# Manage and monitor AMI usage
AWS provides several features to help you manage and monitor your AMI usage effectively. You can track which accounts are using your shared AMIs, identify when your AMIs were last used, and discover which resources in your AWS account are referencing specific AMIs.
The following table provides an overview of the features for managing and monitoring AMI usage:
| Feature | Use case | Key benefits |
| --- | --- | --- |
| [AMI usage reports](your-ec2-ami-usage.md) | Gain visibility into which AWS accounts are using your AMIs and how much each AMI is being used. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-ami-usage.html) |
| [Last used tracking](ami-last-launched-time.md) | Check when your AMI was last used. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-ami-usage.html) |
| [AMI reference check](ec2-ami-references.md) | Ensure your AWS resources are using the latest compliant AMIs. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-ami-usage.html) |
**Topics**
+ [View your AMI usage](your-ec2-ami-usage.md)
+ [Check when an Amazon EC2 AMI was last used](ami-last-launched-time.md)
+ [Identify your resources referencing specified AMIs](ec2-ami-references.md)
# View your AMI usage
If you share your Amazon Machine Images (AMIs) with other AWS accounts—whether with specific AWS accounts, organizations, organizational units (OUs), or publicly—you can see how these AMIs are used by creating AMI usage reports. The reports provide visibility into:
+ Which AWS accounts are using your AMIs in EC2 instances or launch templates
+ How many EC2 instances or launch templates are referencing each AMI
AMI usage reports help you manage your AMIs more effectively by helping you:
+ Identify the AWS accounts and resource types referencing your AMIs so that you can safely deregister or disable AMIs.
+ Identify unused AMIs for deregistration to reduce storage costs.
+ Identify your most used AMIs.
**Topics**
+ [How AMI usage reports work](#how-ami-usage-reports-work)
+ [Create an AMI usage report](#create-ami-usage-reports)
+ [View AMI usage reports](#view-ami-usage-reports)
+ [Delete an AMI usage report](#delete-ami-usage-reports)
+ [Report quotas](#ami-usage-report-quotas)
## How AMI usage reports work
When you create an AMI usage report, you specify:
+ The AMI to report on.
+ The AWS accounts to check (specific accounts or all accounts).
+ The resource types to check (EC2 instances, launch templates, or both).
+ For launch templates, the number of versions to check (defaults to the 20 most recent versions).
Amazon EC2 creates a separate report for each AMI. Each report provides:
+ A list of the AWS accounts using the AMI.
+ A count of the resources referencing the AMI by resource type per account. Note that for launch templates, if an AMI is referenced in multiple versions of a launch template, the count is only 1.
**Important**
When you generate an AMI usage report, it might not contain the most recent activity. Instance activity from the past 24 hours and launch template activity from the past few days might not appear in the report.
Amazon EC2 automatically deletes a report 30 days after creation. You can download reports from the EC2 console to retain locally.
## Create an AMI usage report
To view how your AMI is being used, you must first create an AMI usage report, specifying the accounts and resource types to report on. Once the report is created, you can view the contents of the report. You can also download the report from the EC2 console.
------
#### [ Console ]
**To create an AMI usage report**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **AMIs**.
1. Select an AMI and choose **Actions**, **AMI usage**, **View my AMI usage**.
1. On the **Create my AMI usage report** page, do the following:
1. For **Resource types**, select one or more resource types to report on.
1. For **Account IDs**, do one of the following:
+ Choose **Specify accounts IDs** and then choose **Add account ID** for each account to report on.
+ Choose **Include all accounts** to report on all accounts.
1. Choose **Create my AMI usage report**.
1. On the AMI page, choose the **My AMI usage** tab.
1. Choose a report ID to view its details.
------
#### [ AWS CLI ]
**To create an AMI usage report for a list of accounts**
Use the [create-image-usage-report](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-image-usage-report.html) command with the following required parameters:
+ `--image-id` – The ID of the AMI to report on.
+ `--resource-types` – The types of resources to check. In the following example, the resource types to check are EC2 instances and launch templates. In addition, the number of launch template versions to check is also specified (`version-depth=100`).
