全てのリージョンの Allowed AMIs を AWS CLI で設定してみる
2025.03.02Amazon EC2 の Allowed AMIs 機能は、AWS Organizations 環境では宣言型ポリシーで全ての AWS アカウントの設定が一括で可能です。本ブログでは、AWS Organizations 環境ではない場合や宣言型ポリシーを利用できない場合を想定して、AWS CLI で単一の AWS アカウント内の全てのリージョンの Allowed AMIs 設定を試したため紹介します。
AWS CLI で Allowed AMIs を設定
Amazon EC2 の Allowed AMIs を同一 AWS アカウント内の有効な全てのリージョンに設定するコマンド例は下記です。本コマンドでは Audit Mode で設定しています。Audit Mode から有効化に変更するコマンドも後述しています。
echo '{
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-marketplace",
"aws-backup-vault",
"111122223333",
"444455556666"
]
}
]
}' > image-criteria.json
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Allowed AMIs settings in ${region}"
aws ec2 replace-image-criteria-in-allowed-images-settings \
--cli-input-json file://image-criteria.json \
--region ${region}
aws ec2 enable-allowed-images-settings \
--allowed-images-settings-state audit-mode \
--region ${region}
done
image-criteria.json の中身です。設定したい内容に応じて、上記コマンドの内容を変更する必要があります。
{
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-marketplace",
"aws-backup-vault",
"111122223333",
"444455556666"
]
}
]
}
実行結果例です。"ReturnValue": true は replace-image-criteria-in-allowed-images-settings の実行結果、"AllowedImagesSettingsState": "audit-mode" は enable-allowed-images-settings の実行結果です。
$ echo '{
> "ImageCriteria": [
> {
> "ImageProviders": [
> "amazon",
> "aws-marketplace",
> "aws-backup-vault",
> "111122223333",
> "444455556666"
> ]
> }
> ]
> }' > image-criteria.json
[cloudshell-user@ip-10-132-91-34 ~]$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Allowed AMIs settings in ${region}"
> aws ec2 replace-image-criteria-in-allowed-images-settings \
> --cli-input-json file://image-criteria.json \
> --region ${region}
> aws ec2 enable-allowed-images-settings \
> --allowed-images-settings-state audit-mode \
> --region ${region}
> done
### Allowed AMIs settings in ap-south-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in eu-north-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in eu-west-3
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in eu-west-2
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in eu-west-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ap-northeast-3
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ap-northeast-2
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ap-northeast-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ca-central-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in sa-east-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ap-southeast-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in ap-southeast-2
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in eu-central-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in us-east-1
{[c
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in us-east-2
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in us-west-1
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
### Allowed AMIs settings in us-west-2
{
"ReturnValue": true
}
{
"AllowedImagesSettingsState": "audit-mode"
}
実行後に、不要な場合は作成された image-criteria.json ファイルを削除します。なお、JSON ファイルを生成しない方法も補足情報に記載しているため参考にしていただければ幸いです。
rm image-criteria.json
マネジメントコンソール上で確認した設定内容は次のようになっていました。
次に、Autit Mode から有効化に切り替えるコマンド例です。
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Enable Allowed AMIs settings in ${region}"
aws ec2 enable-allowed-images-settings \
--allowed-images-settings-state enabled \
--region ${region}
done
実行結果例です。
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Enable Allowed AMIs settings in ${region}"
> aws ec2 enable-allowed-images-settings \
> --allowed-images-settings-state enabled \
> --region ${region}
> done
### Enable Allowed AMIs settings in ap-south-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in eu-north-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in eu-west-3
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in eu-west-2
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in eu-west-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ap-northeast-3
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ap-northeast-2
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ap-northeast-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ca-central-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in sa-east-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ap-southeast-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in ap-southeast-2
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in eu-central-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in us-east-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in us-east-2
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in us-west-1
{
"AllowedImagesSettingsState": "enabled"
}
### Enable Allowed AMIs settings in us-west-2
{
"AllowedImagesSettingsState": "enabled"
}
マネジメントコンソール上の設定画面です。有効に変更されていました。
