AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-04-18 · Documentation low

File: AWSEC2/latest/UserGuide/ec2-allowed-amis.md

Summary

Restructured documentation by consolidating multiple management sections into a single linked guide, updated formatting, and removed detailed procedural steps in favor of external references.

Security assessment

Changes focus on documentation organization and formatting rather than addressing specific security vulnerabilities. The Allowed AMIs feature itself is security-related, but these updates don't introduce new security information or address disclosed weaknesses.

Diff

diff --git a/AWSEC2/latest/UserGuide/ec2-allowed-amis.md b/AWSEC2/latest/UserGuide/ec2-allowed-amis.md
index 36db32e4b..eb8fe74b2 100644
--- a//AWSEC2/latest/UserGuide/ec2-allowed-amis.md
+++ b//AWSEC2/latest/UserGuide/ec2-allowed-amis.md
@@ -5 +5 @@
-How Allowed AMIs worksBest practices for implementing Allowed AMIsRequired IAM permissionsEnable audit mode and specify criteriaEnable Allowed AMIsDisable Allowed AMIsUpdate Allowed AMIs criteriaIdentify Allowed AMIs state and criteriaIdentify AMIs that meet the Allowed AMIs criteriaIdentify whether instances were launched with AMIs that aren't allowed
+How Allowed AMIs worksBest practices for implementing Allowed AMIsRequired IAM permissions
@@ -17 +17 @@ You specify the Allowed AMIs settings at the account level, either directly in t
-The Allowed AMIs feature only controls the discovery and use of public AMIs or AMIs shared with your account. It does not restrict the AMIs owned by your account. Regardless of the criteria you set, the AMIs created by your account will always be discoverable and usable by users in your account.
+The Allowed AMIs feature only controls the discovery and use of public AMIs or AMIs shared with your account. It does not restrict the AMIs owned by your account. Regardless of the criteria you set, the AMIs created by your account are always discoverable and usable by users in your account.
@@ -19 +19 @@ The Allowed AMIs feature only controls the discovery and use of public AMIs or A
-**Key benefits of Allowed AMIs**
+###### Key benefits of Allowed AMIs
@@ -38,13 +38 @@ The Allowed AMIs feature only controls the discovery and use of public AMIs or A
-  * Enable audit mode and specify criteria
-
-  * Enable Allowed AMIs
-
-  * Disable Allowed AMIs
-
-  * Update Allowed AMIs criteria
-
-  * Identify Allowed AMIs state and criteria
-
-  * Identify AMIs that meet the Allowed AMIs criteria
-
-  * Identify whether instances were launched with AMIs that aren't allowed
+  * [Manage the settings for Allowed AMIs](./manage-settings-allowed-amis.html)
@@ -204 +192 @@ CLI: Run the [describe-instance-image-metadata](https://awscli.amazonaws.com/v2/
-For the console and CLI instructions, see Identify whether instances were launched with AMIs that aren't allowed.
+For the console and CLI instructions, see [Find instances launched from AMIs that aren't allowed](./manage-settings-allowed-amis.html#identify-instances-with-allowed-AMIs).
@@ -242,476 +229,0 @@ To use the Allowed AMIs feature, you need the following IAM permissions:
-## Enable audit mode and specify criteria
-
-Use the following procedures to enable the audit mode for Allowed AMIs and specify the Allowed AMIs criteria in your account for the specified Region.
-
-Console
-    
-
-###### To enable audit mode and specify criteria for Allowed AMIs
-
-  1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
-
-  2. In the navigation pane, choose **Dashboard**.
-
-  3. Under **Account attributes** (top right), choose **Allowed AMIs**.
-
-  4. On the **Allowed AMIs** page, do the following:
-
-    1. Choose **Manage**.
-
-    2. For **Allowed AMIs settings** , choose **Audit mode**.
-
-    3. For **AMI criteria** , specify the criteria in JSON format. Currently, only image providers can be specified as criteria.
-
-For the correct configuration and valid values, see JSON configuration for the Allowed AMIs criteria.