To report on specific accounts, use the `--account-ids` parameter to specify the ID of each account to report on.
```
aws ec2 create-image-usage-report \
--image-id ami-0abcdef1234567890 \
--account-ids 111122223333 444455556666 123456789012 \
--resource-types ResourceType=ec2:Instance \
'ResourceType=ec2:LaunchTemplate,ResourceTypeOptions=[{OptionName=version-depth,OptionValues=100}]'
```
**To create an AMI usage report of all accounts**
To report on all accounts using the specified AMI, use the same command but omit the `--account-ids` parameter.
```
aws ec2 create-image-usage-report \
--image-id ami-0abcdef1234567890 \
--resource-types ResourceType=ec2:Instance \
'ResourceType=ec2:LaunchTemplate,ResourceTypeOptions=[{OptionName=version-depth,OptionValues=100}]'
```
The following is example output.
```
{
"ReportId": "amiur-00b877d192f6b02d0"
}
```
**To monitor the report creation status**
Use the [describe-image-usage-reports](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-usage-reports.html) command and specify the report ID.
```
aws ec2 describe-image-usage-reports --report-ids amiur-00b877d192f6b02d0
```
The following is example output. The initial value of the `State` field is `pending`. To be able to view the report entries, the state must be `available`.
```
{
"ImageUsageReports": [
{
"ImageId": "ami-0e9ae3dc21c2b3a64",
"ReportId": "amiur-abcae3dc21c2b3999",
"ResourceTypes": [
{"ResourceType": "ec2:Instance"}
],
"State": "pending",
"CreationTime": "2025-09-29T13:27:12.322000+00:00",
"ExpirationTime": "2025-10-28T13:27:12.322000+00:00"
}
]
}
```
------
#### [ PowerShell ]
**To create an AMI usage report for a list of accounts**
Use the [New-EC2ImageUsageReport](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2ImageUsageReport.html) cmdlet with the following required parameters:
+ `-ImageId` – The ID of the AMI to report on.
+ `-ResourceType` – The types of resources to check. In the following example, the resource types to check are EC2 instances and launch templates. In addition, the number of launch template versions to check is also specified (`'version-depth' = 100`).
To report on specific accounts, use the `-AccountId` parameter to specify the ID of each account to report on.
```
New-EC2ImageUsageReport `
-ImageId ami-0abcdef1234567890 `
-AccountId 111122223333 444455556666 123456789012 `
-ResourceType @(
@{ResourceType = 'ec2:Instance'},
@{ResourceType = 'ec2:LaunchTemplate'ResourceTypeOptions = @{'version-depth' = 100}
})
```
**To create an AMI usage report of all accounts**
To report on all accounts using the specified AMI, use the same command but omit the `-AccountId` parameter.
```
New-EC2ImageUsageReport `
-ImageId ami-0abcdef1234567890 `
-ResourceType @(
@{ResourceType = 'ec2:Instance'},
@{ResourceType = 'ec2:LaunchTemplate'ResourceTypeOptions = @{'version-depth' = 100}
})
```
The following is example output.
```
ReportId
--------
amiur-00b877d192f6b02d0
```
**To monitor the report creation status**
Use the [Get-EC2ImageUsageReport](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageUsageReport.html) command and specify the report ID.
```
Get-EC2ImageUsageReport -ReportId amiur-00b877d192f6b02d0
```
The following is example output. The initial value of the `State` field is `pending`. To be able to view the report entries, the state must be `available`.
```
ImageUsageReports
-----------------
{@{ImageId=ami-0e9ae3dc21c2b3a64; ReportId=amiur-abcae3dc21c2b3999; ResourceTypes=System.Object[]; State=pending; CreationTime=2025-09-29; ExpirationTime=2025-10-28}}
```
------
## View AMI usage reports
You can view all the usage reports you've created for an AMI in the past 30 days. Amazon EC2 automatically deletes a report 30 days after creation.
For each report, you can see the AWS accounts that are using the AMI, and for each account, a count of the resources referencing the AMI by resource type. You can also see when the report creation was initiated. This information is only available when the report is in the **Complete** (console) or `available` (AWS CLI) state.
