What Is an AMI in AWS? Amazon Machine Images Explained for EC2

An AMI (Amazon Machine Image) is the template Amazon EC2 uses to launch instances. It defines the operating system, disk layout, launch permissions, and optionally pre-installed software. You can launch EC2 instances from the console, CLI, a Launch Template, or an Auto Scaling Group — all of them start from an AMI.

AMIs matter most when you need consistency at scale. A single well-built AMI lets you launch ten or ten thousand identical servers without repeating any setup step. That repeatability is what makes AMIs central to reliable deployments in AWS.

AMIs in plain English

You configure one server exactly the way you want: install the OS, apply patches, install your application and monitoring agents. Then you take a snapshot of that entire disk and register it as an AMI. From that point on, you can launch as many identical instances as you need without repeating any of those setup steps.

Concretely: an AMI stores a snapshot of the root EBS volume (the disk the OS runs from), plus metadata about the instance. That metadata includes architecture (x86_64 or arm64), virtualisation type, additional volume mappings, and who is allowed to use the image. When you launch an instance, AWS creates a fresh EBS volume from that snapshot and boots the instance from it. The original snapshot is never modified. Every instance gets its own copy.

Note

AMIs do not run. They are static templates. Only EC2 instances run. The AMI is the recipe; the instance is the dish.

Why AMIs matter

Without AMIs, every new EC2 instance would start as a blank OS installation. You would need to install your application, configure dependencies, and set up monitoring manually. That process is slow, error-prone, and does not scale.

AMIs solve this by letting you bake configuration into a reusable image. Launch a hundred instances from the same AMI and they all start identically. This is the foundation of reliable, repeatable deployments in AWS.

AMIs also unlock Auto Scaling Groups. When traffic spikes and AWS adds capacity automatically, it launches new instances from the configured AMI. If that AMI already has your application installed, new instances are healthy and serving traffic in under a minute. If they need to run a long installation script at boot, they join the fleet slowly and can fail mid-installation.

How AMIs work

Understanding the relationship between AMIs, EBS snapshots, and EC2 instances makes the whole system easier to reason about.

  1. You create an AMI from a configured EC2 instance. AWS takes a snapshot of the root EBS volume (and any additional volumes in the block device mapping) and registers the result as an AMI with its own ID such as ami-0abc12345def67890.
  2. You reference the AMI in a launch request, a Launch Template, or an Auto Scaling Group configuration.
  3. At launch time, AWS creates a fresh EBS volume from the AMI’s root snapshot, attaches it as the root device, and boots the instance. The underlying snapshot is never modified. Every new instance gets its own copy.
  4. The instance runs independently from the AMI. You can deregister the AMI without affecting running instances, and you can release a new AMI version without touching existing instances.

A few important properties:

  • Region-specific: An AMI lives in one region. To use it elsewhere, you must copy it. Copied AMIs get a different ID in the destination region. AMI IDs are never portable across regions.
  • Architecture-specific: An AMI built for x86_64 cannot run on Graviton (arm64) instances, and vice versa.
  • Block device mapping: An AMI can define multiple volumes, including a root volume and additional data volumes, all created automatically at launch.
  • Launch permissions: AMIs are private by default. You can share them with specific AWS accounts or make them public.

What an AMI contains

An AMI is made up of several components:

  • A root volume snapshot: A point-in-time EBS snapshot of the OS volume. This is the primary component. It is what gets stamped into a new EBS volume each time you launch an instance.
  • Launch permissions: Controls who can use the AMI. Options are public (anyone), private (your account only), or shared with specific AWS account IDs.
  • Block device mapping: Specifies what volumes to attach at launch, including the root volume and any additional EBS or instance store volumes, with their sizes and termination behaviour.
  • Architecture and virtualisation type: Whether the image is x86_64 or arm64, and whether it uses HVM (hardware virtual machine) virtualisation. Nearly all modern AMIs use HVM.

