Tagging EC2 AMIs and Cross-Account Sharing
Let’s paint a picture:
You manage a vast array of AWS accounts across many different OUs and environments. Your team has spent a lot of time coming up with an excellent CI/CD solution to pump out hardened AMIs. Here’s some ‘gotchas I have ran into recently surrounding this topic.
You can share an AMI with specific AWS accounts without making the AMI public. All you need are the AWS account IDs.
“All you need” makes things sound super easy. In general, they are. But if you are working with a large organization which utilizes multiple AWS accounts, it is generally considered best practice that you create “golden” AMIs in one account and share them “out” to other accounts or OUs for use in application deployment or infrastructure rollout.
You can’t share user-defined tags (tags that you attach to an AMI). When you share an AMI, your user-defined tags are not available to any AWS account that the AMI is shared with.
To be clear, this means that any kind of tagging metadata that you attach to your “golden” images is effectively wiped when you share the AMIs with other accounts. This means you cannot use these tags with tools such as Cloud Custodian (c7n) to automate cleanup or reporting. Nor can you create SCPs which would prevent ec2:RunInstances action.
The solution to all this of course is to make sure that when you copy AMIs across accounts to also copy any tags that are attached to the AMI resource. How will we accomplish this? Hopefully coming in another post very soon…