**Important**
When you generate an AMI usage report, it might not contain the most recent activity. Instance activity from the past 24 hours and launch template activity from the past few days might not appear in the report.
------
#### [ Console ]
**To view an AMI usage report**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **AMIs**.
1. Select an AMI.
1. Choose the **My usage reports** tab.
The report list shows:
+ All reports generated in the past 30 days for the selected AMI.
+ For each report, the **Report initiated time** column shows the date the report was created.
1. Choose the ID of a report to view its contents.
1. To go back to the **My usage reports** tab on the AMI details page, choose **View all reports for this AMI**.
------
#### [ AWS CLI ]
**To list all the AMI usage reports for the specified AMI**
Use the [describe-image-usage-reports](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-usage-reports.html) command and specify the ID of the AMI to get a list of its reports.
```
aws ec2 describe-image-usage-reports --image-ids ami-0abcdef1234567890
```
The following is example output. Each report ID is listed along with the resource types that were scanned and the report creation and expiration dates. You can use this information to identify the reports whose entries you want to view.
```
{
"ImageUsageReports": [
{
"ImageId": "ami-0abcdef1234567890",
"ReportId": "amiur-1111111111111111",
"ResourceTypes": [
{
"ResourceType": "ec2:Instance"
}
],
"State": "available",
"CreationTime": "2025-09-29T13:27:12.322000+00:00",
"ExpirationTime": "2025-10-28T13:27:12.322000+00:00",
"Tags": []
},
{
"ImageId": "ami-0abcdef1234567890",
"ReportId": "amiur-22222222222222222",
"ResourceTypes": [
{
"ResourceType": "ec2:Instance"
},
{
"ResourceType": "ec2:LaunchTemplate"
}
],
"State": "available",
"CreationTime": "2025-10-01T13:27:12.322000+00:00",
"ExpirationTime": "2025-10-30T13:27:12.322000+00:00",
"Tags": []
}
],
"NextToken": "opaque"
}
```
**To view the contents of an AMI usage report for the specified AMI**
Use the [describe-image-usage-report-entries](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-usage-report-entries.html) command and specify the ID of the AMI. The response returns all the reports for the specified AMI, showing the accounts that have used the AMI and their resource counts.
```
aws ec2 describe-image-usage-report-entries --image-ids ami-0abcdef1234567890
```
The following is example output.
```
{
"ImageUsageReportEntries": [
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:Instance",
"AccountId": "123412341234",
"UsageCount": 15,
"ReportCreationTime": "2025-09-29T13:27:12.322000+00:00",
"ReportId": "amiur-1111111111111111"
},
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:Instance",
"AccountId": "123412341234",
"UsageCount": 2,
"ReportCreationTime": "2025-10-01T13:27:12.322000+00:00",
"ReportId": "amiur-22222222222222222"
},
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:Instance",
"AccountId": "001100110011",
"UsageCount": 39,
"ReportCreationTime": "2025-10-01T13:27:12.322000+00:00",
"ReportId": "amiur-22222222222222222"
}
],
"NextToken": "opaque"
}
```
**To view the contents of an AMI usage report for the specified report**
Use the [describe-image-usage-report-entries](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-usage-report-entries.html) command and specify the ID of the report. The response returns all the entries for the specified report, showing the accounts that have used the AMI and their resource counts.
```
aws ec2 describe-image-usage-report-entries --report-ids amiur-11111111111111111
```
The following is example output.
```
{
"ImageUsageReportEntries": [
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:Instance",
"AccountId": "123412341234",
"UsageCount": 15,
"ReportCreationTime": "2025-09-29T13:27:12.322000+00:00",
"ReportId": "amiur-11111111111111111"
},
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:LaunchTemplate",
"AccountId": "123412341234",
"UsageCount": 4,
"ReportCreationTime": "2025-09-29T13:27:12.322000+00:00",
"ReportId": "amiur-11111111111111111"
},
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:LaunchTemplate",
"AccountId": "001100110011",
"UsageCount": 2,
"ReportCreationTime": "2025-09-29T13:27:12.322000+00:00",
"ReportId": "amiur-11111111111111111"
}
],
"NextToken": "opaque"
}
```
------
#### [ PowerShell ]
**To list all the AMI usage reports for the specified AMI**
Use the [Get-EC2ImageUsageReport](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageUsageReport.html) cmdlet and specify the ID of the AMI to get a list of its reports.
