Manage the block public access setting for AMIs - Amazon Elastic Compute Cloud

Manage the block public access setting for AMIs

You can manage the block public access setting for your AMIs to control whether they can be publicly shared. You can enable, disable, or view the current block public access state for your AMIs using the Amazon EC2 console or the AWS CLI.

View the block public access state for AMIs

To see whether the public sharing of your AMIs is blocked in your account, you can view the state for block public access for AMIs. You must view the state in each AWS Region in which you want to see whether the public sharing of your AMIs is blocked.

Required permissions

To get the current block public access setting for AMIs, you must have the GetImageBlockPublicAccessState IAM permission.

Console
To view the block public access state for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to view the block public access state for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, check the Public access field. The value is either New public sharing blocked or New public sharing allowed.

AWS CLI
To get the block public access state for AMIs

Use the get-image-block-public-access-state command.

  • For a specific Region

    aws ec2 get-image-block-public-access-state --region us-east-1

    Expected output – The value is either block-new-sharing or unblocked.

    The ManagedBy field indicates the entity that configured the setting. In this example, account indicates that the setting was configured directly in the account. A value of declarative-policy would mean the setting was configured by a declarative policy. For more information, see Declarative policies in the AWS Organizations User Guide.

    { "ImageBlockPublicAccessState": "block-new-sharing", "ManagedBy": "account" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 get-image-block-public-access-state \ --region $region \ --output text) echo -e "$region \t $output" ); done

    Expected output – The value is either block-new-sharing or unblocked.

    Region Public Access State -------------- ---------------------- ap-south-1 block-new-sharing eu-north-1 unblocked eu-west-3 block-new-sharing ...
PowerShell
To get the block public access state for AMIs

Use the Get-EC2ImageBlockPublicAccessState Cmdlet.

  • For a specific Region

    Get-EC2ImageBlockPublicAccessState -Region us-east-1

    Expected output

    block-new-sharing
  • For all Regions in your account

    (Get-EC2Region).RegionName | ` ForEach-Object { [PSCustomObject]@{ Region = $_ PublicAccessState = (Get-EC2ImageBlockPublicAccessState -Region $_) } } | ` Format-Table -AutoSize

    Expected output

    Region PublicAccessState ------ ----------------- ap-south-1 block-new-sharing eu-north-1 block-new-sharing eu-west-3 block-new-sharing …

Enable block public access for AMIs

To prevent the public sharing of your AMIs, enable block public access for AMIs at the account level. You must enable block public access for AMIs in each AWS Region in which you want to prevent the public sharing of your AMIs. If you already have public AMIs, they will remain publicly available.

Required permissions

To enable the block public access setting for AMIs, you must have the EnableImageBlockPublicAccess IAM permission.

Console
To enable block public access for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to enable block public access for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, choose Manage.

  6. Select the Block new public sharing checkbox, and then choose Update.

    Note

    The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing allowed. When the API has completed the configuration, the value will automatically change to New public sharing blocked.

AWS CLI
To enable block public access for AMIs

Use the enable-image-block-public-access command.

  • For a specific Region

    aws ec2 enable-image-block-public-access \ --region us-east-1 \ --image-block-public-access-state block-new-sharing

    Expected output

    { "ImageBlockPublicAccessState": "block-new-sharing" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 enable-image-block-public-access \ --region $region \ --image-block-public-access-state block-new-sharing \ --output text) echo -e "$region \t $output" ); done

    Expected output

    Region Public Access State -------------- ---------------------- ap-south-1 block-new-sharing eu-north-1 block-new-sharing eu-west-3 block-new-sharing ...
Note

The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be unblocked. When the API has completed the configuration, the response will be block-new-sharing.

PowerShell
To enable block public access for AMIs

Use the Enable-EC2ImageBlockPublicAccess command.

  • For a specific Region

    Enable-EC2ImageBlockPublicAccess ` -Region us-east-1 ` -ImageBlockPublicAccessState block-new-sharing

    Expected output

    Value ----- block-new-sharing
  • For all Regions in your account

    (Get-EC2Region).RegionName | ` ForEach-Object { [PSCustomObject]@{ Region = $_ PublicAccessState = ( Enable-EC2ImageBlockPublicAccess ` -Region $_ ` -ImageBlockPublicAccessState block-new-sharing) } } | ` Format-Table -AutoSize

    Expected output

    Region PublicAccessState ------ ----------------- ap-south-1 block-new-sharing eu-north-1 block-new-sharing eu-west-3 block-new-sharing …

Disable block public access for AMIs

To allow the users in your account to publicly share your AMIs, disable block public access at the account level. You must disable block public access for AMIs in each AWS Region in which you want to allow the public sharing of your AMIs.

Required permissions

To disable the block public access setting for AMIs, you must have the DisableImageBlockPublicAccess IAM permission.

Console
To disable block public access for AMIs in the specified Region
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar (at the top of the screen), select the Region in which to disable block public access for AMIs.

  3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.

  4. Under Account attributes, choose Data protection and security.

  5. Under Block public access for AMIs, choose Manage.

  6. Clear the Block new public sharing checkbox, and then choose Update.

  7. Enter confirm when prompted for confirmation, and then choose Allow public sharing.

    Note

    The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing blocked. When the API has completed the configuration, the value will automatically change to New public sharing allowed.

AWS CLI
To disable block public access for AMIs

Use the disable-image-block-public-access command.

  • For a specific Region

    aws ec2 disable-image-block-public-access --region us-east-1

    Expected output

    { "ImageBlockPublicAccessState": "unblocked" }
  • For all Regions in your account

    echo -e "Region \t Public Access State" ; \ echo -e "-------------- \t ----------------------" ; \ for region in $( aws ec2 describe-regions \ --region us-east-1 \ --query "Regions[*].[RegionName]" \ --output text ); do (output=$( aws ec2 disable-image-block-public-access \ --region $region \ --output text) echo -e "$region \t $output" ); done

    Expected output

    Region Public Access State -------------- ---------------------- ap-south-1 unblocked eu-north-1 unblocked eu-west-3 unblocked ...
Note

The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be block-new-sharing. When the API has completed the configuration, the response will be unblocked.

PowerShell
To disable block public access for AMIs

Use the Disable-EC2ImageBlockPublicAccess Cmdlet.

  • For a specific Region

    Disable-EC2ImageBlockPublicAccess -Region us-east-1

    Expected output

    Value ----- unblocked
  • For all Regions in your account

    (Get-EC2Region).RegionName | ` ForEach-Object { [PSCustomObject]@{ Region = $_ PublicAccessState = (Disable-EC2ImageBlockPublicAccess -Region $_) } } | ` Format-Table -AutoSize

    Expected output

    Region PublicAccessState ------ ----------------- ap-south-1 unblocked eu-north-1 unblocked eu-west-3 unblocked …