Deregister (delete) an AMI
When you deregister an AMI, Amazon EC2 permanently deletes it. Once deregistered, you can't use
the AMI to launch new instances. You might consider deregistering an AMI when you have finished
using it.
To protect against accidental or malicious deregistering of an AMI, you can turn on deregistration protection. If you accidentally
deregister an EBS-backed AMI, you can use the Recycle Bin to
restore it only if you restore it within the allowed time period before it is permanently
deleted.
Deregistering an AMI has no effect on any instances that were launched from the AMI. You can
continue to use these instances. Deregistering an AMI also has no effect on any snapshots that
were created during the AMI creation process. You'll continue to incur usage costs for these
instances and storage costs for the snapshots. Therefore, to avoid incurring unnecessary costs,
we recommend that you terminate any instances and delete any snapshots that you do not need. For
more information, see Avoid costs from unused
resources.
Considerations
-
You can't deregister an AMI that is not owned by your account.
-
You can't use Amazon EC2 to deregister an AMI that is managed by the AWS Backup service.
Instead, use AWS Backup to delete the corresponding recovery points in the backup vault. For
more information, see Deleting backups in the
AWS Backup Developer Guide.
Deregister an AMI
Use any of the following methods to deregister an EBS-backed AMI or instance store-backed
AMI.
To avoid incurring unnecessary costs, you should delete any resources that you do not
need. For example, for EBS-backed AMIs, if you do not need the snapshots associated with the
deregistered AMI, you should delete them. For more information, see Avoid costs from unused
resources.
- Console
-
To deregister an AMI
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the navigation pane, choose AMIs.
-
From the filter bar, choose Owned by me to list your
available AMIs, or choose Disabled images to list your disabled
AMIs.
-
Select the AMI to deregister.
-
Choose Actions, Deregister AMI.
-
When you are prompted for confirmation, choose Deregister
AMI.
It might take a few minutes before the console removes the AMI from the list.
Choose Refresh to refresh the status.
- AWS CLI
-
To deregister an AMI
Use the deregister-image command and specify the ID of the AMI to
deregister.
aws ec2 deregister-image --image-id ami-0123456789example
- Powershell
-
To deregister an AMI
Use the Unregister-EC2Image cmdlet and specify the ID of the AMI to
deregister.
Unregister-EC2Image -ImageId ami-0123456789example
Check when an AMI was last used
LastLaunchedTime
is a timestamp that indicates when your AMI was last used to
launch an instance. AMIs that have not been used recently to launch an instance might be good
candidates for deregistering or deprecation.
-
When the AMI is used to launch an instance, there is a 24-hour delay before that
usage is reported.
-
lastLaunchedTime
data is available starting April 2017.
- Console
-
To view the last launched time of an AMI
-
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the left navigation pane, choose AMIs.
-
From the filter bar, choose Owned by me.
-
Select the AMI, and then check the Last launched time field
(if you selected the check box next to the AMI, it's located on the
Details tab). The field shows the date and time when the AMI
was last used to launch an instance.
- AWS CLI
-
You can use either the describe-images or describe-image-attribute command to view the last launched time of an
AMI.
To view the last launched time of an AMI by using describe-images
Use the describe-images command
and specify the ID of the AMI.
aws ec2 describe-images --image-id ami-0123456789example
Example output
The LastLaunchedTime
field only appears in the output for AMIs that
you own.
{
"Images": [
{
...
"LastLaunchedTime": {
"Value": "2024-04-02T02:03:18Z"
},
...
}
]
}
To view the last launched time of an AMI
Use the describe-image-attribute command and specify --attribute
lastLaunchedTime
. You must be owner of the AMI to run this command.
aws ec2 describe-image-attribute \
--image-id ami-0123456789example
\
--attribute lastLaunchedTime
Example output
{
"ImageId": "ami-1234567890example",
"LastLaunchedTime": {
"Value": "2022-02-10T02:03:18Z"
}
}
Protect an AMI from deregistration
You can turn on deregistration protection on an AMI to
prevent accidental or malicious deletion. When you turn on deregistration protection, the AMI
can’t be deregistered by any user, regardless of their IAM permissions. If you want to
deregister the AMI, you must first turn off the deregistration protection on it.
