Manage the block public access setting for AMIs
You can manage the block public access setting for your AMIs to control whether
they can be publicly shared. You can enable, disable, or view the current block
public access state for your AMIs using the Amazon EC2 console or the AWS CLI.
View the block public access state for AMIs
To see whether the public sharing of your AMIs is blocked in your account, you can view
the state for block public access for AMIs. You must view the state in each
AWS Region in which you want to see whether the public sharing of your AMIs is
blocked.
Required permissions
To get the current block public access setting for AMIs, you must have the GetImageBlockPublicAccessState IAM permission.
- Console
To view the block public access state for AMIs in the specified Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the navigation bar (at the top of the screen), select the Region in which to view the block public access state for AMIs.
3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.
4. Under Account attributes, choose Data protection and security.
5. Under Block public access for AMIs, check the Public access field. The value is either New public sharing blocked or New public sharing allowed.
- AWS CLI
To get the block public access state for AMIs
Use the get-image-block-public-access-state command.
For a specific Region
aws ec2 get-image-block-public-access-state --region us-east-1
Expected output – The value is either block-new-sharing or unblocked. The ManagedBy field indicates the entity that configured the setting. In this example, account indicates that the setting was configured directly in the account. A value of declarative-policy would mean the setting was configured by a declarative policy. For more information, see Declarative policies in the AWS Organizations User Guide.
{
    "ImageBlockPublicAccessState": "block-new-sharing",
    "ManagedBy": "account"
}
For all Regions in your account
echo -e "Region \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    );
    do (output=$(
        aws ec2 get-image-block-public-access-state \
            --region "$region" \
            --output text)
        echo -e "$region \t $output"
    );
done
Expected output – The value is either block-new-sharing or unblocked.
Region Public Access State
-------------- ----------------------
ap-south-1 block-new-sharing
eu-north-1 unblocked
eu-west-3 block-new-sharing
...
- PowerShell
To get the block public access state for AMIs
Use the Get-EC2ImageBlockPublicAccessState cmdlet.
For a specific Region
Get-EC2ImageBlockPublicAccessState -Region us-east-1
Expected output
block-new-sharing
For all Regions in your account
(Get-EC2Region).RegionName | `
    ForEach-Object {
    [PSCustomObject]@{
        Region            = $_
        PublicAccessState = (Get-EC2ImageBlockPublicAccessState -Region $_)
    }
} | `
Format-Table -AutoSize
Expected output
Region PublicAccessState
------ -----------------
ap-south-1 block-new-sharing
eu-north-1 block-new-sharing
eu-west-3 block-new-sharing
…
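The per-Region check above can be turned into a pass/fail audit, as in this added example (not part of the original AWS documentation). The function names bpa_state and audit_ami_bpa are made up for the example; the CLI commands and the ImageBlockPublicAccessState and ManagedBy fields are the ones shown on this page.

```shell
#!/bin/sh
# Added example: read-only audit of block public access for AMIs.
# Prints one line per Region and returns non-zero if any Region still
# allows new public sharing, so it can gate a scheduled job or pipeline.

# Print "state<TAB>managed_by" for one Region.
bpa_state() {
    aws ec2 get-image-block-public-access-state --region "$1" \
        --query '[ImageBlockPublicAccessState, ManagedBy]' --output text
}

# Returns 0 if every Region is blocking, 1 if any is not, 2 if the
# Region list itself could not be retrieved.
audit_ami_bpa() {
    failed=0
    regions=$(aws ec2 describe-regions --region us-east-1 \
        --query 'Regions[*].[RegionName]' --output text) || return 2
    for region in $regions; do
        # A failed call (for example a missing IAM permission) is a finding too.
        out=$(bpa_state "$region") || out="error unknown"
        set -- $out                      # split on whitespace: state, managed_by
        state=${1:-error}
        managed_by=${2:-unknown}
        if [ "$state" = "block-new-sharing" ]; then
            verdict=OK
        else
            verdict=FAIL
            failed=1
        fi
        printf '%-5s %-16s %-20s %s\n' "$verdict" "$region" "$state" "$managed_by"
    done
    return "$failed"
}

# Usage: audit_ami_bpa || echo "at least one Region allows public AMI sharing"
```

The caller needs the GetImageBlockPublicAccessState permission in every Region that describe-regions returns; a Region where the call fails is reported as FAIL rather than skipped.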
Enable block public access for AMIs
To prevent the public sharing of your AMIs, enable block public access for AMIs at the
account level. You must enable block public access for AMIs in each AWS Region
in which you want to prevent the public sharing of your AMIs. If you already
have public AMIs, they will remain publicly available.
Required permissions
To enable the block public access setting for AMIs, you must have the EnableImageBlockPublicAccess IAM permission.
- Console
To enable block public access for AMIs in the specified Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the navigation bar (at the top of the screen), select the Region in which to enable block public access for AMIs.
3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.
4. Under Account attributes, choose Data protection and security.
5. Under Block public access for AMIs, choose Manage.
6. Select the Block new public sharing checkbox, and then choose Update.
The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing allowed. When the API has completed the configuration, the value will automatically change to New public sharing blocked.
- AWS CLI
To enable block public access for AMIs
Use the enable-image-block-public-access command.
For a specific Region
aws ec2 enable-image-block-public-access \
    --region us-east-1 \
    --image-block-public-access-state block-new-sharing
Expected output
{
    "ImageBlockPublicAccessState": "block-new-sharing"
}
For all Regions in your account
echo -e "Region \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    );
    do (output=$(
        aws ec2 enable-image-block-public-access \
            --region "$region" \
            --image-block-public-access-state block-new-sharing \
            --output text)
        echo -e "$region \t $output"
    );
done
Expected output
Region Public Access State
-------------- ----------------------
ap-south-1 block-new-sharing
eu-north-1 block-new-sharing
eu-west-3 block-new-sharing
...
The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be unblocked. When the API has completed the configuration, the response will be block-new-sharing.
- PowerShell
To enable block public access for AMIs
Use the Enable-EC2ImageBlockPublicAccess command.
For a specific Region
Enable-EC2ImageBlockPublicAccess `
    -Region us-east-1 `
    -ImageBlockPublicAccessState block-new-sharing
Expected output
Value
-----
block-new-sharing
For all Regions in your account
(Get-EC2Region).RegionName | `
    ForEach-Object {
    [PSCustomObject]@{
        Region            = $_
        PublicAccessState = (
            Enable-EC2ImageBlockPublicAccess `
                -Region $_ `
                -ImageBlockPublicAccessState block-new-sharing)
    }
} | `
Format-Table -AutoSize
Expected output
Region PublicAccessState
------ -----------------
ap-south-1 block-new-sharing
eu-north-1 block-new-sharing
eu-west-3 block-new-sharing
…
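Two points from this section are easy to miss in automation: the setting can take up to 10 minutes to take effect, and AMIs that are already public stay public. The following added example (not from the original AWS documentation) enables the setting, polls until get-image-block-public-access-state reports block-new-sharing, and then lists the AMIs owned by the account that are still public. The function names are made up for the example, and describe-images with --owners self --executable-users all is an AWS CLI call that does not appear on this page.

```shell
#!/bin/sh
# Added example: enable block public access for AMIs in one Region, wait for
# the change to take effect, then list AMIs that were already public.

# Poll until the Region reports block-new-sharing.
# Returns 0 when blocked, 1 on timeout, 2 if the CLI call fails.
wait_for_block() {   # usage: wait_for_block REGION [TIMEOUT_S] [INTERVAL_S]
    region=$1; timeout=${2:-600}; interval=${3:-30}; waited=0
    while :; do
        state=$(aws ec2 get-image-block-public-access-state \
            --region "$region" \
            --query ImageBlockPublicAccessState --output text) || return 2
        if [ "$state" = "block-new-sharing" ]; then return 0; fi
        if [ "$waited" -ge "$timeout" ]; then return 1; fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Print "ImageId<TAB>Name" for each AMI owned by this account that is public.
list_public_amis() {
    aws ec2 describe-images --region "$1" \
        --owners self --executable-users all \
        --query 'Images[*].[ImageId,Name]' --output text
}

# Enable the setting, wait for it, then report pre-existing public AMIs.
enable_and_verify() {   # usage: enable_and_verify REGION [TIMEOUT_S] [INTERVAL_S]
    aws ec2 enable-image-block-public-access --region "$1" \
        --image-block-public-access-state block-new-sharing >/dev/null || return 2
    wait_for_block "$1" "${2:-600}" "${3:-30}" || return $?
    list_public_amis "$1"
}

# Usage: enable_and_verify us-east-1
```

Any AMI it prints can still be launched by other accounts; making it private is a separate step (the modify-image-attribute command, removing the all group from the launch permissions).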
Disable block public access for AMIs
To allow the users in your account to publicly share your AMIs, disable block public
access at the account level. You must disable block public access for AMIs in
each AWS Region in which you want to allow the public sharing of your
AMIs.
Required permissions
To disable the block public access setting for AMIs, you must have the DisableImageBlockPublicAccess IAM permission.
- Console
To disable block public access for AMIs in the specified Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the navigation bar (at the top of the screen), select the Region in which to disable block public access for AMIs.
3. If the dashboard is not displayed, in the navigation pane, choose EC2 Dashboard.
4. Under Account attributes, choose Data protection and security.
5. Under Block public access for AMIs, choose Manage.
6. Clear the Block new public sharing checkbox, and then choose Update.
7. Enter confirm when prompted for confirmation, and then choose Allow public sharing.
The API can take up to 10 minutes to configure this setting. During this time, the value will be New public sharing blocked. When the API has completed the configuration, the value will automatically change to New public sharing allowed.
- AWS CLI
To disable block public access for AMIs
Use the disable-image-block-public-access command.
For a specific Region
aws ec2 disable-image-block-public-access --region us-east-1
Expected output
{
    "ImageBlockPublicAccessState": "unblocked"
}
For all Regions in your account
echo -e "Region \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    );
    do (output=$(
        aws ec2 disable-image-block-public-access \
            --region "$region" \
            --output text)
        echo -e "$region \t $output"
    );
done
Expected output
Region Public Access State
-------------- ----------------------
ap-south-1 unblocked
eu-north-1 unblocked
eu-west-3 unblocked
...
The API can take up to 10 minutes to configure this setting. During this time, if you run the get-image-block-public-access-state command, the response will be block-new-sharing. When the API has completed the configuration, the response will be unblocked.
- PowerShell
To disable block public access for AMIs
Use the Disable-EC2ImageBlockPublicAccess cmdlet.
For a specific Region
Disable-EC2ImageBlockPublicAccess -Region us-east-1
Expected output
Value
-----
unblocked
For all Regions in your account
(Get-EC2Region).RegionName | `
    ForEach-Object {
    [PSCustomObject]@{
        Region            = $_
        PublicAccessState = (Disable-EC2ImageBlockPublicAccess -Region $_)
    }
} | `
Format-Table -AutoSize
Expected output
Region PublicAccessState
------ -----------------
ap-south-1 unblocked
eu-north-1 unblocked
eu-west-3 unblocked
…