Understand block public access for AMIs - Amazon Elastic Compute Cloud

To prevent the public sharing of your AMIs, you can enable block public access for AMIs. This setting is enabled at the account level, but you need to enable it in each AWS Region in which you want to prevent the public sharing of your AMIs.

When block public access is enabled, any attempt to make an AMI public is automatically blocked. However, if you already have public AMIs, they remain publicly available.

To publicly share AMIs, you must disable block public access. When you’re done sharing, it's best practice to re-enable block public access to prevent any unintended public sharing of your AMIs.

You can restrict IAM permissions to an administrator user so that only they can enable or disable block public access for AMIs.
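Because the setting is per Region and leaves already-public AMIs untouched, an audit has to check both in every Region. The following is an added example, not code from the AWS documentation; it assumes boto3 with credentials and a default Region configured, and the function names and the `--enforce` flag are hypothetical.

```python
import sys

BLOCKED = "block-new-sharing"  # API state value meaning block public access is enabled


def audit_region(ec2, enforce=False):
    """Check one Region. `ec2` is a boto3 EC2 client or a stand-in with the same methods."""
    state = ec2.get_image_block_public_access_state()["ImageBlockPublicAccessState"]
    enabled_now = False
    if state != BLOCKED and enforce:
        ec2.enable_image_block_public_access(ImageBlockPublicAccessState=BLOCKED)
        enabled_now = True
    # Enabling the setting does not unshare anything, so list AMIs that are already public.
    public = []
    kwargs = {"Owners": ["self"], "Filters": [{"Name": "is-public", "Values": ["true"]}]}
    while True:
        page = ec2.describe_images(**kwargs)
        public += [img["ImageId"] for img in page.get("Images", [])]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    return {"state": state, "enabled_now": enabled_now, "public_amis": public}


def audit_account(client_for, regions, enforce=False):
    """Run audit_region in every Region; client_for(region) returns that Region's client."""
    return {r: audit_region(client_for(r), enforce) for r in regions}


def findings(report):
    """Regions needing attention: setting still off, or public AMIs still present."""
    return sorted(r for r, v in report.items()
                  if (v["state"] != BLOCKED and not v["enabled_now"]) or v["public_amis"])


def main(argv):
    import boto3  # imported here so the functions above can be exercised without AWS access
    enforce = "--enforce" in argv  # hypothetical flag: also enable the setting where it is off
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    report = audit_account(lambda r: boto3.client("ec2", region_name=r), regions, enforce)
    for region in sorted(report):
        print(region, report[region])
    return 1 if findings(report) else 0  # non-zero exit when any Region needs attention


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A Region stays in the findings after `--enforce` if it still has public AMIs, because those must be made private separately.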

Default settings

The Block public access for AMIs setting is either enabled or disabled by default depending on whether your account is new or existing, and whether you have public AMIs. The following table lists the default settings:

| AWS account | Block public access for AMIs default setting |
| --- | --- |
| New accounts | Enabled |
| Existing accounts with no public AMIs ¹ | Enabled |
| Existing accounts with one or more public AMIs | Disabled |

¹ If your account had one or more public AMIs on or after July 15, 2023, Block public access for AMIs is disabled by default for your account, even if you subsequently made all the AMIs private.