Introduction to Sharing AMIs

Articles & Tutorials>Introduction to Sharing AMIs
This tutorial provides an introduction to sharing your AMIs with other AWS developers.


Submitted By: Attila@AWS
Created On: December 5, 2006 3:51 PM GMT
Last Updated: June 4, 2007 4:27 PM GMT
Note: This feature is supported from API version 2006-10-01 and its supporting command-line tools.


Sharing AMIs allows you to make your AMIs public, or grant specific users permission to launch your AMIs. In this tutorial, we'll go through:

  • Making an AMI public
  • Sharing an AMI with a specific user
  • How others might discover and launch shared AMIs
  • Making a shared AMI's private again
  • Advertising your shared AMI

Before we begin, there are a few important notes for sharing AMIs:

  • There are security implications with sharing AMIs. Please make sure you have read and understood the relevant sections in the Developer Guide:

    • Sharing AMIs
    • Using Shared AMIs 
  • You have complete control over who is allowed to launch your AMIs.

  • The person launching an AMI is billed for resources used and not the owner of the AMI.


To follow this guide you will need at least one AMI that is fit for public consumption.

Sharing AMIs

We are going to use two example AMIs to illustrate sharing AMIs. One, an Ubuntu base image, will be made public, and the other, a web server for Bob, will be shared with Bob only. AMIs are listed with ec2-describe-images. The flag -o self is used to list only images we own.

$ ec2-describe-images -o self
IMAGE ami-4ca2529b my-bucket/ubuntu-base.manifest.xml 495219933132 available private
IMAGE ami-5da964c3 my-bucket/bobs-webserver.manifest.xml 495219933132 available private

Launch permissions for an image are set by modifying an AMIs launch permission attribute. To make the Ubuntu image public, we add all to the launch permission attribute.

$ ec2-modify-image-attribute ami-4ca2529b --launch-permission --add all
launchPermission ami-4ca2529b ADD group all

We want to give Bob access to his web server. We do this by adding only his AWS account ID to the launch permission attribute. In this example, we use the short hand forms of --launch-permission and --add.

$ ec2-modify-image-attribute ami-5da964c3 -l -a 349782352074
launchPermission ami-5da964c3 ADD userId 349782352074

Launch permissions on an AMI can be checked at any time by running ec2-describe-image-attribute.

$ ec2-describe-image-attribute ami-4ca2529b -l
launchPermission ami-4ca2529b group all

Using Shared AMIs

For this section we look at what Bob does. He wants to launch his web server and create his own Ubuntu-based image without going through the steps of creating the initial Ubuntu image.

Bob knows that we have given him launch permissions to his web server and needs to find the AMI's ID. He does this by adding flags to ec2-describe-images so that only AMIs we own and he has explicit launch permissions for are returned. The -x flag is short hand for --executable-by.

$ ec2-describe-images -o 495219933132 -x self
IMAGE ami-5da964c3 my-bucket/bobs-webserver.manifest.xml 495219933132 available private

Bob can then launch the AMI in the normal fashion using ec2-run-instances.

$ ec2-run-instances ami-5da964c3 -k websvr-key
INSTANCE i-67a4410e ami-5da964c3 pending websvr-key 0

To build his Ubuntu image, Bob wants to find a public image with an Ubuntu base install. Bob executes the following command to list all public images, then only display the results containing the text ubuntu:

$ ec2-describe-images -x all | grep ubuntu
IMAGE ami-4ca2529b my-bucket/ubuntu-base.manifest.xml 495219933132 available public
Note: If you are running on Windows, you may need to remove | grep ubuntu for this command to work.

This AMI is exactly what Bob is looking for. He recognizes our AWS account ID. Because he knows us, he trusts that we would not produce a malicious AMI. Just to be sure, he checks the Public AMIs category in the Resource Center to see how other AWS developers have reviewed the Ubuntu AMI. Public AMIs are launched in the normal fashion.

$ ec2-run-instances ami-4ca2529b -k test-key
INSTANCE i-64a4410d ami-4ca2529b pending test-key 0

Permission Management with AMIs

After some time we no longer want our AMIs to be shared. Perhaps we release newer versions, or have a falling out with Bob and no longer want him running our software. Although de-registering an AMI will remove all launch permissions, we want to illustrate launch permission management without deregistering the AMI.

Individual launch permissions can be removed with ec2-modify-image-attribute.

$ ec2-modify-image-attribute ami-4ca2529b -l -r all
launchPermission ami-4ca2529b REMOVE group all

All launch permissions can be cleared from an AMI by using ec2-reset-image-attribute.

$ ec2-reset-image-attribute ami-5da964c3 -l
launchPermission ami-5da964c3 RESET

The owner of an AMI always has implicit launch permissions for that AMI. These will not be removed by using ec2-reset-image-attribute.

Advertising Your AMI

Advertise your shared AMI with the AWS developer community by adding it to the list of Public AMIs we have in our Resource Center. Submit your AMI to the Resource Center by following the directions on this page:

Your category listing will show up after a quick review by AWS.


very cool
well done very informative and simple thanks
craig meagher on September 21, 2010 6:55 AM GMT
We are temporarily not accepting new comments.
©2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.