I have a number of Amazon Machine Images (AMIs) which need to be kept private, but shared with a growing number of partners and customers, each using a distinct AWS account. Each account should be able to launch instances using my AMI.
AWS supports this trivially by letting you add Amazon account numbers to the AMI's ACL, but it appears that this approach is limited to 10 accounts. If I have 50 customers, I can't share an AMI with them all this way.
The logical consideration is using a policy to grant this access, but I'm having trouble formulating such a policy. There is a policy property for granting access to a foreign principal:
"Principal": {"AWS": "accountnumber"}
but this is rejected by the validator when I try to write a policy that gives access to a specific AMI's ARN. I can't find any examples of this elsewhere. Does anyone have clues or suggestions? Does this approach even work?
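The launch-permission route the question mentions (the AMI's own account list), written up as an added example that is not from the original post: it reconciles an AMI's launch permissions against a desired partner list with boto3's describe_image_attribute / modify_image_attribute, revoking accounts that are no longer partners and refusing to proceed if the AMI has been made public. The AMI ID, account IDs and the batch size are constructed placeholders and assumptions.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def parse_launch_permissions(resp):
    """Extract account IDs from a describe_image_attribute(Attribute='launchPermission')
    response. Stop if the image is public (Group 'all'): these AMIs must stay private."""
    perms = resp.get("LaunchPermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        raise RuntimeError("AMI is public: launch permission granted to group 'all'")
    return [p["UserId"] for p in perms if "UserId" in p]


def plan_changes(current, desired):
    """Return (to_add, to_remove): accounts to grant and, for least privilege,
    accounts no longer on the partner list to revoke. Validates 12-digit IDs."""
    bad = [a for a in desired if not ACCOUNT_ID_RE.fullmatch(str(a))]
    if bad:
        raise ValueError(f"malformed account IDs: {bad}")
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


def build_requests(image_id, to_add, to_remove, batch=20):
    """Build modify_image_attribute keyword arguments, batched so a long account
    list goes out in several calls (the batch size is an assumption, not an AWS limit)."""
    reqs = []
    for op, ids in (("Add", to_add), ("Remove", to_remove)):
        for i in range(0, len(ids), batch):
            reqs.append({"ImageId": image_id,
                         "LaunchPermission": {op: [{"UserId": a} for a in ids[i:i + batch]]}})
    return reqs


def reconcile(ec2, image_id, desired):
    """Bring the AMI's launch permissions in line with `desired` using a boto3 EC2 client."""
    resp = ec2.describe_image_attribute(ImageId=image_id, Attribute="launchPermission")
    to_add, to_remove = plan_changes(parse_launch_permissions(resp), desired)
    for req in build_requests(image_id, to_add, to_remove):
        ec2.modify_image_attribute(**req)
    return to_add, to_remove


if __name__ == "__main__":
    import boto3  # only needed for a live run against AWS
    # Constructed placeholders: replace with the real AMI ID and partner account IDs.
    print(reconcile(boto3.client("ec2"), "ami-0123456789abcdef0",
                    ["111111111111", "222222222222"]))
```

Run it from the AMI owner's account on a schedule, diffing the partner list from your source of record, so revoked partners lose launch access instead of accumulating.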