Yes, sharing Amazon Machine Images (AMIs) across accounts in an AWS Organization is possible. Here's a more direct approach to your question:
When EC2 Image Builder completes a build, it produces an AMI. You can modify the permissions of this AMI to be shared with other AWS accounts.
Sharing with Specific Accounts:
- Go to the EC2 console.
- Under "Images", select "AMIs".
- Select your AMI, click on "Actions", and then choose "Modify Image Permissions".
- Under "Add account", you can specify the AWS account numbers with which you want to share the AMI.
- To automatically share the AMI with all accounts in your organization, you would need to set up an automation (e.g., using AWS Lambda) that:
  - Detects the creation of a new AMI using CloudWatch Events.
  - Shares the AMI with all accounts in the AWS Organization by modifying the AMI permissions.
I hope this helps! If this solution works for you, please accept the answer. Otherwise, do leave a comment, and I'll try to assist you.
Here is an example Lambda to share an AMI to an AWS Organization:
```python
import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger()

ec2client = boto3.client('ec2')
orgclient = boto3.client('organizations')

# Collect the IDs of all ACTIVE accounts in the Organization.
# list_accounts is paginated, so walk every page rather than only the first.
accountlist = []
try:
    paginator = orgclient.get_paginator('list_accounts')
    for page in paginator.paginate():
        for account in page['Accounts']:
            if account['Status'] == 'ACTIVE':
                accountlist.append(account['Id'])
except ClientError:
    logger.error("Could not get Account ids")

# Grant launch permission on the AMI to every collected account.
try:
    print(accountlist)
    logger.info("Share new AMI with Organization Accounts")
    response = ec2client.modify_image_attribute(
        Attribute='launchPermission',
        ImageId="YOURIMAGEID",
        OperationType='add',
        UserIds=accountlist,
    )
except ClientError:
    logger.error("Could not share AMI: YOURIMAGEID.")
```
Actually, I just found out that there is a built-in functionality of image pipeline to share with the whole Org/OUnit. So, I don't need any Lambdas. Thank you for your replies.
- AWS OFFICIAL Updated a year ago
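Added example, not code from any of the answers above: the EC2 Image Builder distribution entry that shares the output AMI with a whole Organization through `launchPermission.organizationArns` (the built-in route the last comment mentions), plus an audit of an AMI's launch permissions that flags public sharing (`Group: all`) or accounts outside the expected member list. The AMI id, account ids and Organization ARN are constructed placeholders; only `audit_live_ami` touches AWS.

```python
from typing import Iterable

# Constructed sample in the shape returned by
# ec2.describe_image_attribute(ImageId=..., Attribute='launchPermission').
SAMPLE_LAUNCH_PERMISSIONS = {
    "ImageId": "ami-0123456789abcdef0",  # placeholder AMI id
    "LaunchPermissions": [
        {"UserId": "111111111111"},  # expected Organization member
        {"UserId": "999999999999"},  # account outside the Organization
        {"Group": "all"},            # AMI is public
    ],
}


def build_org_distribution(region: str, org_arn: str, ami_name: str) -> dict:
    """One entry for imagebuilder.create_distribution_configuration(distributions=[...])
    that shares the built AMI with every account in the Organization (org_arn is
    a caller-supplied placeholder, e.g. arn:aws:organizations::<acct>:organization/<o-id>)."""
    return {
        "region": region,
        "amiDistributionConfiguration": {
            "name": ami_name,
            "launchPermission": {"organizationArns": [org_arn]},
        },
    }


def audit_launch_permissions(attr: dict, allowed_accounts: Iterable[str]) -> dict:
    """Return findings for an AMI whose launch permissions are public or include
    accounts that are not in the expected Organization member list."""
    allowed = set(allowed_accounts)
    findings = {"public": False, "unexpected_accounts": []}
    for perm in attr.get("LaunchPermissions", []):
        if perm.get("Group") == "all":
            findings["public"] = True
        user_id = perm.get("UserId")
        if user_id and user_id not in allowed:
            findings["unexpected_accounts"].append(user_id)
    return findings


def audit_live_ami(image_id: str, allowed_accounts: Iterable[str]) -> dict:
    """Run the same audit against a real AMI; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline functions above need no AWS access

    ec2 = boto3.client("ec2")
    attr = ec2.describe_image_attribute(ImageId=image_id, Attribute="launchPermission")
    return audit_launch_permissions(attr, allowed_accounts)
```

The allowed list would normally come from `organizations.list_accounts`, as in the Lambda above; feeding each newly built AMI through `audit_live_ami` catches an AMI that was accidentally made public or shared outside the Organization.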