By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

EC2 Image Builder in AWS Organization

0

Hi,

My EC2 Image Builder is in AWS Organization, it's not the root account. I want to create images and automatically share them with all accounts and newly created accounts? Is it possible to do that?

Thanks

Topics
Security, Identity, & ComplianceComputeManagement & Governance
Tags
Security, Identity, & ComplianceEC2 Image BuilderAmazon EC2AWS OrganizationsAWS Account Management
Language
English
profile picture
myronix88
asked 7 months ago476 views
3 Answers
0
Accepted Answer

Actually, I just found out that there is a built-in functionality of image pipeline to share with the whole Org/OUnit. So, I don't need any Lambdas. Thank you for your replies.

profile picture
myronix88
answered 7 months ago
  • David
    7 months ago

    True, thats possible, only if you want to put the latest image to SSM in the specific accounts to help people to use that parameter while automation creation of instances you would need to have a lambda function

  • Gustav
    3 months ago

    This is the correct way to do it.

0

Yes, sharing Amazon Machine Images (AMIs) across accounts in an AWS Organization is possible. Here's a more direct approach to your question:

  1. When EC2 Image Builder completes a build, it produces an AMI. You can modify the permissions of this AMI to be shared with other AWS accounts.

  2. Sharing with Specific Accounts:

  • Go to the EC2 console.
  • Under "Images", select "AMIs".
  • Select your AMI, click on "Actions", and then choose "Modify Image Permissions".
  • Under "Add account", you can specify the AWS account numbers with which you want to share the AMI.
  1. To automatically share the AMI with all accounts in your organization, you would need to set up an automation (e.g., using AWS Lambda) that:
  • Detects the creation of a new AMI using CloudWatch Events.
  • Shares the AMI with all accounts in the AWS Organization by modifying the AMI permissions.

I hope this helps! If this solution works for you, please accept the answer. Otherwise, do leave a comment, and I'll try to assist you.

profile picture
Vitor Castellani
answered 7 months ago
profile pictureAWS
EXPERT
Jose Guay
reviewed 7 months ago
  • Gustav
    3 months ago

    This is redundant. Use the built in function in Image Builder to share the AMIs with the Org/OU.

0

Here is an example Lambda to share an AMI to an AWS Organization:

import boto3
import logging
logger = logging.getLogger()

ec2client = boto3.client('ec2')
orgclient = boto3.client('organizations')

try: 
    accounts = orgclient.list_accounts()
    accountlist = []
    for account in accounts['Accounts']:
        if account['Status'] == 'ACTIVE':
            accountlist.append(account['Id'])
except():
    logger.error("Could not get Account ids")
try:
    print(accountlist)
    logger.info("Share new AMI with Organization Accounts")
    response = ec2client.modify_image_attribute(
    Attribute='launchPermission',
    ImageId="YOURIMAGEID",
    OperationType='add',
    UserIds=accountlist
    )
except(ec2client.Client.exceptions):
    logger.error("Could not share AMI: YOURIMAGEID.")
profile picture
David
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content