Troubleshooting: Shared AWS AMI Not Visible in Target Account – EC2 Permissions and Discovery Guide



After modifying the AMI permissions using either the AWS console or CLI, the target account still can't see the shared AMI. Here's what I've learned through painful experience:

1. Triple-check the account ID format:

# Correct format (12 digits, no hyphens)
aws ec2 modify-image-attribute \
    --image-id ami-1234567890abcdef0 \
    --launch-permission "Add=[{UserId=123456789012}]"

2. Verify the AMI actually exists in the source account:

# Should print "available"; a pending or failed image cannot be shared or launched
aws ec2 describe-images \
    --image-ids ami-1234567890abcdef0 \
    --query 'Images[0].State'

AMIs are region-specific. The target account must look in the same region where the AMI was shared. To check regions:

# In source account
aws ec2 describe-regions --output table

# In target account (ensure you're in the same region as the shared AMI)
aws configure set region us-east-1

In the target account console, use these precise filters:

  • Under "Owned by" select "Private images"
  • Add filter: "Image Location" contains "account-id"

Or via CLI:

# In target account: list images this account has explicit launch permission on,
# then keep those whose ImageLocation starts with the source account ID
# (JMESPath string literals need quotes, and owner-alias=amazon would only match Amazon-owned images)
aws ec2 describe-images \
    --executable-users self \
    --filters Name=is-public,Values=false \
    --query "Images[?contains(ImageLocation, '123456789012')]"

If the AMI still doesn't appear, try these advanced checks:

# Check effective permissions (source account)
aws ec2 describe-image-attribute \
    --image-id ami-1234567890abcdef0 \
    --attribute launchPermission

# Cross-account test launch (target account)
# DryRunOperation means the launch would be allowed; UnauthorizedOperation or
# InvalidAMIID.NotFound means the AMI is not usable from this account
aws ec2 run-instances \
    --image-id ami-1234567890abcdef0 \
    --instance-type t2.micro \
    --dry-run

Remember that AWS Organizations SCPs or IAM policies might override AMI sharing permissions at higher levels.


When sharing AMIs between AWS accounts, the process involves several steps that must be correctly executed:

aws ec2 modify-image-attribute \
    --image-id ami-1234567890abcdef0 \
    --launch-permission "Add=[{UserId=123456789012}]"

Based on my experience managing AWS infrastructure, these are the most frequent causes:

  • Region mismatch between source and target accounts
  • Incomplete AMI permissions propagation (AWS typically takes 10-15 minutes)
  • Incorrect filtering in the EC2 console
  • Underlying snapshot permissions not shared

Try these AWS CLI commands to check visibility:

# List AMIs shared with this account (explicit launch permission), with their owner;
# --owners self amazon would only return your own and Amazon-owned images
aws ec2 describe-images --executable-users self --query 'Images[*].[ImageId,Name,OwnerId]' --output table

# Check specific AMI attributes
aws ec2 describe-image-attribute \
    --image-id ami-1234567890abcdef0 \
    --attribute launchPermission

If basic checks don't work, try these advanced methods:

# Cross-account verification (replace with your details)
# Prints temporary credentials to stdout; export them as AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN before running describe-images again
aws sts assume-role \
    --role-arn "arn:aws:iam::123456789012:role/AMI-Sharing-Role" \
    --role-session-name "AMIVerification" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text

Then use the temporary credentials to verify AMI access.

Here's a complete Python script I've used to automate AMI sharing with verification:

import time

import boto3
from botocore.exceptions import ClientError


def share_ami_with_verification(target_account_id, ami_id, region='us-east-1',
                                role_name='AMI-Verification-Role', timeout=900):
    ec2 = boto3.client('ec2', region_name=region)

    # Share AMI with the target account
    ec2.modify_image_attribute(
        ImageId=ami_id,
        LaunchPermission={'Add': [{'UserId': target_account_id}]}
    )

    # Assume a role in the target account so the check runs from its side
    sts = boto3.client('sts')
    assumed_role = sts.assume_role(
        RoleArn=f"arn:aws:iam::{target_account_id}:role/{role_name}",
        RoleSessionName="AMIVerification"
    )
    creds = assumed_role['Credentials']

    temp_ec2 = boto3.client(
        'ec2',
        aws_access_key_id=creds['AccessKeyId'],
        aws_secret_access_key=creds['SecretAccessKey'],
        aws_session_token=creds['SessionToken'],
        region_name=region
    )

    # Poll up to `timeout` seconds (15 minutes by default) instead of sleeping
    # blindly; describe_images raises InvalidAMIID.NotFound until the target
    # account can see the image
    deadline = time.time() + timeout
    while True:
        try:
            response = temp_ec2.describe_images(ImageIds=[ami_id])
            if response['Images']:
                return True
        except ClientError as e:
            if e.response['Error']['Code'] != 'InvalidAMIID.NotFound':
                print(f"Verification failed: {e}")
                return False
        if time.time() >= deadline:
            return False
        time.sleep(30)

When using the AWS Management Console:

  1. Navigate to EC2 -> AMIs
  2. Click the dropdown for "Owned by me"
  3. Select "Private images" and "Shared with me"
  4. Use the search bar with the exact AMI ID

Remember that AMIs are region-specific. If you've shared an AMI from us-east-1, the recipient must look in the same region. Use this command to check all regions:

# Run from the target account: lists AMIs you have launch permission on in each region
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
do
    echo "Checking region $region"
    aws ec2 describe-images --executable-users self --region "$region" \
        --query 'Images[].[ImageId,OwnerId,Name]' --output text
done
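Both posts above cover sharing the launch permission and checking it, but neither shows the "underlying snapshot permissions not shared" cause in code. The following is an added example (not code from either post or from AWS) that shares an AMI and every EBS snapshot behind it with a target account, then reads both permission sets back from the API the way describe-image-attribute does. It assumes a boto3-shaped EC2 client; the FakeEC2 class and its snapshot IDs are constructed stand-ins so the logic runs offline, and in real use you pass boto3.client('ec2', region_name=...) instead.

```python
"""Share an AMI plus its backing snapshots with another account and verify both.

Added example, not code from the original posts. `FakeEC2` is a constructed
in-memory stand-in for the boto3 calls used; real use passes a boto3 EC2 client.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id):
    """Require a 12-digit string; hyphens or an int with leading zeros lost are
    a common reason the target account never sees the 'shared' AMI."""
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account ID must be exactly 12 digits: {account_id!r}")
    return account_id


def backing_snapshot_ids(image):
    """Snapshot IDs from the AMI's block device mappings; instance-store and
    ephemeral devices have no 'Ebs' key and are skipped."""
    return [m["Ebs"]["SnapshotId"] for m in image.get("BlockDeviceMappings", [])
            if "Ebs" in m and "SnapshotId" in m["Ebs"]]


def share_ami_and_snapshots(ec2, ami_id, target_account_id):
    target = validate_account_id(target_account_id)

    images = ec2.describe_images(ImageIds=[ami_id])["Images"]
    if not images:
        raise RuntimeError(f"{ami_id} not found in this account/region")
    image = images[0]
    if image["State"] != "available":
        raise RuntimeError(f"{ami_id} is {image['State']}, not available")

    # 1. Launch permission on the AMI itself (same call as modify-image-attribute)
    ec2.modify_image_attribute(ImageId=ami_id,
                               LaunchPermission={"Add": [{"UserId": target}]})

    # 2. createVolumePermission on every backing snapshot; without this the
    #    target can list the AMI but the launch fails
    snapshots = backing_snapshot_ids(image)
    for snap in snapshots:
        ec2.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[target])

    # 3. Read back what the API now reports, for the AMI and each snapshot
    perms = ec2.describe_image_attribute(ImageId=ami_id, Attribute="launchPermission")
    ami_ok = any(p.get("UserId") == target for p in perms["LaunchPermissions"])
    snaps_ok = all(
        any(p.get("UserId") == target for p in ec2.describe_snapshot_attribute(
            SnapshotId=s, Attribute="createVolumePermission")["CreateVolumePermissions"])
        for s in snapshots)

    # Encrypted snapshots also need the KMS key policy to grant the target account
    encrypted = [m["Ebs"]["SnapshotId"] for m in image.get("BlockDeviceMappings", [])
                 if m.get("Ebs", {}).get("Encrypted")]
    return {"ami_id": ami_id, "target": target, "snapshots_shared": snapshots,
            "launch_permission_verified": ami_ok,
            "snapshot_permissions_verified": snaps_ok,
            "encrypted_snapshots_needing_kms_grant": encrypted}


class FakeEC2:
    """Constructed stand-in mimicking the boto3 response shapes used above."""

    def __init__(self):
        self.image = {
            "ImageId": "ami-1234567890abcdef0", "State": "available",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0a1b2c3d4e5f60001", "Encrypted": False}},
                {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-0a1b2c3d4e5f60002", "Encrypted": True}},
                {"DeviceName": "/dev/xvdc", "VirtualName": "ephemeral0"},
            ]}
        self.launch_perms = []
        self.snap_perms = {}

    def describe_images(self, ImageIds):
        return {"Images": [self.image] if self.image["ImageId"] in ImageIds else []}

    def modify_image_attribute(self, ImageId, LaunchPermission):
        self.launch_perms.extend(LaunchPermission.get("Add", []))

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, UserIds):
        self.snap_perms.setdefault(SnapshotId, []).extend({"UserId": u} for u in UserIds)

    def describe_image_attribute(self, ImageId, Attribute):
        return {"ImageId": ImageId, "LaunchPermissions": list(self.launch_perms)}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.snap_perms.get(SnapshotId, []))}


if __name__ == "__main__":
    # Offline demo against the fake; swap in boto3.client('ec2', region_name='us-east-1') for real use
    print(share_ami_and_snapshots(FakeEC2(), "ami-1234567890abcdef0", "123456789012"))
```

Run it in the source account with the real client; if launch_permission_verified is True but the target still cannot launch, the snapshot or KMS side of the result is usually where the gap is.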