Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs
To control the discovery and use of Amazon Machine Images (AMIs) by users in your AWS account, you can use the Allowed AMIs feature. This feature allows you to specify criteria that AMIs must meet to be visible and available within your account. When the criteria are enabled, users launching instances will only see and have access to AMIs that comply with the specified criteria. For example, you can specify a list of trusted AMI providers as the criteria, and only AMIs from these providers will be visible and available for use.
Before enabling the Allowed AMIs settings, you can enable audit mode to preview which AMIs will or won't be visible and available for use. This lets you refine the criteria as needed to ensure that only the intended AMIs are visible and available to users in your account. Additionally, you can run the describe-instance-image-metadata command and filter the response to identify any instances that were launched with AMIs that don't meet the specified criteria. This information can guide your decision to either update your launch configurations to use compliant AMIs (for example, specifying a different AMI in a launch template) or adjust your criteria to allow these AMIs.
You specify the Allowed AMIs settings at the account level, either directly in the account or by using a declarative policy. These settings must be configured in each AWS Region where you want to control the discovery and use of AMIs. Using a declarative policy allows you to apply the settings across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the settings directly within an account. This topic describes how to configure the settings directly within an account. For information about using declarative policies, see Declarative policies in the AWS Organizations User Guide.
Note
The Allowed AMIs feature only controls the discovery and use of public AMIs or AMIs shared with your account. It does not restrict the AMIs owned by your account. Regardless of the criteria you set, the AMIs created by your account will always be discoverable and usable by users in your account.
Key benefits of Allowed AMIs
- Compliance and security: Users can only discover and use AMIs that meet the specified criteria, reducing the risk of non-compliant AMI usage.
- Efficient management: By reducing the number of allowed AMIs, managing the remaining ones becomes easier and more efficient.
- Centralized account-level implementation: Configure the Allowed AMIs settings at the account level, either directly within the account or through a declarative policy. This provides a centralized and efficient way to control AMI usage across the entire account.
Contents
- How Allowed AMIs works
- Best practices for implementing Allowed AMIs
- Required IAM permissions
- Enable audit mode and specify criteria
- Enable Allowed AMIs
- Disable Allowed AMIs
- Update Allowed AMIs criteria
- Identify Allowed AMIs state and criteria
- Identify AMIs that meet the Allowed AMIs criteria
- Identify whether instances were launched with AMIs that aren't allowed
How Allowed AMIs works
You specify criteria that automatically filter and determine which AMIs can be discovered and used in your account. You specify the criteria as a JSON configuration, and then apply them by running the EnableAllowedImagesSettings API operation, in audit mode first and then in the enabled state.
JSON configuration for the Allowed AMIs criteria
The core configuration for Allowed AMIs is the JSON configuration that defines the criteria for allowed AMIs.
Currently, the only supported criteria are AMI providers. Valid values are aliases that are defined by AWS, and AWS account IDs, as follows:
- amazon – An alias that identifies AMIs created by AWS
- aws-marketplace – An alias that identifies AMIs created by verified providers in the AWS Marketplace
- aws-backup-vault – An alias that identifies backup AMIs that reside in logically air-gapped AWS Backup vault accounts. If you use the AWS Backup logically air-gapped vault feature, ensure this alias is included as an AMI provider.
- AWS account IDs – One or more 12-digit AWS account IDs
- none – Indicates that only AMIs created by your account can be discovered and used. Public or shared AMIs can't be discovered and used. If you specify none, you can't specify an alias or account ID.
The AMI criteria are specified in JSON format. Here's an example that specifies two aliases and three AWS account IDs:

    {
        "imageCriteria": [
            {
                "imageProviders": [
                    "amazon",
                    "aws-marketplace",
                    "123456789012",
                    "112233445566",
                    "009988776655"
                ]
            }
        ]
    }
Limits for the JSON configuration
- imageCriteria objects: A maximum of 10 imageCriteria objects can be specified in a single configuration.
- imageProviders values: A maximum of 200 values across all imageCriteria objects.
Example of limits
Consider the following example to illustrate these limits, where different imageProviders lists are used to group the AMI provider accounts:

    {
        "imageCriteria": [
            { "imageProviders": ["amazon", "aws-marketplace"] },
            { "imageProviders": ["123456789012", "112233445566", "121232343454"] },
            { "imageProviders": ["998877665555", "987654321098"] }
            // Up to 7 more imageCriteria objects can be added
            // Up to 193 more imageProviders values can be added
        ]
    }
In this example:
- There are 3 imageCriteria objects (up to 7 more can be added to reach the limit of 10).
- There are 7 total imageProviders values across all objects (up to 193 more can be added to reach the limit of 200).
The imageCriteria objects are combined, not intersected: an AMI is allowed if it comes from any provider listed in any of the objects. Grouping providers into separate objects is purely organizational and does not narrow the result.
Allowed AMIs operations
The Allowed AMIs feature has three operational modes for managing the image criteria: Enabled, Disabled, and Audit mode. These allow you to enable or disable the image criteria, or review them as needed.
Enabled
When Allowed AMIs is enabled:
- The ImageCriteria are applied.
- Only allowed AMIs are discoverable in the EC2 console and by APIs that use images (for example, operations that describe, copy, store, or otherwise act on images).
- Instances can only be launched using allowed AMIs.
Disabled
When Allowed AMIs is disabled:
- The ImageCriteria are not applied.
- No restrictions are placed on AMI discoverability or usage.
Audit mode
In audit mode:
- The ImageCriteria are applied, but no restrictions are placed on AMI discoverability or usage.
- In the EC2 console, for each AMI, the Allowed image field displays either Yes or No to indicate whether the AMI will be discoverable and available to users in the account when Allowed AMIs is enabled.
- In the command line, the response for the describe-images operation includes "ImageAllowed": true or "ImageAllowed": false to indicate whether the AMI will be discoverable and available to users in the account when Allowed AMIs is enabled.
- In the EC2 console, the AMI Catalog displays Not allowed next to AMIs that won't be discoverable or available to users in the account when Allowed AMIs is enabled.
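The following is an added example, not code from the AWS documentation. It encodes the provider rules and limits from the JSON configuration section above together with the ImageAllowed decision that audit mode reports, then replays both over constructed AMI and instance records, so you can see what the pre-enablement check would flag before you change the state. Field names mirror describe-images output (ImageId, OwnerId, ImageOwnerAlias); every account, AMI and instance ID is a placeholder. The evaluation is modelled on the text (AMIs owned by the account are always allowed, none excludes everything else, otherwise the owner must be a listed account ID or alias), not on the service's own implementation.

```python
"""Validate an Allowed AMIs criteria document and replay the audit-mode
ImageAllowed decision over constructed AMI and instance records."""
import re

ALIASES = {"amazon", "aws-marketplace", "aws-backup-vault"}
MAX_CRITERIA_OBJECTS = 10
MAX_PROVIDER_VALUES = 200
ACCOUNT_ID = re.compile(r"^[0-9]{12}$")


def providers_of(doc):
    """Flatten every imageProviders list in the document (order preserved)."""
    return [p for crit in doc.get("imageCriteria", []) for p in crit.get("imageProviders", [])]


def validate_criteria(doc):
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    criteria = doc.get("imageCriteria")
    if not isinstance(criteria, list) or not criteria:
        return ["imageCriteria must be a non-empty list"]
    if len(criteria) > MAX_CRITERIA_OBJECTS:
        problems.append(f"{len(criteria)} imageCriteria objects exceed the limit of {MAX_CRITERIA_OBJECTS}")
    providers = providers_of(doc)
    if len(providers) > MAX_PROVIDER_VALUES:
        problems.append(f"{len(providers)} imageProviders values exceed the limit of {MAX_PROVIDER_VALUES}")
    for p in providers:
        if not (p == "none" or p in ALIASES or ACCOUNT_ID.match(p)):
            problems.append(f"unsupported provider value {p!r}")
    if "none" in providers and len(providers) > 1:
        problems.append("'none' cannot be combined with an alias or account ID")
    return problems


def missing_amazon_alias(doc):
    """True when 'amazon' is not listed: AWS managed services that launch
    instances from AWS-owned AMIs would be blocked once enabled."""
    return "amazon" not in providers_of(doc)


def image_allowed(image, doc, own_account):
    """Mirror the ImageAllowed flag that audit mode reports for one AMI."""
    if image["OwnerId"] == own_account:
        return True  # AMIs the account owns are never restricted
    providers = set(providers_of(doc))
    if "none" in providers:
        return False  # only the account's own AMIs
    return image["OwnerId"] in providers or image.get("ImageOwnerAlias") in providers


def instances_on_disallowed_amis(instances, images, doc, own_account):
    """The pre-enablement check: instances whose AMI would be blocked once the
    state moves from audit mode to enabled. An AMI that can no longer be
    described is reported too (owner None), since it cannot be shown to be allowed."""
    by_id = {img["ImageId"]: img for img in images}
    hits = []
    for inst in instances:
        img = by_id.get(inst["ImageId"])
        if img is None:
            hits.append((inst["InstanceId"], inst["ImageId"], None))
        elif not image_allowed(img, doc, own_account):
            hits.append((inst["InstanceId"], img["ImageId"], img["OwnerId"]))
    return hits


OWN_ACCOUNT = "111122223333"  # constructed: the account being configured

CRITERIA = {
    "imageCriteria": [
        {"imageProviders": ["amazon", "aws-marketplace"]},
        {"imageProviders": ["123456789012"]},  # constructed golden-image account
    ]
}

SAMPLE_IMAGES = [  # constructed describe-images style records
    {"ImageId": "ami-0a1b2c3d4e5f60001", "OwnerId": "999999999999", "ImageOwnerAlias": "amazon"},
    {"ImageId": "ami-0a1b2c3d4e5f60002", "OwnerId": "888888888888", "ImageOwnerAlias": "aws-marketplace"},
    {"ImageId": "ami-0a1b2c3d4e5f60003", "OwnerId": "123456789012"},
    {"ImageId": "ami-0a1b2c3d4e5f60004", "OwnerId": OWN_ACCOUNT},
    {"ImageId": "ami-0a1b2c3d4e5f60005", "OwnerId": "444455556666"},  # shared by an unlisted account
]

SAMPLE_INSTANCES = [  # constructed instances launched from the AMIs above
    {"InstanceId": "i-0123456789abcdef0", "ImageId": "ami-0a1b2c3d4e5f60003"},
    {"InstanceId": "i-0123456789abcdef1", "ImageId": "ami-0a1b2c3d4e5f60005"},
    {"InstanceId": "i-0123456789abcdef2", "ImageId": "ami-0a1b2c3d4e5f60004"},
]


def audit_report(doc=CRITERIA, images=SAMPLE_IMAGES, instances=SAMPLE_INSTANCES, own_account=OWN_ACCOUNT):
    """Everything worth reviewing before switching from audit mode to enabled."""
    return {
        "problems": validate_criteria(doc),
        "missing_amazon_alias": missing_amazon_alias(doc),
        "allowed": {img["ImageId"]: image_allowed(img, doc, own_account) for img in images},
        "affected_instances": instances_on_disallowed_amis(instances, images, doc, own_account),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(), indent=2))
```

With the sample data, the only flagged instance is the one launched from the AMI shared by the unlisted account; the instance on the account's own AMI passes regardless of the criteria, which is the point of the note above about own-account AMIs. Run audit_report against real describe-images and describe-instance-image-metadata output for a region and compare it with what the console's Allowed image column shows in audit mode.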
Best practices for implementing Allowed AMIs
When implementing Allowed AMIs, consider these best practices to ensure a smooth transition and minimize potential disruptions to your AWS environment.
- Enable audit mode: Begin by enabling Allowed AMIs in audit mode. This mode allows you to see which AMIs would be affected by your criteria without actually restricting access, providing a risk-free evaluation period.
- Set Allowed AMIs criteria: Carefully establish which AMI providers align with your organization's security policies, compliance requirements, and operational needs.
  Note
  We recommend specifying the amazon alias to allow AMIs created by AWS, ensuring that AWS managed services you use can continue to launch EC2 instances in your account.
- Check for impact on expected business processes: Run the describe-instance-image-metadata command and filter the response to identify any instances that were launched with AMIs that don't meet the specified criteria. This information can guide your decision to either update your launch configurations to use compliant AMIs (for example, specifying a different AMI in a launch template) or adjust your criteria to allow these AMIs.
- Enable Allowed AMIs: Once you've confirmed that the criteria will not adversely affect expected business processes, enable Allowed AMIs.
- Monitor instance launches: Continue to monitor instance launches from AMIs across your applications and the AWS managed services you use, such as Amazon EMR, Amazon ECS, Amazon EKS, and AWS Elastic Beanstalk. Check for any unexpected issues and make necessary adjustments to the Allowed AMIs criteria.
Required IAM permissions
To use the Allowed AMIs feature, you need the following IAM permissions (EC2 actions):
- ec2:GetAllowedImagesSettings
- ec2:EnableAllowedImagesSettings
- ec2:DisableAllowedImagesSettings
- ec2:ReplaceImageCriteriaInAllowedImagesSettings
The identification procedures below additionally call ec2:DescribeImages and ec2:DescribeInstanceImageMetadata. Treat the three mutating actions as privileged: a principal that holds ec2:ReplaceImageCriteriaInAllowedImagesSettings or ec2:DisableAllowedImagesSettings can widen or switch off the control, so grant them only to the team that owns the setting, or manage the setting with a declarative policy so that it can't be changed from within the account.
Enable audit mode and specify criteria
Use the following procedures to enable the audit mode for Allowed AMIs and specify the Allowed AMIs criteria in your account for the specified Region.
Enable Allowed AMIs
Use the following procedures to enable Allowed AMIs in your account for the specified Region.
Disable Allowed AMIs
Use the following procedures to disable Allowed AMIs in your account for the specified Region.
Update Allowed AMIs criteria
Use the following procedures to update the Allowed AMIs criteria in your account for the specified Region.
Identify Allowed AMIs state and criteria
Use the following procedures to identify the current state of the Allowed AMIs setting and the Allowed AMIs criteria.
Identify AMIs that meet the Allowed AMIs criteria
Use the following procedures to identify the AMIs that are allowed or not allowed for the account.
Note
The following can only be done when Allowed AMIs is in audit mode.
Identify whether instances were launched with AMIs that aren't allowed
Use the following procedures to identify the instances that were launched with an AMI that does not meet the Allowed AMIs criteria.
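The procedures referenced above (audit mode, criteria, checking state, identifying affected instances and AMIs, enabling, disabling) as one CLI script for a single Region, added here as an example rather than taken from the AWS page. It assumes AWS CLI v2, credentials holding the permissions listed under Required IAM permissions plus ec2:DescribeImages and ec2:DescribeInstanceImageMetadata, a placeholder Region, and a hypothetical golden-image account 123456789012. The image-allowed filter and the JMESPath paths on the describe responses are what I expect from the CLI reference; confirm them against the help output of your CLI version before using the script in automation. The part worth copying is the gate: the switch to enabled happens only when the account (not a declarative policy) owns the setting, audit mode is active, and audit mode reports no instance launched from an AMI the criteria would block.

```shell
#!/bin/sh
# Added example: Allowed AMIs rollout in one Region, in the order the best
# practices prescribe: audit mode, set criteria, check impact, enforce.
# REGION and PROVIDERS are placeholders; 123456789012 is a hypothetical
# golden-image account.
set -eu

REGION="${REGION:-us-east-1}"
# Keep "amazon" so AWS managed services can still launch instances.
PROVIDERS="${PROVIDERS:-amazon,aws-marketplace,123456789012}"

# Current state: disabled | audit-mode | enabled
allowed_amis_state() {
    aws ec2 get-allowed-images-settings --region "$REGION" \
        --query 'State' --output text
}

# "account" or "declarative-policy". When a declarative policy owns the
# setting, the enable/replace/disable calls below are refused.
allowed_amis_managed_by() {
    aws ec2 get-allowed-images-settings --region "$REGION" \
        --query 'ManagedBy' --output text
}

# Step 1: audit mode applies the criteria without restricting anything.
enter_audit_mode() {
    aws ec2 enable-allowed-images-settings --region "$REGION" \
        --allowed-images-settings-state audit-mode \
        --query 'AllowedImagesSettingsState' --output text
}

# Step 2: replace the criteria. In CLI shorthand, ImageProviders=a,b,c is a list.
set_criteria() {
    aws ec2 replace-image-criteria-in-allowed-images-settings --region "$REGION" \
        --image-criteria "ImageProviders=$1" >/dev/null
}

# Step 3 (audit mode only): instances whose AMI would be blocked once enabled.
# Filter name and result path are assumed from the CLI reference; verify them.
instances_on_disallowed_amis() {
    aws ec2 describe-instance-image-metadata --region "$REGION" \
        --filters Name=image-allowed,Values=false \
        --query 'InstanceImageMetadata[].[InstanceId,ImageMetadata.ImageId]' \
        --output text
}

# Step 4 (audit mode only): AMIs shared with this account that would be hidden.
# Drop --executable-users to include public AMIs (a much longer list).
shared_amis_not_allowed() {
    aws ec2 describe-images --region "$REGION" --executable-users self \
        --filters Name=image-allowed,Values=false \
        --query 'Images[].[ImageId,OwnerId]' --output text
}

# Step 5: enforce. Disabling keeps the criteria but stops applying them.
enforce() {
    aws ec2 enable-allowed-images-settings --region "$REGION" \
        --allowed-images-settings-state enabled \
        --query 'AllowedImagesSettingsState' --output text
}
disable_allowed_amis() {
    aws ec2 disable-allowed-images-settings --region "$REGION" \
        --query 'AllowedImagesSettingsState' --output text
}

# Gate: enforce only when this account owns the setting, audit mode is on,
# and no instance was launched from an AMI the criteria would block.
safe_to_enforce() {
    [ "$(allowed_amis_managed_by)" = "account" ] || return 2
    [ "$(allowed_amis_state)" = "audit-mode" ] || return 3
    [ -z "$(instances_on_disallowed_amis)" ]
}

rollout() {
    enter_audit_mode
    set_criteria "$PROVIDERS"
    if safe_to_enforce; then
        enforce
    else
        echo "not enforcing in $REGION: policy-managed, wrong state, or affected instances:" >&2
        instances_on_disallowed_amis >&2 || true
        return 1
    fi
}

# Run the whole sequence only when invoked as: sh allowed-amis.sh rollout
if [ "${1:-}" = "rollout" ]; then
    rollout
fi
```

Sourcing the file instead of running it gives you the individual functions, which is useful when you want to stay in audit mode for a while and just re-run instances_on_disallowed_amis and shared_amis_not_allowed until the lists are empty. Because the setting is per Region, loop the script over every Region you operate in, or use a declarative policy to apply the same criteria everywhere at once.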