  
All macOS usernames and passwords used for macOS authentication are required to be between 4 and 16 characters for use with SIP settings API calls.

**To set a password and enable the secure token for the EBS root volume administrative user**

1. [Connect to the instance using SSH](connect-to-mac-instance.md#mac-instance-ssh).

1. Set the password for the `ec2-user` user.

   ```
   $ sudo /usr/bin/dscl . -passwd /Users/ec2-user
   ```

1. Enable the secure token for the `ec2-user` user. For `-oldPassword`, specify the same password from the previous step. For `-newPassword`, specify a different password. The following command assumes that you have your old and new passwords saved in `.txt` files.

   ```
   $ sysadminctl -oldPassword `cat old_password.txt` -newPassword `cat new_password.txt`
   ```

1. Verify that the secure token is enabled.

   ```
   $ sysadminctl -secureTokenStatus ec2-user
   ```

## Configure SIP settings
<a name="mac-sip-configure"></a>

When you configure the SIP settings for your instance, you can either enable or disable all SIP settings, or you can specify a custom configuration that selectively enables or disables specific SIP settings.

**Note**  
If you implement a custom configuration, [connect to the instance and verify the settings](#mac-sip-check-settings) to ensure that your requirements are properly implemented and functioning as intended.  
SIP configurations might change with macOS updates. We recommend that you review custom SIP settings after any macOS version upgrade to ensure continued compatibility and proper functionality of your security configurations.

To configure the SIP settings for your instance, you must create a SIP configuration task. The SIP configuration task specifies the SIP settings for your instance.

When you create a SIP configuration for an Apple silicon Mac instance, you must specify the following credentials:
+ **Internal disk administrative user**
  + Username — Only the default administrative user (`aws-managed-user`) is supported and it is used by default. You can't specify a different administrative user.
  + Password — If you did not change the default password for `aws-managed-user`, specify the default password, which is *blank*. Otherwise, specify your password.
+ **Amazon EBS root volume administrative user**
  + Username — If you did not change the default administrative user, specify `ec2-user`. Otherwise, specify the username for your administrative user.
  + Password — You must always specify the password.

Use the following methods to create a SIP configuration task.

------
#### [ Console ]

**To create a SIP configuration task using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation panel, choose **Instances** and then select the Amazon EC2 Mac instance.

1. In the **Security** tab, choose **Modify Mac, Modify System Integrity Protection**.

1. To enable all SIP settings, select **Enable SIP**. To disable all SIP settings, clear **Enable SIP**.

1. To specify a custom configuration that selectively enables or disables specific SIP settings, select **Specify a custom SIP configuration**, and then select the SIP settings to enable, or clear the SIP settings to disable.

1. Specify the credentials for the root volume user and internal disk owner.

1. Choose **Create SIP modification task**.

------
#### [ AWS CLI ]

**To create a SIP configuration task using the AWS CLI**  
Use the [create-mac-system-integrity-protection-modification-task](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-mac-system-integrity-protection-modification-task.html) command.

**Enable or disable all SIP settings**  
To completely enable or disable all SIP settings, use only the `--mac-system-integrity-protection-status` parameter.

The following example command enables all SIP settings.

```
aws ec2 create-mac-system-integrity-protection-modification-task \
--instance-id i-0abcdef9876543210 \
--mac-system-integrity-protection-status enabled \
--mac-credentials file://mac-credentials.json
```

**Specify a custom SIP configuration**  
To specify a custom SIP configuration that selectively enables or disables specific SIP settings, specify the `--mac-system-integrity-protection-status` and `--mac-system-integrity-protection-configuration` parameters. In this case, use `mac-system-integrity-protection-status` to specify the overall SIP status, and use `mac-system-integrity-protection-configuration` to selectively enable or disable individual SIP settings.

The following example command creates a SIP configuration task to enable all SIP settings, except `NvramProtections` and `FilesystemProtections`.

```
aws ec2 create-mac-system-integrity-protection-modification-task \
--instance-id i-0abcdef9876543210 \
--mac-system-integrity-protection-status enabled \
--mac-system-integrity-protection-configuration "NvramProtections=disabled, FilesystemProtections=disabled" \
--mac-credentials file://mac-credentials.json
```

The following example command creates a SIP configuration task to disable all SIP settings, except `DtraceRestrictions`.

```
aws ec2 create-mac-system-integrity-protection-modification-task \
--instance-id i-0abcdef9876543210 \
--mac-system-integrity-protection-status disabled \
--mac-system-integrity-protection-configuration "DtraceRestrictions=enabled" \
--mac-credentials file://mac-credentials.json
```

**Contents of the `mac-credentials.json` file**  
The following is the contents of the `mac-credentials.json` file referenced in the preceding examples.

```
{
  "internalDiskPassword":"internal-disk-admin_password",
  "rootVolumeUsername":"root-volume-admin_username",
  "rootVolumepassword":"root-volume-admin_password"
}
```

------

## Check SIP configuration task status
<a name="mac-sip-state"></a>

Use one of the following methods to check the state of SIP configuration tasks.

------
#### [ Console ]

**To view SIP configuration tasks using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation panel, choose **Instances** and then select the Amazon EC2 Mac instance.

1. In the **Security** tab, scroll down to the **Mac modification tasks** section.

------
#### [ AWS CLI ]

**To check the state of SIP configuration tasks using the AWS CLI**  
Use the [describe-mac-modification-tasks](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-mac-modification-tasks.html) command.

------

# Find supported macOS versions for your Amazon EC2 Mac Dedicated Host
<a name="macos-firmware-visibility"></a>

You can view the latest macOS versions supported by your Amazon EC2 Mac Dedicated Host. With this functionality, you can validate whether your Dedicated Host can support instance launches with your preferred macOS versions.

Each macOS version requires a minimum firmware version on the underlying Apple Mac to successfully boot. The Apple Mac firmware version can become outdated if an allocated Mac Dedicated Host has remained idle for an extended period of time or if it has a long running instance on it.

To ensure supportability for the latest macOS versions, you can stop or terminate instances on your allocated Mac Dedicated Host. This triggers the host scrubbing workflow and updates the firmware on the underlying Apple Mac to support the latest macOS versions. A Dedicated Host with a long running instance will automatically be updated when you stop or terminate a running instance.

For more information about the scrubbing workflow, see [Stop or terminate your Amazon EC2 Mac instance](mac-instance-stop.md).

For more information about launching Mac instances, see [Launch a Mac instance using the AWS Management Console or the AWS CLI](mac-instance-launch.md).

You can view information about the latest macOS versions supported on your allocated Dedicated Host using the Amazon EC2 console or the AWS CLI.

------
#### [ Console ]

**To view Dedicated Host firmware information using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Dedicated Hosts**.

1. On the **Dedicated Hosts details** page, under **Latest supported macOS versions**, you can see the latest macOS versions that the host can support.

------
#### [ AWS CLI ]

**To view Dedicated Host firmware information using the AWS CLI**  
Use the [describe-mac-hosts](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-mac-hosts.html) command, replacing `region` with the appropriate AWS Region.

```
$ aws ec2 describe-mac-hosts --region us-east-1
  {
      "MacHosts": [
          {
              "HostId": "h-07879acf49EXAMPLE",
              "MacOSLatestSupportedVersions": [
                  "14.3",
                  "13.6.4",
                  "12.7.3"
              ]
          }
      ]
  }
```

------
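To check a preferred macOS version against this list in a script, the following added example (not AWS code) compares a target version with the values in `MacOSLatestSupportedVersions`. The `host_supports_macos` function name is hypothetical, and the example assumes that a version can boot when it is at or below the listed version of the same major release; the sample list is taken from the example output above.

```shell
#!/bin/sh
# Added example, not AWS code. host_supports_macos is a hypothetical helper.
#
# Assumption: a macOS version can boot on the host when it is at or below the
# listed latest supported version of the same major release.
#
# On a real account the list can be read with the AWS CLI, for example:
#   aws ec2 describe-mac-hosts --region us-east-1 \
#     --query 'MacHosts[0].MacOSLatestSupportedVersions' --output text

# Sample list: the values from the example describe-mac-hosts output above.
VERSIONS='14.3 13.6.4 12.7.3'

# host_supports_macos TARGET_VERSION LISTED_VERSION...
# Listed versions may be separate arguments or one whitespace-separated string.
# Exit status: 0 = supported, 1 = same major listed but target is newer,
#              2 = no release of that major listed, 3 = malformed target.
host_supports_macos() {
    target=$1
    shift
    printf '%s\n' "$@" | tr -s ' \t' '\n\n' | awk -v want="$target" '
        # Compare dotted versions numerically, component by component,
        # so that 13.10 sorts after 13.6.4. Missing components count as 0.
        function cmp(a, b,    x, y, n, m, i, top) {
            n = split(a, x, "."); m = split(b, y, ".")
            top = (n > m) ? n : m
            for (i = 1; i <= top; i++) {
                if ((x[i] + 0) < (y[i] + 0)) return -1
                if ((x[i] + 0) > (y[i] + 0)) return 1
            }
            return 0
        }
        BEGIN {
            if (want !~ /^[0-9]+(\.[0-9]+)*$/) {
                print "invalid version: " want; bad = 1; exit 3
            }
            split(want, w, "."); major = w[1]
        }
        /^[0-9]+(\.[0-9]+)*$/ {
            split($0, v, ".")
            # Keep the highest listed version that shares the target major.
            if (v[1] == major && (latest == "" || cmp($0, latest) > 0)) latest = $0
        }
        END {
            if (bad) exit 3
            if (latest == "") {
                printf "no %s.x release listed for this host\n", major; exit 2
            }
            if (cmp(want, latest) <= 0) {
                printf "%s is supported (host lists %s)\n", want, latest; exit 0
            }
            printf "%s is newer than %s; host firmware must be refreshed\n", want, latest
            exit 1
        }'
}

# Run against the sample list.
host_supports_macos 14.2 "$VERSIONS" || echo "exit status: $?"
host_supports_macos 13.10 "$VERSIONS" || echo "exit status: $?"
```

A non-zero result for a version you need is the cue to stop or terminate the instance on the host so that the scrubbing workflow updates the firmware.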

# Subscribe to macOS AMI notifications
<a name="macos-subscribe-notifications"></a>

To be notified when new AMIs are released or when bridgeOS has been updated, subscribe for notifications using Amazon SNS.

For more information about EC2 macOS AMIs, see [Amazon EC2 macOS AMIs release notes](macos-ami-overview.md).

**To subscribe to macOS AMI notifications**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation bar, change the Region to **US East (N. Virginia)**, if necessary. You must use this Region because the SNS notifications that you are subscribing to were created in this Region.

1. In the navigation pane, choose **Subscriptions**.

1. Choose **Create subscription**.

1. For the **Create subscription** dialog box, do the following:

   1. For **Topic ARN**, copy and paste one of the following Amazon Resource Names (ARNs):
      + **arn:aws:sns:us-east-1:898855652048:amazon-ec2-macos-ami-updates**
      + **arn:aws:sns:us-east-1:898855652048:amazon-ec2-bridgeos-updates**

   1. For **Protocol**, choose one of the following:
      + **Email:**

        For **Endpoint**, type an email address that you can use to receive the notifications. After you create your subscription you'll receive a confirmation message with the subject line `AWS Notification - Subscription Confirmation`. Open the email and choose **Confirm subscription** to complete your subscription.
      + **SMS:**

        For **Endpoint**, type a phone number that you can use to receive the notifications.
      + **AWS Lambda, Amazon SQS, Amazon Data Firehose** (*Notifications come in JSON format*):

        For **Endpoint**, enter the ARN for the Lambda function, SQS queue, or Firehose stream you can use to receive the notifications.

   1. Choose **Create subscription**.

Whenever macOS AMIs are released, we send notifications to the subscribers of the `amazon-ec2-macos-ami-updates` topic. Whenever bridgeOS is updated, we send notifications to the subscribers of the `amazon-ec2-bridgeos-updates` topic. If you no longer want to receive these notifications, use the following procedure to unsubscribe.

**To unsubscribe from macOS AMI notifications**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation bar, change the Region to **US East (N. Virginia)**, if necessary. You must use this Region because the SNS notifications were created in this Region.

1. In the navigation pane, choose **Subscriptions**.

1. Select the subscriptions and then choose **Actions**, **Delete subscriptions**. When prompted for confirmation, choose **Delete**.

# Retrieve macOS AMI IDs using AWS Systems Manager Parameter Store API
<a name="macos-ami-ids-parameter-store"></a>

You must specify an AMI when you launch an instance. An AMI is specific to an AWS Region, operating system, and processor architecture. You can view all of the macOS AMIs in an AWS Region and retrieve the latest macOS AMI by querying the AWS Systems Manager Parameter Store API. Using these public parameters, you don't need to manually look up macOS AMI IDs. Public parameters are available for both x86 and ARM64 macOS AMIs, and can be integrated with your existing AWS CloudFormation templates.

**Required permissions**  
To perform this action, the [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) must have permissions to call the `ssm:GetParameter` API action.

**To view a list of all macOS AMIs in the current AWS Region using the AWS CLI**  
Use the following [get-parameters-by-path](https://docs.aws.amazon.com/cli/latest/reference/ssm/get-parameters-by-path.html) command to view a list of all macOS AMIs in the current Region.

```
aws ssm get-parameters-by-path --path /aws/service/ec2-macos --recursive --query "Parameters[].Name"
```

**To retrieve the AMI ID of the latest major macOS AMI using the AWS CLI**  
Use the following [get-parameter](https://docs.aws.amazon.com/cli/latest/reference/ssm/get-parameter.html) command with the sub-parameter `image_id`. In the following example, replace `sonoma` with a supported macOS major version, `x86_64_mac` with the processor, and `region-code` with a supported AWS Region for which you want the latest macOS AMI ID.

```
aws ssm get-parameter --name /aws/service/ec2-macos/sonoma/x86_64_mac/latest/image_id --region region-code
```

For more information, see [Calling AMI public parameters for macOS](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters-ami.html#public-parameters-ami-macos) in the *AWS Systems Manager User Guide*.

# Amazon EC2 macOS AMIs release notes
<a name="macos-ami-overview"></a>

The following information provides details about the packages included by default in the EC2 macOS AMIs and summarizes the changes for each EC2 macOS AMI release.

For information about how to subscribe to macOS AMI notifications, see [Subscribe to macOS AMI notifications](macos-subscribe-notifications.md).

Mac instances can run one of the following operating systems:
+ macOS Mojave (version 10.14) (x86 Mac instances only)
+ macOS Catalina (version 10.15) (x86 Mac instances only)
+ macOS Big Sur (version 11) (x86 and M1 Mac instances)
+ macOS Monterey (version 12) (x86 and M1 Mac instances)
+ macOS Ventura (version 13) (all Mac instances, M2 and M2 Pro Mac instances support macOS Ventura version 13.2 or later)
+ macOS Sonoma (version 14) (all Mac instances)
+ macOS Sequoia (version 15) (all Mac instances)
**Note**  
M4 and M4 Pro Mac instances support macOS Sequoia version 15.6 or later.

## Approve Local Network Privacy policies for macOS Sequoia
<a name="macos-sequoia-lnp"></a>

macOS Sequoia (version 15) has a new Local Network Privacy feature that impacts users of local IP-based services, including Amazon EC2 Instance Metadata Service (IMDS).

**Important**  
To make sure that you have uninterrupted access to local IP-based services, use the following steps to approve the Local Network Privacy policies.

**To approve Local Network Privacy policies**

1. [Connect to your instance's graphical user interface (GUI)](connect-to-mac-instance.md#mac-instance-vnc).

1. Follow the prompts on the screen to approve the Local Network Privacy policies.

1. After you have approved the policies, create an AMI of your EC2 Mac instance. For more information, see [Create an Amazon EBS-backed AMI](creating-an-ami-ebs.md). 

Any EC2 Mac instances that are launched from the newly created AMI will retain the Local Network Privacy permissions.

## Default packages included in Amazon EC2 macOS AMIs
<a name="macos-ami-default-packages"></a>

The following table describes packages that are included by default in the EC2 macOS AMIs.


| Packages | Release notes | 
| --- | --- | 
|  EC2 macOS Init  |  [https://github.com/aws/ec2-macos-init/tags](https://github.com/aws/ec2-macos-init/tags)  | 
|  EC2 macOS Utils  |  [https://github.com/aws/ec2-macos-utils/tags](https://github.com/aws/ec2-macos-utils/tags)  | 
|  Amazon SSM Agent  |  [https://github.com/aws/amazon-ssm-agent/releases](https://github.com/aws/amazon-ssm-agent/releases)  | 
|  AWS Command Line Interface (AWS CLI) version 2  |  [https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst)  | 
|  Command Line Tools for Xcode  |  [https://developer.apple.com/documentation/xcode-release-notes](https://developer.apple.com/documentation/xcode-release-notes)  | 
|  Homebrew  |  [https://github.com/Homebrew/brew/releases](https://github.com/Homebrew/brew/releases)  | 
|  EC2 Instance Connect  |  [https://github.com/aws/aws-ec2-instance-connect-config/releases](https://github.com/aws/aws-ec2-instance-connect-config/releases)  | 
|  Safari  |  [https://developer.apple.com/documentation/safari-release-notes](https://developer.apple.com/documentation/safari-release-notes)  | 

## Amazon EC2 macOS AMI updates
<a name="macos-ami-change-log"></a>

The following table describes changes included in the EC2 macOS AMI releases. Note that some changes apply to all EC2 macOS AMIs, whereas others apply to only a subset of these AMIs.

### EC2 macOS AMI updates
<a name="monthly-ami-updates"></a>


| Release | Changes | 
| --- | --- | 
| 2026.04.16 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2026.03.17 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2026.03.03 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.12.26 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.12.17 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.11.18 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.09.04 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.08.05 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.06.27 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.05.21 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.05.05 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.03.18 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2025.01.24 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2024.12.20 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2024.10.28 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2024.08.20 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2024.06.07 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 
| 2024.04.12 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/macos-ami-overview.html)  | 