さいごに、Allowed AMI を無効化するコマンド例です。
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Disable Allowed AMIs settings in ${region}"
aws ec2 disable-allowed-images-settings \
--region ${region}
done
実行結果例です。
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Disable Allowed AMIs settings in ${region}"
> aws ec2 disable-allowed-images-settings \
> --region ${region}
> done
### Disable Allowed AMIs settings in ap-south-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in eu-north-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in eu-west-3
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in eu-west-2
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in eu-west-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ap-northeast-3
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ap-northeast-2
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ap-northeast-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ca-central-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in sa-east-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ap-southeast-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in ap-southeast-2
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in eu-central-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in us-east-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in us-east-2
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in us-west-1
{
"AllowedImagesSettingsState": "disabled"
}
### Disable Allowed AMIs settings in us-west-2
{
"AllowedImagesSettingsState": "disabled"
}
マネジメントコンソール上の設定画面です。無効に変更されていました。
AWS CLI で Allowed AMIs の設定情報を取得
Allowed AMIs の現在の設定状況は get-allowed-images-settings コマンドで確認できます。
全てのリージョンの設定情報を取得するコマンド例です。
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Get Allowed AMIs settings in ${region}"
aws ec2 get-allowed-images-settings \
--region ${region}
done
実行結果例です。
$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
> echo "### Get Allowed AMIs settings in ${region}"
> aws ec2 get-allowed-images-settings \
> --region ${region}
> done
### Get Allowed AMIs settings in ap-south-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in eu-north-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in eu-west-3
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in eu-west-2
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in eu-west-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ap-northeast-3
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ap-northeast-2
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ap-northeast-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ca-central-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in sa-east-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ap-southeast-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in ap-southeast-2
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in eu-central-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in us-east-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in us-east-2
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in us-west-1
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
### Get Allowed AMIs settings in us-west-2
{
"State": "audit-mode",
"ImageCriteria": [
{
"ImageProviders": [
"amazon",
"aws-backup-vault",
"444455556666",
"aws-marketplace",
"111122223333"
]
}
],
"ManagedBy": "account"
}
補足情報
これまで紹介した内容では、次の AWS CLI コマンドを利用しています。
- enable-allowed-images-settings — AWS CLI 2.24.15 Command Reference
- disable-allowed-images-settings — AWS CLI 2.24.15 Command Reference
- replace-image-criteria-in-allowed-images-settings — AWS CLI 2.24.15 Command Reference
- get-allowed-images-settings — AWS CLI 2.24.15 Command Reference
また、AWS CLI による Allowed AMIs の設定は次のユーザーガイドのページも詳しく記載されているため参考になります。
- Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs - Amazon Elastic Compute Cloud
なお、replace-image-criteria-in-allowed-images-settings では JSON をインプットする代わりに次の構文を利用できます。わざわざ JSON を用意する必要がないためシンプルに設定できます。
aws ec2 replace-image-criteria-in-allowed-images-settings \
--image-criteria ImageProviders=amazon,aws-marketplace,aws-backup-vault,111122223333,444455556666
この構文を使い、冒頭の Audit Mode の設定と同様の内容を設定する場合は例えば次のようになります。
aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
echo "### Allowed AMIs settings in ${region}"
aws ec2 replace-image-criteria-in-allowed-images-settings \
--image-criteria ImageProviders=amazon,aws-marketplace,aws-backup-vault,111122223333,444455556666 \
--region ${region}
aws ec2 enable-allowed-images-settings \
--allowed-images-settings-state audit-mode \
--region ${region}
done
上記コマンド実行後にマネジメントコンソールで確認すると JSON に変換されていました。
さいごに
AWS Organizations 環境ではない場合や宣言型ポリシーを利用できない場合を想定して、AWS CLI で AWS アカウント内の全リージョンの Allowed AMIs を設定する例を試したため紹介しました。補足情報に記載したとおり、JSON を用いない構文で設定もできるため、利用しやすい方法で設定するのがよいと思います。
以上、このブログがどなたかのご参考になれば幸いです。
