interface AmiLaunchPermission
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.ImageBuilder.Alpha.AmiLaunchPermission |
| Go | github.com/aws/aws-cdk-go/awsimagebuilderalpha/v2#AmiLaunchPermission |
| Java | software.amazon.awscdk.services.imagebuilder.alpha.AmiLaunchPermission |
| Python | aws_cdk.aws_imagebuilder_alpha.AmiLaunchPermission |
| TypeScript (source) | @aws-cdk/aws-imagebuilder-alpha » AmiLaunchPermission |
The launch permissions for the AMI, defining which principals are allowed to access the AMI.
Example
```ts
const distributionConfiguration = new imagebuilder.DistributionConfiguration(this, 'DistributionConfiguration', {
  distributionConfigurationName: 'test-distribution-configuration',
  description: 'A Distribution Configuration',
  amiDistributions: [
    {
      // Distribute AMI to us-east-2 and publish the AMI ID to an SSM parameter
      region: 'us-east-2',
      ssmParameters: [
        {
          parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'CrossRegionParameter', {
            parameterName: '/imagebuilder/ami',
            forceDynamicReference: true
          })
        }
      ]
    }
  ]
});

// For AMI-based image builds - add an AMI distribution in the current region
distributionConfiguration.addAmiDistributions({
  amiName: 'imagebuilder-{{ imagebuilder:buildDate }}',
  amiDescription: 'Build AMI',
  amiKmsKey: kms.Key.fromLookup(this, 'ComponentKey', { aliasName: 'alias/distribution-encryption-key' }),
  // Copy the AMI to different accounts
  amiTargetAccountIds: ['123456789012', '098765432109'],
  // Add launch permissions on the AMI
  amiLaunchPermission: {
    organizationArns: [
      this.formatArn({ region: '', service: 'organizations', resource: 'organization', resourceName: 'o-1234567abc' })
    ],
    organizationalUnitArns: [
      this.formatArn({
        region: '',
        service: 'organizations',
        resource: 'ou',
        resourceName: 'o-1234567abc/ou-a123-b4567890'
      })
    ],
    isPublicUserGroup: true,
    accountIds: ['234567890123']
  },
  // Attach tags to the AMI
  amiTags: {
    Environment: 'production',
    Version: '{{ imagebuilder:buildVersion }}'
  },
  // Optional - publish the distributed AMI ID to an SSM parameter
  ssmParameters: [
    {
      parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'Parameter', {
        parameterName: '/imagebuilder/ami',
        forceDynamicReference: true
      })
    },
    {
      amiAccount: '098765432109',
      dataType: ssm.ParameterDataType.TEXT,
      parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'CrossAccountParameter', {
        parameterName: 'imagebuilder-prod-ami',
        forceDynamicReference: true
      })
    }
  ],
  // Optional - create a new launch template version with the distributed AMI ID
  launchTemplates: [
    {
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'LaunchTemplate', {
        launchTemplateId: 'lt-1234'
      }),
      setDefaultVersion: true
    },
    {
      accountId: '123456789012',
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'CrossAccountLaunchTemplate', {
        launchTemplateId: 'lt-5678'
      }),
      setDefaultVersion: true
    }
  ],
  // Optional - enable Fast Launch on an imported launch template
  fastLaunchConfigurations: [
    {
      enabled: true,
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'FastLaunchLT', {
        launchTemplateName: 'fast-launch-lt'
      }),
      maxParallelLaunches: 10,
      targetSnapshotCount: 2
    }
  ],
  // Optional - license configurations to apply to the AMI
  licenseConfigurationArns: [
    'arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-abcdefghijklmnopqrstuvwxyz'
  ]
});
```
Properties
| Name | Type | Description |
|---|---|---|
| accountIds? | string[] | The AWS account IDs to share the AMI with. |
| isPublicUserGroup? | boolean | Whether to make the AMI public. Block public access for AMIs must be disabled to make the AMI public. |
| organizationArns? | string[] | The ARNs for the AWS Organization that you want to share the AMI with. |
| organizationalUnitArns? | string[] | The ARNs for the AWS Organizations organizational units to share the AMI with. |
accountIds?
Type: string[] (optional, default: None)
The AWS account IDs to share the AMI with.
isPublicUserGroup?
Type: boolean (optional, default: false)
Whether to make the AMI public. Block public access for AMIs must be disabled to make the AMI public.
WARNING: Making an AMI public exposes it to any AWS account globally. Ensure the AMI does not contain:
- Sensitive data or credentials
- Proprietary software or configurations
- Internal network information or security settings
For more information on blocking public access for AMIs, see: Understand block public access for AMIs
organizationArns?
Type: string[] (optional, default: None)
The ARNs for the AWS Organization that you want to share the AMI with.
organizationalUnitArns?
Type: string[] (optional, default: None)
The ARNs for the AWS Organizations organizational units to share the AMI with.
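The four properties above define the full sharing scope of an AMI, so they are worth checking before deployment. The following is an added example, not part of the CDK documentation or the aws-imagebuilder-alpha module: a pre-deployment check that flags public sharing, unapproved accounts, and organization or OU ARNs outside an expected organization. `LaunchPermissionShape`, `SharingPolicy` and `auditLaunchPermission` are hypothetical names, and the management account ID in the sample ARNs is constructed.

```typescript
// Local mirror of the four AmiLaunchPermission properties documented on this page,
// declared here so the check runs without the CDK installed.
interface LaunchPermissionShape {
  accountIds?: string[];
  isPublicUserGroup?: boolean;
  organizationArns?: string[];
  organizationalUnitArns?: string[];
}

// Hypothetical policy: the only principals this team allows AMIs to be shared with.
interface SharingPolicy {
  allowedAccountIds: string[];
  allowedOrganizationId: string;
}

// ARN shapes for AWS Organizations resources; capture group 1 is the organization ID.
const ORG_ARN = /^arn:[^:]+:organizations::\d{12}:organization\/(o-[a-z0-9]+)$/;
const OU_ARN = /^arn:[^:]+:organizations::\d{12}:ou\/(o-[a-z0-9]+)\/ou-[a-z0-9]+-[a-z0-9]+$/;

// Returns one finding per problem; an empty array means the sharing scope is within policy.
// Assumes fully resolved strings (no unresolved CDK tokens).
function auditLaunchPermission(perm: LaunchPermissionShape, policy: SharingPolicy): string[] {
  const findings: string[] = [];
  if (perm.isPublicUserGroup === true) {
    findings.push('PUBLIC: isPublicUserGroup is true, any AWS account can launch the AMI');
  }
  for (const id of perm.accountIds ?? []) {
    if (!/^\d{12}$/.test(id)) findings.push(`MALFORMED_ACCOUNT: ${id}`);
    else if (!policy.allowedAccountIds.includes(id)) findings.push(`UNAPPROVED_ACCOUNT: ${id}`);
  }
  const checkArns = (arns: string[] | undefined, shape: RegExp, label: string): void => {
    for (const arn of arns ?? []) {
      const match = shape.exec(arn);
      if (match === null) findings.push(`MALFORMED_${label}_ARN: ${arn}`);
      else if (match[1] !== policy.allowedOrganizationId) findings.push(`FOREIGN_${label}: ${arn}`);
    }
  };
  checkArns(perm.organizationArns, ORG_ARN, 'ORG');
  checkArns(perm.organizationalUnitArns, OU_ARN, 'OU');
  return findings;
}

// Constructed sample mirroring the page's example (management account ID is made up).
const samplePermission: LaunchPermissionShape = {
  organizationArns: ['arn:aws:organizations::123456789012:organization/o-1234567abc'],
  organizationalUnitArns: ['arn:aws:organizations::123456789012:ou/o-1234567abc/ou-a123-b4567890'],
  isPublicUserGroup: true,
  accountIds: ['234567890123'],
};
const samplePolicy: SharingPolicy = { allowedAccountIds: ['234567890123'], allowedOrganizationId: 'o-1234567abc' };
console.log(auditLaunchPermission(samplePermission, samplePolicy));
```

Run against the page's example values, the only finding is the public one: the account and organization entries are within the sample policy, but `isPublicUserGroup: true` overrides that narrowing by opening the AMI to every account.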