AMI vs EBS snapshot

AMIs and EBS snapshots are closely related but serve different purposes. An AMI references snapshots. It does not replace them.

DimensionAMIEBS Snapshot
PurposeLaunch template for EC2 instancesPoint-in-time backup of a single volume
What it containsSnapshot references, block device mapping, launch permissions, architectureCompressed incremental data from one EBS volume
Can launch an EC2 instance?Yes, directlyNo. Must be restored to a volume first, or used to register an AMI
Region portabilityRegion-specific; copy with copy-imageRegion-specific; copy with copy-snapshot
Typical use caseStandardised server templates, golden images, Auto Scaling sourceVolume backups, disaster recovery, volume migration

If you deregister an AMI, the underlying snapshots are not deleted automatically. You are still billed for snapshot storage until you delete them explicitly. See the cleanup steps in the deregistering section below.

EBS-backed vs instance store AMIs

The root volume type affects how the instance behaves when stopped or terminated.

EBS-backed AMIs (the standard)

The root volume is an EBS volume created fresh from the AMI snapshot at launch time. This means:

  • The instance can be stopped and started. The root volume persists.
  • You can take snapshots of the root volume at any time.
  • Boot time is typically 30–90 seconds.
  • The root volume can survive instance termination if DeleteOnTermination is disabled.

EBS-backed AMIs are the right choice for almost every workload.

Instance store AMIs (legacy)

The root volume lives on physical storage directly attached to the host. The instance cannot be stopped; it can only be rebooted or terminated. All data is lost on termination. Instance store root volumes are a legacy feature. Unless you have a specific reason to use them, and you almost certainly do not, use EBS-backed AMIs exclusively.

FeatureEBS-backedInstance store
Can stop/start?YesNo (terminate only)
Data persists on stop?YesNo
Can take snapshots?YesNo
Recommended?YesRarely

Public, private, and golden AMIs

AMIs have launch permissions that control who can use them. Teams often create a third category called the golden AMI for internal use.

Public AMIs

AWS and its partners publish thousands of public AMIs: official OS images from Amazon, Canonical (Ubuntu), Red Hat, and SUSE, as well as commercial images from the AWS Marketplace. Any AWS account can launch from a public AMI.

Security risk

Always check the owner account ID before using a community AMI. Official Amazon Linux AMIs are owned by account 137112412989. Canonical’s Ubuntu AMIs use owner ID 099720109477. AMIs from unknown accounts may contain modified software or backdoors.

Private AMIs

AMIs you create are private by default. Only your AWS account can use them. You can share a private AMI with specific AWS account IDs, or make it fully public. Sharing by account ID is common in large organisations where a platform team maintains a hardened base image that product teams build on top of.

Golden AMIs

A golden AMI is a private AMI your team builds and maintains as an approved starting point. It typically includes the OS, security patches, monitoring agents, and organisation-wide configuration — except application-specific code. Product teams launch instances from the golden AMI, layer their application on top, and optionally create a more specific AMI for their service.

When to use a custom AMI

Custom AMIs add real value in specific situations:

  • Auto Scaling fleets with complex software. If your application takes more than a minute to install and start, pre-bake it into an AMI. New instances join the fleet faster and cannot fail due to installation errors at boot time.
  • Consistent environments across dev, staging, and prod. Use the same AMI across all environments to eliminate environment-specific bugs. What you test is exactly what you deploy.
  • Multi-region deployments. Copy a single golden AMI to each region you operate in. Every region gets the same verified image rather than a separately built instance.
  • Disaster recovery. Pre-copy AMIs to your recovery region so you can launch instances immediately during an outage without rebuilding anything from scratch.
  • Image versioning and rollback. When you deploy a new version, build a new AMI and update your Launch Template. Rolling back to the previous version is just a matter of pointing the Launch Template at the old AMI ID.
  • Distributing a hardened base image. Platform teams can share a patched, security-configured AMI across all accounts in an AWS Organisation, ensuring every new instance starts from an approved baseline.