```
Get-EC2ImageUsageReport -ImageId ami-0abcdef1234567890
```
The following is example output. Each report ID is listed along with the resource types that were scanned and the report creation and expiration dates. You can use this information to identify the reports whose entries you want to view.
```
@{
ImageUsageReports = @(
@{
ImageId = "ami-0abcdef1234567890"
ReportId = "amiur-1111111111111111"
ResourceTypes = @(
@{
ResourceType = "ec2:Instance"
}
)
State = "available"
CreationTime = "2025-09-29T13:27:12.322000+00:00"
ExpirationTime = "2025-10-28T13:27:12.322000+00:00"
},
@{
ImageId = "ami-0abcdef1234567890"
ReportId = "amiur-22222222222222222"
ResourceTypes = @(
@{
ResourceType = "ec2:Instance"
}
)
State = "available"
CreationTime = "2025-09-30T13:27:12.322000+00:00"
ExpirationTime = "2025-10-29T13:27:12.322000+00:00"
},
@{
ImageId = "ami-0abcdef1234567890"
ReportId = "amiur-33333333333333333"
ResourceTypes = @(
@{
ResourceType = "ec2:Instance"
}
)
State = "available"
CreationTime = "2025-10-01T13:27:12.322000+00:00"
ExpirationTime = "2025-10-30T13:27:12.322000+00:00"
}
)
NextToken = "opaque"
}
```
**To view the contents of an AMI usage report for the specified AMI**
Use the [Get-EC2ImageUsageReportEntry](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageUsageReportEntry.html) cmdlet and specify the ID of the AMI. The response returns all the reports for the specified AMI, showing the accounts that have used the AMI and their resource counts.
```
Get-EC2ImageUsageReportEntry -ImageId ami-0abcdef1234567890
```
The following is example output.
```
ImageUsageReportEntries : {@{
ImageId = "ami-0abcdef1234567890"
ResourceType = "ec2:Instance"
AccountId = "123412341234"
UsageCount = 15
ReportCreationTime = "2025-09-29T13:27:12.322000+00:00"
ReportId = "amiur-1111111111111111"
}, @{
ImageId = "ami-0abcdef1234567890"
ResourceType = "ec2:Instance"
AccountId = "123412341234"
UsageCount = 7
ReportCreationTime = "2025-09-30T13:27:12.322000+00:00"
ReportId = "amiur-22222222222222222"
}...}
NextToken : opaque
```
**To view the contents of an AMI usage report for the specified report**
Use the [Get-EC2ImageUsageReportEntry](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageUsageReportEntry.html) cmdlet and specify the ID of the report. The response returns all the entries for the specified report, showing the accounts that have used the AMI and their resource counts.
```
Get-EC2ImageUsageReportEntry -ReportId amiur-11111111111111111
```
The following is example output.
```
ImageUsageReportEntries : {@{
ImageId = "ami-0abcdef1234567890"
ResourceType = "ec2:Instance"
AccountId = "123412341234"
UsageCount = 15
ReportCreationTime = "2025-09-29T13:27:12.322000+00:00"
ReportId = "amiur-11111111111111111"
}, @{
ImageId = "ami-0abcdef1234567890"
ResourceType = "ec2:LaunchTemplate"
AccountId = "123412341234"
UsageCount = 4
ReportCreationTime = "2025-09-29T13:27:12.322000+00:00"
ReportId = "amiur-11111111111111111"
}, @{
ImageId = "ami-0abcdef1234567890"
ResourceType = "ec2:LaunchTemplate"
AccountId = "************"
UsageCount = 2
ReportCreationTime = "2025-09-29T13:27:12.322000+00:00"
ReportId = "amiur-11111111111111111"
}}
NextToken : opaque
```
------
## Delete an AMI usage report
Amazon EC2 automatically deletes a report 30 days after it was created. You can delete it manually before that time.