-
-    4. Choose **Update**.
-
-
-
-
-AWS CLI
-    
-
-###### To enable audit mode and specify criteria for Allowed AMIs
-
-  1. **Enable audit mode**
-
-Use the [enable-allowed-images-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-allowed-images-settings.html) command and specify `audit-mode` in the specified Region.
-    
-        aws ec2 enable-allowed-images-settings \
-        --region us-east-1 \
-        --allowed-images-settings-state audit-mode
-
-Expected output
-    
-        {
-    "AllowedImagesSettingsState": "audit-mode"
-    }
-
-  2. **Specify the criteria**
-
-Use the [replace-image-criteria-in-allowed-images-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/replace-image-criteria-in-allowed-images-settings.html) command and reference a JSON file with the image criteria.
-
-Currently, only image providers are supported for image criteria. For the correct configuration and valid values, see JSON configuration for the Allowed AMIs criteria.
-    
-        aws ec2 replace-image-criteria-in-allowed-images-settings \
-        --region us-east-1 \
-        --cli-input-json file://path/to/image-criteria.json
-
-
-
-
-## Enable Allowed AMIs
-
-Use the following procedures to enable Allowed AMIs in your account for the specified Region.
-
-Console
-    
-
-###### To enable Allowed AMIs
-
-  1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
-
-  2. In the navigation pane, choose **Dashboard**.
-
-  3. Under **Account attributes** (top right), choose **Allowed AMIs**.
-
-  4. On the **Allowed AMIs** page, do the following:
-
-    1. Choose **Manage**.
-
-    2. For **Allowed AMIs settings** , choose **Enabled**.
-
-    3. For **AMI criteria** , specify the criteria in JSON format. Currently, only image providers can be specified as criteria.
-
-For the correct configuration and valid values, see JSON configuration for the Allowed AMIs criteria.
-
-    4. Choose **Update**.
-
-
-
-
-AWS CLI
-    
-
-###### To enable Allowed AMIs and specify criteria for Allowed AMIs
-
-  1. **Enable Allowed AMIs**
-
-Use the [enable-allowed-images-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-allowed-images-settings.html) command and specify `enable` in the specified Region.
-    
-        aws ec2 enable-allowed-images-settings \
-        --region us-east-1 \
-        --allowed-images-settings-state enabled
-
-Expected output
-    
-        {
-    "AllowedImagesSettingsState": "enabled"
-    }
-
-  2. **Specify the criteria**
-
-Use the [replace-image-criteria-in-allowed-images-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/replace-image-criteria-in-allowed-images-settings.html) command and reference a JSON file with the image criteria.
-
-Currently, only image providers are supported for image criteria. For the correct configuration and valid values, see JSON configuration for the Allowed AMIs criteria.
-    
-        aws ec2 replace-image-criteria-in-allowed-images-settings \
-        --region us-east-1 \
-        --cli-input-json file://path/to/image-criteria.json
-
-
-
-
-## Disable Allowed AMIs
-
-Use the following procedures to disable Allowed AMIs in your account for the specified Region.
-
-Console
-    
-
-###### To disable Allowed AMIs
-
-  1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
-
-  2. In the navigation pane, choose **Dashboard**.
-
-  3. Under **Account attributes** (top right), choose **Allowed AMIs**.
-
-  4. On the **Allowed AMIs** page, do the following:
-
-    1. Choose **Manage**.
-
-    2. For **Allowed AMIs settings** , choose **Disabled**.
-
-    3. Choose **Update**.
-
-
-
-
-AWS CLI
-    
-
-###### To disable Allowed AMIs
-
-Use the [disable-allowed-images-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-allowed-images-settings.html) command to disable Allowed AMIs in the specified Region.
-    
-    
-    aws ec2 disable-allowed-images-settings \
-        --region us-east-1
-
-Expected output
-    
-    
-    {
-    "AllowedImagesSettingsState": "disabled"
-    }
-