When not to create a custom AMI

A custom AMI is not always the right tool:

  • Simple, short configuration. If your EC2 user data script takes less than 60 seconds, a custom AMI adds pipeline complexity without meaningful benefit. A plain vendor AMI plus a lightweight bootstrap script is often simpler to maintain.
  • Containerised workloads. If you are running containers on ECS or EKS, your application lives in a container image, not an AMI. The EC2 node only needs to run the container runtime. AWS provides managed node AMIs for this.
  • Serverless workloads. Lambda, Fargate, and similar services abstract away the instance entirely. There is no AMI to manage.
  • Very frequent releases. If you ship multiple times per day and your image build pipeline cannot keep up, reconsider. A hybrid model using a pre-baked base AMI for the OS and runtime layer plus user data for the application layer can be a better fit than rebuilding the entire image on every deploy.

Creating your own AMI

Start with a running or stopped EC2 instance configured the way you want. Launch an instance from a base vendor AMI, install and validate your software, then run:

# Create an AMI from a running instance
aws ec2 create-image \
  --instance-id i-0abc12345def67890 \
  --name "myapp-v1.0-2026-04-01" \
  --description "Application server with Node.js 20 and app v1.0" \
  --no-reboot

The —no-reboot flag skips rebooting the instance before snapshotting. Without it, AWS reboots the instance first to ensure filesystem consistency. For most Linux workloads under light load, —no-reboot is fine. For production golden AMI builds, omit the flag and let AWS reboot. A consistent snapshot is worth the extra few minutes.

Wait for the AMI to reach the available state before using it:

aws ec2 wait image-available --image-ids ami-0abc12345def67890

List all your owned AMIs to confirm creation:

aws ec2 describe-images \
  --owners self \
  --query "Images[*].[ImageId,Name,State,CreationDate]" \
  --output table

AMI creation snapshots the root EBS volume and any additional volumes in the block device mapping. While snapshots are in progress, the AMI state shows as pending. Once all snapshots complete, it moves to available. Larger volumes take longer. A few minutes is typical.

For automated golden AMI builds, HashiCorp Packer is a popular choice. You define the build in a configuration file. Packer launches an instance, runs your provisioning steps, and creates the AMI automatically. This slots naturally into a CI/CD pipeline alongside the Launch Templates that reference the resulting AMI.

Note

Tag your AMIs with version numbers and build dates. A naming convention like myapp-v2.4.1-2026-04-01 makes it easy to identify the current version and audit what you have. Use aws ec2 describe-images —owners self regularly to find AMIs ready for cleanup.

Golden AMI vs user data scripts

Both golden AMIs and EC2 user data scripts configure EC2 instances, but they operate at different points in the lifecycle and suit different needs.

DimensionGolden AMIUser data script
When software is installedAt AMI build time, before any instance launchesAt first boot, adding to launch time
Launch speedFast. Application ready within seconds of bootSlower. Depends on script duration
Failure modesBuild-time failures, caught before deploymentBoot-time failures, can fail silently on live instances
Update frequencyRequires a new image build per changeScript changes apply immediately to new instances
Best forComplex stacks, Auto Scaling, consistent production fleetsLightweight setup, environment-specific config, injecting runtime secrets
Production pattern

Use a golden AMI for the OS, runtime, and monitoring layer, then use a short user data script to inject environment-specific values such as a database endpoint from AWS Secrets Manager at boot. You get fast, consistent launches without baking environment-specific values into the image itself.

Copying, sharing, and deregistering AMIs

Copying to another region

To use an AMI in a different region for multi-region deployments or disaster recovery, copy it explicitly:

aws ec2 copy-image \
  --source-region us-east-1 \
  --source-image-id ami-0abc12345def67890 \
  --region eu-west-1 \
  --name "myapp-v1.0-eu-copy"

The copy process duplicates the underlying snapshots into the destination region. You will be billed for snapshot storage in both regions until you clean up old copies.

