AWS Security ChangesHomeSearch

AWS AWSEC2 medium security documentation change

Service: AWSEC2 · 2025-04-11 · Security-related medium

File: AWSEC2/latest/UserGuide/how-ami-copy-works.md

Summary

Clarified that AMI copy requires permissions for underlying storage (EBS/S3) in addition to AMI permissions

Security assessment

Emphasizes the need for explicit storage permissions beyond AMI sharing, addressing potential security gaps where users might think AMI sharing alone is sufficient. This helps prevent unauthorized access to storage resources.

Diff

diff --git a/AWSEC2/latest/UserGuide/how-ami-copy-works.md b/AWSEC2/latest/UserGuide/how-ami-copy-works.md
index 3281e866e..06a2a24dc 100644
--- a//AWSEC2/latest/UserGuide/how-ami-copy-works.md
+++ b//AWSEC2/latest/UserGuide/how-ami-copy-works.md
@@ -79 +79 @@ If an AMI from another AWS account is [shared with your AWS account](./sharingam
-To copy an AMI that was shared with you from another account, the owner of the source AMI must grant you read permissions for the storage that backs the AMI. The storage is either the associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance store-backed AMI). If the shared AMI has encrypted snapshots, the owner must share the key or keys with you. For more information about granting resource permissions, for EBS snapshots, see [Share an Amazon EBS snapshot with other AWS accounts](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) in the _Amazon EBS User Guide_ , and for S3 buckets, see [Identity and access management for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam.html) in the _Amazon S3 User Guide_.
+To copy an AMI that was shared with you from another account, the owner of the source AMI must grant you read permissions for the storage that backs the AMI, not just for the AMI itself. The storage is either the associated EBS snapshot (for an Amazon EBS-backed AMI) or an associated S3 bucket (for an instance store-backed AMI). If the shared AMI has encrypted snapshots, the owner must share the key or keys with you. For more information about granting resource permissions, for EBS snapshots, see [Share an Amazon EBS snapshot with other AWS accounts](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) in the _Amazon EBS User Guide_ , and for S3 buckets, see [Identity and access management for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam.html) in the _Amazon S3 User Guide_.