How to update AWS AMI permission from Public to Private

Riyaz Walikar
Feature image


Amazon Machine Image (AMI) is an image provided by Amazon typically containing the operating system and other software which is required to launch a virtual machine within the Amazon Elastic Compute Cloud (EC2). It serves as the basic unit of deployment for services delivered using EC2.

On AWS you can create your own AMIs from your EC2 instances. These AMIs can be either public or private images. AWS provides the ability to share these AMIs with other AWS accounts by changing the permissions on the AMI. There is also a provision to make the AMI public for all AWS users.

Public AMIs can be used by malicious AWS users to create their own instances. If these AMIs contain any sensitive information like SSH keys, configuration files, credentials to other resources etc., these would then become available to the malicious users.

In this article, let’s take a look at how to make a public AWS AMI image private.

Making your Public AWS AMI image Private

Following are the steps to change the AMI visibility permissions for an image using the AWS Console

  1. Sign in to the AWS Console and navigate to the EC2 dashboard.

  2. In the left navigation panel, under the IMAGES section, choose AMIs.

    EC2 navigation panel

  3. Select the AMI that you want to make private.

  4. Select the Permissions tab from the dashboard bottom panel and click the Edit AMI Permissions button to update the selected image launch permissions.

    edit AMI permissions

  5. In the Modify Image Permissions dialog box, select Private

    Modify AMI Permissions to private

  6. Click on Save changes and the AMI permissions are successfully changed to Private.

Following are the steps to change permissions for an AMI using CLI:

  1. To list the AMI’s, run the following command. This command takes some time to show the output and can be skipped if you already know your AMI ID.

    aws ec2 describe-images `--region <region>`
  2. To get AMI’s configuration metadata to check whether it is public or private, run the following command. It is public if “Public”: true

    aws ec2 describe-images --region <region> --image-ids <AMI ID>

    aws ec2 describe images.

  3. To update the AMI launch permissions and make it private run below command

    aws ec2 modify-image-attribute --region <region> --image-id <AMI ID> --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
  4. To verify if the AMI image has changed to private, run the following command. The value will be “Public”: false in the AMI’s configuration metadata.

    aws ec2 describe-images --region <region> --image-ids <AMI ID>

    aws ec2 describe images private


AWS allows users to create AMIs from their EC2 instances. This is a useful feature when one needs to have a custom base image to launch their instances like an image baked in software or hardened as per one’s requirements.

These AMIs can be made either public or private. For images that may have sensitive data and in cases where one does not intend their AMI to be accessible publicly by any AWS user, these must be made private.

← Back to Academy