Amazon EC2 now supports Block Public Access for AMI’s

Muhammad Hassan Saeed
2 min readSep 15, 2023

--

AWS added a way to protect your AMIs from being shared publicly. You can enable Block Public Access for AMIs. This is an account-level setting, but you must enable it in each AWS region where you want to keep your AMIs private.AMI BPA is currently disabled by default for all AWS Accounts, and customers can enable AMI BPA through AWS CLI, SDKs or Console.

If this setting is enabled, you won’t be able to make any AMIs public. However, if you already have public AMIs, they won’t be affected. If you need to share AMIs publicly, turn off Block Public Access, share, and then reverse.

This is a good way to make sure that your AMIs are not shared publicly by mistake (if someone is still using this way of sharing AMIs)

Demo:

Goto Ec2 Account

In Top-Right Corner their is table labled Account attributes, In settings select very first option named Data Protection and Security

Scroll down !

Click Manage and check box if you want to block public share

Required IAM permissions

To use block public access for AMIs, you must have the following IAM permissions:

  • EnableImageBlockPublicAccess
  • DisableImageBlockPublicAccess
  • GetImagePublicAccessState

AWS CLI Command:

Enable:

aws ec2 enable-image-block-public-access \
--region "your region here" \
--image-block-public-access-state block-new-sharing

Disable:

aws ec2 disable-image-block-public-access --region "Your region here"

For More Read Documentation here:

--

--

Muhammad Hassan Saeed

Greetings! I'm a passionate AWS DevOps Engineer with hands-on Experience on Majority Devops Tools