AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-09-19 · Documentation medium

File: AWSEC2/latest/UserGuide/manage-settings-allowed-amis.md

Summary

Updated AMI management documentation with expanded criteria (Marketplace codes, creation/deprecation dates, image names)

Security assessment

The changes introduce granular controls for allowed AMIs (e.g., deprecation time limits, Marketplace validation), which are security-focused features. This enhances security posture but does not address a specific existing vulnerability.

Diff

diff --git a/AWSEC2/latest/UserGuide/manage-settings-allowed-amis.md b/AWSEC2/latest/UserGuide/manage-settings-allowed-amis.md
index 6e98f26d5..99f4ce1ce 100644
--- a//AWSEC2/latest/UserGuide/manage-settings-allowed-amis.md
+++ b//AWSEC2/latest/UserGuide/manage-settings-allowed-amis.md
@@ -115 +115 @@ AWS CLI
-Use the [replace-image-criteria-in-allowed-images-settings](https://docs.aws.amazon.com/cli/latest/reference/ec2/replace-image-criteria-in-allowed-images-settings.html) command as follows to allow AMIs from Amazon and the specified account.
+Use the [replace-image-criteria-in-allowed-images-settings](https://docs.aws.amazon.com/cli/latest/reference/ec2/replace-image-criteria-in-allowed-images-settings.html) command and specify the JSON file that contains the Allowed AMIs criteria.
@@ -118,2 +118 @@ Use the [replace-image-criteria-in-allowed-images-settings](https://docs.aws.ama
-    aws ec2 replace-image-criteria-in-allowed-images-settings \
-        --image-criteria ImageProviders=amazon,123456789012
+    aws ec2 replace-image-criteria-in-allowed-images-settings --cli-input-json file://file_name.json
@@ -126 +125 @@ PowerShell
-Use the [Set-EC2ImageCriteriaInAllowedImagesSetting](https://docs.aws.amazon.com/powershell/latest/reference/items/Set-EC2ImageCriteriaInAllowedImagesSetting.html) cmdlet as follows to allow AMIs from Amazon and the specified account.
+Use the [Set-EC2ImageCriteriaInAllowedImagesSetting](https://docs.aws.amazon.com/powershell/latest/reference/items/Set-EC2ImageCriteriaInAllowedImagesSetting.html) cmdlet and specify the JSON file that contains the Allowed AMIs criteria.
@@ -129,2 +128 @@ Use the [Set-EC2ImageCriteriaInAllowedImagesSetting](https://docs.aws.amazon.com
-    $imageCriteria = New-Object Amazon.EC2.Model.ImageCriterionRequest
-    $imageCriteria.ImageProviders = @("amazon", "123456789012")
+    $imageCriteria = Get-Content -Path .\file_name.json | ConvertFrom-Json
@@ -209 +207 @@ Use the [get-allowed-images-settings](https://docs.aws.amazon.com/cli/latest/ref
-In the following example output, the state is `audit-mode` and the image provider list includes two providers (`amazon`, plus the specified account).
+In the following example output, the state is `audit-mode` and the image criteria are set in the account.
@@ -214,0 +213,14 @@ In the following example output, the state is `audit-mode` and the image provide
+            {
+                "MarketplaceProductCodes": [
+                    "abcdefg1234567890"
+                ]
+            },
+            {
+                "ImageProviders": [
+                    "123456789012",
+                    "123456789013"
+                ],
+                "CreationDateCondition": {
+                    "MaximumDaysSinceCreated": 300
+                }
+            },
@@ -217,2 +229,4 @@ In the following example output, the state is `audit-mode` and the image provide
-                    "amazon",
-                    "123456789012"
+                    "123456789014"
+                ],
+                "ImageNames": [
+                    "golden-ami-*"
@@ -219,0 +234,8 @@ In the following example output, the state is `audit-mode` and the image provide
+            },
+            {
+                "ImageProviders": [
+                    "amazon"
+                ],
+                "DeprecationTimeCondition": {
+                    "MaximumDaysSinceDeprecated": 0
+                }
@@ -233,2 +255,8 @@ Use the [Get-EC2AllowedImagesSetting](https://docs.aws.amazon.com/powershell/lat
-    Get-EC2AllowedImagesSetting | `
-        Select State, ManagedBy, @{Name='ImageProviders'; Expression={($_.ImageCriteria.ImageProviders)}}
+    Get-EC2AllowedImagesSetting | Select-Object `
+        State, `
+        ManagedBy, `
+        @{Name='ImageProviders'; Expression={($_.ImageCriteria.ImageProviders)}}, `
+        @{Name='MarketplaceProductCodes'; Expression={($_.ImageCriteria.MarketplaceProductCodes)}}, `
+        @{Name='ImageNames'; Expression={($_.ImageCriteria.ImageNames)}}, `
+        @{Name='MaximumDaysSinceCreated'; Expression={($_.ImageCriteria.CreationDateCondition.MaximumDaysSinceCreated)}}, `
+        @{Name='MaximumDaysSinceDeprecated'; Expression={($_.ImageCriteria.DeprecationTimeCondition.MaximumDaysSinceDeprecated)}}
@@ -236 +264 @@ Use the [Get-EC2AllowedImagesSetting](https://docs.aws.amazon.com/powershell/lat
-In the following example output, the state is `audit-mode` and the image provider list includes two providers (`amazon`, plus the specified account).
+In the following example output, the state is `audit-mode` and the image criteria are set in the account.
@@ -239,3 +267,7 @@ In the following example output, the state is `audit-mode` and the image provide
-    State      ManagedBy ImageProviders
-    -----      --------- --------------
-    audit-mode account   {amazon, 123456789012}
+    State      : audit-mode
+    ManagedBy  : account
+    ImageProviders            : {123456789012, 123456789013, 123456789014, amazon}
+    MarketplaceProductCodes   : {abcdefg1234567890}
+    ImageNames                : {golden-ami-*}
+    MaximumDaysSinceCreated  : 300
+    MaximumDaysSinceDeprecated: 0