AWS – Amazon EC2 introduces Allowed AMIs to enhance AMI governance
Amazon EC2 introduces Allowed AMIs, a new account-wide setting that enables you to limit the discovery and use of Amazon Machine Images (AMIs) within your AWS accounts. You can now simply specify the AMI owner accounts or AMI owner aliases permitted within your account, and only AMIs from these owners will be visible and available to you to launch EC2 instances.
Prior to today, you could use any AMI explicitly shared with your account or any public AMI, regardless of its origin or trustworthiness, putting you at risk of accidentally using an AMI that didn't meet your organization's compliance requirements. Now with Allowed AMIs, your administrators can specify the accounts or owner aliases whose AMIs are permitted for discovery and use within your AWS environment. This streamlined approach provides guardrails to reduce the risk of inadvertently using non-compliant or unauthorized AMIs. Allowed AMIs also supports an audit mode that identifies EC2 instances launched from AMIs the setting would not permit, so you can find non-compliant instances before the setting is enforced. You can apply this setting across AWS Organizations and Organizational Units using Declarative Policies, allowing you to manage and enforce it at scale.
The Allowed AMIs setting only applies to public AMIs and AMIs explicitly shared with your AWS accounts; AMIs owned by the account itself are unaffected. By default, this setting is disabled for all AWS accounts. You can enable it by using the AWS CLI, SDKs, or Console. To learn more, please visit our documentation.
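The following is an added example, not AWS code, that models how the audit mode described above evaluates an inventory: each instance's AMI is checked against the permitted owner account IDs and owner aliases, and AMIs the account owns itself are left alone because the setting only governs public and shared AMIs. The record fields mirror the OwnerId, ImageOwnerAlias and Public attributes EC2 returns for an image, the owner vocabulary ("amazon", "aws-marketplace", or a 12-digit account ID) is an assumption about how permitted owners are expressed, and all account and AMI IDs are constructed.

```python
# Added example (not AWS code): simulates the audit-mode check of the
# Allowed AMIs setting over constructed DescribeImages-style records.
# Field names (owner_id, owner_alias, public) mirror the OwnerId,
# ImageOwnerAlias and Public attributes EC2 returns for an image; the
# owner vocabulary ("amazon", "aws-marketplace", or a 12-digit owner
# account ID) is an assumption about how permitted owners are written.
from dataclasses import dataclass
from typing import Optional

# Constructed account ID of the account being audited.
OWN_ACCOUNT = "111111111111"


@dataclass(frozen=True)
class Image:
    image_id: str
    owner_id: str
    owner_alias: Optional[str] = None  # e.g. "amazon", "aws-marketplace"
    public: bool = False               # informational: public and shared AMIs are both in scope


def image_allowed(image: Image, allowed_owners: set,
                  own_account: str = OWN_ACCOUNT) -> bool:
    """Would this AMI stay discoverable/launchable under the setting?

    The setting governs only public AMIs and AMIs explicitly shared with
    the account, so AMIs the account owns itself are always allowed.
    Everything else must come from a permitted owner account ID or alias.
    """
    if image.owner_id == own_account:
        return True
    if image.owner_id in allowed_owners:
        return True
    return image.owner_alias is not None and image.owner_alias in allowed_owners


def audit_instances(instances: dict, images: dict, allowed_owners: set,
                    own_account: str = OWN_ACCOUNT) -> list:
    """Audit-mode style report: instance IDs whose AMI the setting would block.

    instances maps instance ID -> image ID it was launched from; images is a
    lookup of known AMI metadata. An instance whose AMI can no longer be
    described at all (for example a deregistered or un-shared AMI) is reported
    too, because its origin cannot be shown to satisfy the policy.
    """
    flagged = []
    for instance_id, image_id in sorted(instances.items()):
        image = images.get(image_id)
        if image is None or not image_allowed(image, allowed_owners, own_account):
            flagged.append(instance_id)
    return flagged


# --- constructed sample inventory ----------------------------------------
SAMPLE_IMAGES = {
    "ami-0aaaa": Image("ami-0aaaa", "222222222222", "amazon", public=True),
    "ami-0bbbb": Image("ami-0bbbb", "333333333333", "aws-marketplace", public=True),
    "ami-0cccc": Image("ami-0cccc", "444444444444", None, public=False),  # shared by a partner account
    "ami-0dddd": Image("ami-0dddd", OWN_ACCOUNT, None, public=False),     # built in-house
    "ami-0eeee": Image("ami-0eeee", "555555555555", None, public=True),   # arbitrary public AMI
}
SAMPLE_INSTANCES = {
    "i-001": "ami-0aaaa",
    "i-002": "ami-0cccc",
    "i-003": "ami-0eeee",
    "i-004": "ami-0dddd",
    "i-005": "ami-0ffff",  # AMI no longer visible to the account
}
ALLOWED_OWNERS = {"amazon", "aws-marketplace", "444444444444"}


if __name__ == "__main__":
    for inst in audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, ALLOWED_OWNERS):
        print(f"non-compliant: {inst} launched from {SAMPLE_INSTANCES[inst]}")
```

Running the script flags i-003 (launched from a public AMI whose owner is not on the list) and i-005 (its AMI cannot be resolved at all), while the in-house AMI behind i-004 passes without appearing in the allow list. Against a real account the same logic is what you would apply to the instance and image metadata the EC2 API returns while the setting is in audit mode, before switching it to enforced.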