------
#### [ Console ]
**To delete an AMI usage report**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **AMIs**.
1. Select an AMI.
1. Choose the **My AMI usage** tab.
1. Choose the option button next to the report to delete, and then choose **Delete**.
------
#### [ AWS CLI ]
**To delete an AMI usage report**
Use the [delete-image-usage-report](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-image-usage-report.html) command and specify the ID of the report.
```
aws ec2 delete-image-usage-report --report-id amiur-0123456789abcdefg
```
------
#### [ PowerShell ]
**To delete an AMI usage report**
Use the [Remove-EC2ImageUsageReport](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2ImageUsageReport.html) cmdlet and specify the ID of the report.
```
Remove-EC2ImageUsageReport -ReportId amiur-0123456789abcdefg
```
------
## Report quotas
The following quotas apply to creating AMI usage reports. The quotas apply per AWS Region.
| Description | Quota |
| --- | --- |
| In-progress (pending) AMI usage reports per AWS account | 2,000 |
| In-progress (pending) AMI usage reports per AMI | 1 |
# Check when an Amazon EC2 AMI was last used
Amazon EC2 automatically tracks the date and time when an AMI was last used to launch an instance. If you have an AMI that has not been used to launch an instance in a long time, consider whether the AMI is a good candidate for [deregistration](deregister-ami.md) or [deprecation](ami-deprecate.md).
**Considerations**
+ When an AMI is used to launch an instance, there is a 24-hour delay before that usage is reported.
+ You must be the owner of the AMI to get the last launched time.
+ AMI usage data is available starting April 2017.
------
#### [ Console ]
**To view the last launched time of an AMI**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the left navigation pane, choose **AMIs**.
1. From the filter bar, choose **Owned by me**.
1. Select the checkbox for the AMI.
1. On the **Details** tab, find **Last launched time**.
------
#### [ AWS CLI ]
**To view the last launched time by describing the AMI**
Use the [describe-images](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html) command. If `LastLaunchedTime` is not present in the output, verify that you own the AMI.
```
aws ec2 describe-images \
--image-id ami-0abcdef1234567890 \
--query Images[].LastLaunchedTime \
--output text
```
The following is example output.
```
2025-02-17T20:22:19Z
```
**To view the last launched time attribute of an AMI**
Use the [describe-image-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-attribute.html) command. You must be the owner of the specified AMI.
```
aws ec2 describe-image-attribute \
--image-id ami-0abcdef1234567890 \
--attribute lastLaunchedTime \
--query LastLaunchedTime.Value \
--output text
```
The following is example output.
```
2025-02-17T20:22:19Z
```
------
#### [ PowerShell ]
**To view the last launched time by describing the AMI**
Use the [Get-EC2Image](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Image.html) cmdlet. If `LastLaunchedTime` is not present in the output, verify that you own the AMI.
```
(Get-EC2Image -ImageId ami-0abcdef1234567890).LastLaunchedTime
```
The following is example output.
```
2025-02-17T20:22:19Z
```
**To view the last launched time attribute of an AMI**
Use the [Get-EC2ImageAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageAttribute.html) cmdlet. You must be the owner of the specified AMI.
```
(Get-EC2ImageAttribute `
-ImageId ami-0abcdef1234567890 `
-Attribute LastLaunchedTime).LastLaunchedTime
```
The following is example output.
```
2025-02-17T20:22:19Z
```
------
# Identify your resources referencing specified AMIs
You can identify your AWS resources that reference specified Amazon Machine Images (AMIs), regardless of whether the AMIs are public or private, or who owns them. This visibility helps you ensure your resources use the latest compliant AMIs.
**Key benefits**
Checking AMI references helps you:
+ Audit the use of AMIs in your account.
+ Check where specific AMIs are being referenced.
+ Maintain compliance by updating your resources to reference the latest AMIs.
**Topics**
+ [Supported resources](#ec2-ami-references-supported-resources)
+ [How AMI reference checks work](#how-ami-references-works)
+ [Required IAM permissions](#ami-references-required-permissions)
+ [Steps for checking AMI references](#ami-reference-procedures)
## Supported resources
AMI references can be checked in:
+ EC2 instances
+ Launch templates
+ SSM parameters
+ Image Builder image recipes
+ Image Builder container recipes
## How AMI reference checks work
**Basic operation**
When you run an AMI reference check, you:
+ Specify which AMIs to check.
