Authorize other AWS accounts for EC2 AMI access

0

I have a number of Amazon Machine Images (AMIs) which need to be kept private, but shared with a growing number of partners and customers, each using a distinct AWS account. Each account should be able to launch instances using my AMI.

AWS supports this trivially by letting you add Amazon account numbers to the AMI's ACL, but it appears that this approach is limited to 10 accounts. If I have 50 customers, I can't share an AMI with them all this way.

The logical consideration is using a policy to grant this access, but I'm having trouble formulating such a policy. There is a policy property for granting access to a foreign principal:

"Principal": {"AWS": "accountnumber"}

but this is rejected by the validator when I try to write a policy that gives access to a specific AMI's ARN. I can't find any examples of this elsewhere. Does anyone have clues or suggestions? Does this approach even work?

dgc

Posted 2016-10-11T19:40:47.217

Reputation: 101

Answers

0

Turns out we misinterpreted some data, and there's not a limit of 10 accounts. We haven't found any documentation of what the limit is, but it's at least 5700. I found this by extracting a list of 5700 account IDs from the list of public images in us-west and applying them to a dummy AMI that I made for the purpose of the test. Code if anyone is interested:

# Dump every image visible in the region (public ones included) to a file.
aws --profile dgc@domain --region us-west-2 ec2 describe-images >images.json

# Pull the owner account ID of each image and keep one copy of each.
jq -r '.Images[].OwnerId' <images.json | sort -u >ids.txt

wc -l ids.txt
5705

# Build the launch-permission document. The final placeholder entry closes
# the array without a trailing comma; substitute one more real account ID.
(
    echo '{"Add":['
    for id in $(cat ids.txt); do
        echo '{"UserId":"'$id'"},'
    done
    echo '{"UserId":"##one-last-id-to-end-the-json-array-with##"}'
    echo ']}'
) >perms.json

# Grant launch permission on the test AMI to every account in one call.
aws --profile dgc@domain --region us-west-2 ec2 modify-image-attribute --image-id example-ami-id --launch-permission "$(cat perms.json)"

# Read the permissions back and count how many accounts were accepted.
aws --profile dgc@domain --region us-west-2 ec2 describe-image-attribute --image-id example-ami-id --attribute launchPermission | jq -r '.LaunchPermissions[].UserId' | wc -l
    5706

5706 in, 5706 out.

dgc

Posted 2016-10-11T19:40:47.217

Reputation: 101
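A tidier way to build the launch-permission document from a list of account IDs, as an added example and not code from the answer above: it validates that each line is a 12-digit account ID (so a stray value cannot be granted access by accident), removes duplicates, emits well-formed JSON without a trailing-comma placeholder, and also covers the Remove action for revoking access. The function name and the `ids.txt` input are assumptions for illustration.

```shell
#!/bin/sh
# Build a launch-permission document for `aws ec2 modify-image-attribute`
# from a newline-separated list of AWS account IDs read on stdin.
# Usage: build_launch_permission Add    <ids.txt >perms.json
#        build_launch_permission Remove <ids.txt >perms.json
# Only well-formed 12-digit IDs are kept; anything else is reported on
# stderr and skipped, and duplicates are collapsed. Returns non-zero if
# no usable ID was found, so an empty grant is never applied silently.
build_launch_permission() {
    action="${1:-Add}"
    case "$action" in
        Add|Remove) ;;
        *) echo "build_launch_permission: action must be Add or Remove" >&2; return 2 ;;
    esac
    # Normalise input: drop CRs, spaces and blank lines, then filter and dedupe.
    tr -d '\r ' | grep -v '^$' | awk '
        length($0) == 12 && $0 ~ /^[0-9]+$/ { if (!seen[$0]++) print; next }
        { print "skipping malformed account id: " $0 > "/dev/stderr" }
    ' | {
        count=0
        printf '{"%s":[' "$action"
        while IFS= read -r id; do
            [ "$count" -gt 0 ] && printf ','
            printf '{"UserId":"%s"}' "$id"
            count=$((count + 1))
        done
        printf ']}\n'
        [ "$count" -gt 0 ]
    }
}
```

The resulting file is passed exactly as in the answer: `--launch-permission "$(cat perms.json)"`.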