Sharing with another AWS account

To share a private AMI with a specific account without making it public:

aws ec2 modify-image-attribute \
  --image-id ami-0abc12345def67890 \
  --launch-permission "Add=[{UserId=123456789012}]"

Deregistering and cleaning up

When you no longer need an AMI, clean it up in three steps. Retrieve the snapshot IDs first. After deregistering, that association is gone.

# Step 1: Get the snapshot IDs from the AMI's block device mapping
SNAPSHOT_IDS=$(aws ec2 describe-images \
  --image-ids ami-0abc12345def67890 \
  --query "Images[0].BlockDeviceMappings[*].Ebs.SnapshotId" \
  --output text)

# Step 2: Deregister the AMI
aws ec2 deregister-image --image-id ami-0abc12345def67890

# Step 3: Delete the associated snapshots
for SNAPSHOT_ID in $SNAPSHOT_IDS; do
  aws ec2 delete-snapshot --snapshot-id "$SNAPSHOT_ID"
done
Watch out

Deregistering an AMI does not delete the underlying EBS snapshots. You are still billed for snapshot storage until you delete them explicitly. Always retrieve snapshot IDs from the block device mapping before deregistering the AMI. The association is gone once deregistration completes.

Common mistakes

  1. Hardcoding AMI IDs in infrastructure code. AMI IDs are region-specific and change when new versions are released. Use SSM Parameter Store or a name filter to look up the current AMI ID dynamically rather than hardcoding it.
  2. Using untrusted public AMIs. Always check the owner account ID before using a community AMI. Unknown owners may distribute AMIs containing malware or backdoors. Stick to AMIs published by AWS or known vendors.
  3. Baking secrets into AMIs. If you create an AMI from an instance that had credentials, private keys, or environment variables with secrets, those values are frozen into the image. Scrub all secrets before creating an AMI, and deliver them at runtime using AWS Secrets Manager or Parameter Store instead.
  4. Not cleaning up old AMIs and snapshots. Each AMI’s underlying snapshots cost money. Deregister AMIs you no longer use and delete their snapshots. A regular audit cadence prevents runaway storage costs.
  5. Running long user data scripts instead of golden AMIs for Auto Scaling. If your script takes 5–10 minutes, new instances scale slowly and can fail mid-installation. Pre-bake the application layer into the AMI to keep launches fast and reliable.
  6. Forgetting to update the Launch Template after building a new AMI. Building a new AMI and not updating the Launch Template means your Auto Scaling Group keeps launching the old version. Automate the AMI ID update as part of your build pipeline.

Frequently asked questions

What is an AMI in AWS?

An AMI (Amazon Machine Image) is a template that defines everything needed to launch an EC2 instance: the operating system, disk layout, pre-installed software, and launch permissions. Every EC2 instance starts from an AMI.

Can I create my own AMI?

Yes. You can create an AMI from any running or stopped EC2 instance using the AWS Console or CLI. AWS takes a snapshot of the root EBS volume and registers it as a reusable image. Any instance launched from that AMI starts with the same OS and software already in place.

Are AMIs region-specific?

Yes. An AMI exists in one AWS region. To use it in another region, you must copy it using aws ec2 copy-image. The copy gets a new AMI ID in the destination region. AMI IDs are never portable across regions.

What is the difference between an AMI and an EBS snapshot?

An EBS snapshot is a point-in-time backup of a single volume. An AMI is a launch template that references one or more snapshots, defines block device mappings, and includes launch permissions. You can launch an EC2 instance from an AMI, but not directly from a snapshot alone.

Do I need a custom AMI for every EC2 instance?

No. For simple workloads, a standard AWS or vendor AMI plus a short EC2 user data script is often enough. Custom AMIs become valuable when you have complex software stacks, need fast Auto Scaling launches, or want consistent, pre-validated environments.

Last verified: 1 April 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.