+ Choose which resource types to scan.
+ Receive a list of your resources that reference the specified AMIs.
**Resource type selection**
In the console, you select the resource types to scan.
In the CLI, you specify resource types to scan using one or both of the following CLI parameters:
+ `IncludeAllResourceTypes`: Scans all supported resource types.
+ `ResourceTypes`: Scans your specified resource types.
**Response scoping**
You can scope the response for EC2 instances and launch templates by customizing the `ResourceTypeOptions` values using the `ResourceTypes` parameter. The console and `IncludeAllResourceTypes` parameter both use default option values. When `ResourceTypes` and `IncludeAllResourceTypes` are used together, the `ResourceTypes` option values take precedence over the defaults.
The following are the default values:
| Resource type | Scoping option (`OptionName`) | Purpose | Default values for `OptionValue` and console |
| --- | --- | --- | --- |
| EC2 instances | state-name | Filter by instance state | pending, running, shutting-down, terminated, stopping, stopped (all states) |
| Launch templates | version-depth | Specify the number of launch template versions to check (starting from the most recent version) | 10 (most recent versions) |
## Required IAM permissions
To use the DescribeImageReferences API to identify your resources that are referencing specified AMIs, you need the following IAM permissions to describe the resources:
+ `ec2:DescribeInstances`
+ `ec2:DescribeLaunchTemplates`
+ `ec2:DescribeLaunchTemplateVersions`
+ `ssm:DescribeParameters`
+ `ssm:GetParameters`
+ `imagebuilder:ListImageRecipes`
+ `imagebuilder:ListContainerRecipes`
+ `imagebuilder:GetContainerRecipe`
**Example IAM policy for using the DescribeImageReferences API**
The following example policy grants you the permissions to use the DescribeImageReferences API, which includes the permissions to describe EC2 instances, launch templates, Systems Manager parameters, Image Builder image recipes, and Image Builder container recipes.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeImageReferences",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ssm:DescribeParameters",
"ssm:GetParameters",
"imagebuilder:ListImageRecipes",
"imagebuilder:ListContainerRecipes",
"imagebuilder:GetContainerRecipe"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"ec2-images.amazonaws.com"
]
}
}
}
]
}
```
------
**Important**
We strongly recommend using the AWS managed policy [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ImageReferencesAccessPolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ImageReferencesAccessPolicy.html) instead of creating the policy yourself. Creating a custom IAM policy that provides only the required permissions requires time and expertise, and will require updates as new resource types become available.
The `AmazonEC2ImageReferencesAccessPolicy` managed policy:
Grants all the permissions needed to use the DescribeImageReferences API (these include the permissions to describe EC2 instances, launch templates, Systems Manager parameters, and Image Builder container and image recipes).
Automatically supports new resource types as they become available (especially important when using the `IncludeAllResourceTypes` parameter).
You can attach the `AmazonEC2ImageReferencesAccessPolicy` policy to your IAM identities (users, groups, and roles).
To view the permissions included in this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ImageReferencesAccessPolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ImageReferencesAccessPolicy.html) in the *AWS Managed Policy Reference*.
## Steps for checking AMI references
Use the following procedures to identify which of your AWS resources are referencing specified AMIs.
------
#### [ Console ]
**To identify resources referencing specified AMIs**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **AMIs**.
1. Select one or more AMIs to check for references.
1. Choose **Actions**, **AMI usage**, **View referenced resources**.
1. On the **View resources referencing selected AMIs** page:
1. For **Resource types**, select one or more resource types.
1. Choose **View resources**.
1. The **Resources referencing selected AMIs** section appears. The list displays the resources referencing the specified AMIs. Each row provides the following information:
+ **AMI ID** – The ID of the referenced AMI.
+ **Resource type** – The resource type of the resource referencing the AMI.
+ **Resource ID** – The ID of the resource referencing the AMI.
------
#### [ AWS CLI ]
**To check AMI references for specific resource types**
Use the [describe-image-references](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-references.html) command with the `--resource-types` parameter. The following example checks EC2 instances (scoping by instance state), launch templates (scoping to the 20 most recent launch template versions), and other specific resource types.
```
aws ec2 describe-image-references \
--image-ids ami-0abcdef1234567890 ami-1234567890abcdef0 \
--resource-types \
'ResourceType=ec2:Instance,ResourceTypeOptions=[{OptionName=state-name,OptionValues=[running,pending]}]' \
'ResourceType=ec2:LaunchTemplate,ResourceTypeOptions=[{OptionName=version-depth,OptionValues=[20]}]' \
'ResourceType=ssm:Parameter' \
'ResourceType=imagebuilder:ImageRecipe' \
'ResourceType=imagebuilder:ContainerRecipe'
```
The following is example output.
```
{
"ImageReferences": [
{
"ImageId": "ami-0abcdef1234567890",
"ResourceType": "ec2:Instance",
"Arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
},
{
"ImageId": "ami-1234567890abcdef0",
"ResourceType": "ec2:LaunchTemplate",
"Arn": "arn:aws:ec2:us-east-1:123456789012:launch-template/lt-1234567890abcdef0"
}
]
}
```
**To check AMI references for all the supported resource types**
Use the [describe-image-references](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-references.html) command with the `--include-all-resource-types` parameter.
```
aws ec2 describe-image-references \
--image-ids ami-0abcdef1234567890 ami-1234567890abcdef0 \
--include-all-resource-types
```
**To check AMI references for all supported resource types and specific options**
Use the [describe-image-references](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-image-references.html) command with both the `--include-all-resource-types` and `--resource-types` parameters. This example checks all resource types while scoping the response for EC2 instances to running or pending instances.
```
aws ec2 describe-image-references \
--image-ids ami-0abcdef1234567890 ami-1234567890abcdef0 \
--include-all-resource-types \
--resource-types 'ResourceType=ec2:Instance,ResourceTypeOptions=[{OptionName=state-name,OptionValues=[running,pending]}]'
```
------
#### [ PowerShell ]
**To check AMI references for specific resource types**
Use the [Get-EC2ImageReference](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageReference.html) cmdlet with the `-ResourceType` parameter. The following example checks EC2 instances (scoping by instance state), launch templates (scoping to the 20 most recent launch template versions), and other specific resource types.
```
Get-EC2ImageReference `
-ImageId 'ami-0abcdef1234567890', 'ami-1234567890abcdef0' `
-ResourceType @(
@{
ResourceType = 'ec2:Instance'
ResourceTypeOptions = @(
@{
OptionName = 'state-name'
OptionValues = @('running', 'pending')
}
)
},
@{
ResourceType = 'ec2:LaunchTemplate'
ResourceTypeOptions = @(
@{
OptionName = 'version-depth'
OptionValues = @('20')
}
)
},
@{
ResourceType = 'ssm:Parameter'
},
@{
ResourceType = 'imagebuilder:ImageRecipe'
},
@{
ResourceType = 'imagebuilder:ContainerRecipe'
}
)
```
**To check AMI references for all the supported resource types**
Use the [Get-EC2ImageReference](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageReference.html) cmdlet with the `-IncludeAllResourceTypes` parameter.
```
Get-EC2ImageReference `
-ImageId 'ami-0abcdef1234567890', 'ami-1234567890abcdef0' `
-IncludeAllResourceTypes
```
**To check AMI references for all supported resource types and specific options**
Use the [Get-EC2ImageReference](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2ImageReference.html) cmdlet with both the `-IncludeAllResourceTypes` and `-ResourceType` parameters. This example checks all resource types while scoping the response for EC2 instances to running or pending instances.
```
Get-EC2ImageReference `
-ImageId 'ami-0abcdef1234567890', 'ami-1234567890abcdef0' `
-IncludeAllResourceTypes `
-ResourceType @(
@{
ResourceType = 'ec2:Instance'
ResourceTypeOptions = @(
@{
OptionName = 'state-name'
OptionValues = @('running', 'pending')
}
)
}
)
```
------