When you turn on deregistration protection on an AMI, you have the option to include a
24-hour cooldown period. This cooldown period is the time during which deregistration
protection remains in effect after you turn it off. During this cooldown period, the AMI can’t
be deregistered. When the cooldown period ends, the AMI can be deregistered.
Deregistration protection is turned off by default on all existing and new AMIs.
Turn on deregistration protection
Use any of the following methods to turn on deregistration protection on an AMI. To do
this, you must be the owner of the AMI.
- Console
-
To turn on deregistration protection on an AMI
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the navigation pane, choose AMIs.
-
From the filter bar, choose Owned by me to list your
available AMIs, or choose Disabled images to list your
disabled AMIs.
-
Select the AMI on which you want to turn on deregistration protection, and
then choose Actions, Manage AMI deregistration
protection.
-
In the Manage AMI deregistration protection dialog box,
you can turn on deregistration protection with or without a cooldown period.
Choose one of the following options:
-
Enable with a 24-hour cooldown period – With a
cooldown period, the AMI can’t be deregistered for 24 hours when
deregistration protection is turned off.
-
Enable without cooldown – Without a cooldown
period, the AMI can be deregistered immediately when deregistration protection
is turned off.
-
Choose Save.
- AWS CLI
-
To turn on deregistration protection on an AMI
Use the enable-image-deregistration-protection command and specify the AMI ID. To
include the optional 24-hour cooldown period, include --with-cooldown
set to true
. To exclude the cooldown period, omit the
--with-cooldown
parameter.
aws ec2 enable-image-deregistration-protection \
--image-id ami-0123456789example
\
--with-cooldown true
Turn off deregistration
protection
Use any of the following methods to turn off deregistration protection on an AMI. To do
this, you must be the owner of the AMI.
If you chose to include a 24-hour cooldown period when you turned on deregistration
protection for the AMI, then, when you turn off deregistration protection, you won’t
immediately be able to deregister the AMI. The cooldown period is the 24-hour time period
during which deregistration protection remains in effect even after you turn it off.
During this cooldown period, the AMI can’t be deregistered. After the cooldown period
ends, the AMI can be deregistered.
- Console
-
To turn off deregistration protection on an AMI
Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
-
In the navigation pane, choose AMIs.
-
From the filter bar, choose Owned by me to list your
available AMIs, or choose Disabled images to list your
disabled AMIs.
-
Select the AMI to turn off deregistration protection, and then choose
Actions, Manage AMI deregistration
protection.
-
In the Manage AMI deregistration protection dialog box,
choose Disable.
-
Choose Save.
- AWS CLI
-
To turn off deregistration protection on an AMI
Use the disable-image-deregistration-protection command and specify the AMI
ID.
aws ec2 disable-image-deregistration-protection --image-id ami-0123456789example
Avoid costs from unused
resources
When you deregister an AMI, you don't delete the resources that are associated with the
AMI. These resources include the snapshots for EBS-backed AMIs and the files in Amazon S3 for
instance store-backed AMIs. When you deregister an AMI, you also don't terminate or stop any
instances launched from the AMI.
You will continue to incur costs for storing the snapshots and files, and you will incur
costs for any running instances.
To avoid incurring these types of unnecessary costs, we recommend deleting any resources
that you don't need.
Delete resources associated with your AMI
Use any of the following methods to delete the resources associated with your EBS-backed
AMI.
- Console
-
To delete resources associated with your EBS-backed AMI
-
Deregister the AMI.
Note the AMI ID—this can help you find the snapshots to delete in the
next step.
-
Delete
snapshots that you don't need.
The ID of the associated AMI is displayed in the
Description column on the Snapshots
screen.
-
Terminate instances that you
don't need.
- AWS CLI
-
To delete resources associated with your EBS-backed AMI
-
Deregister the AMI by using the deregister-image
command.
aws ec2 deregister-image --image-id ami-0123456789example
-
Delete snapshots that you don't need by using the delete-snapshot
command.
aws ec2 delete-snapshot --snapshot-id snap-0123456789example
-
Terminate instances that you don't need by using the terminate-instances
command.
aws ec2 terminate-instances --instance-ids i-0123456789example
- PowerShell
-
To delete resources associated with your EBS-backed AMI
-
Deregister the AMI by using the Unregister-EC2Image
cmdlet.
Unregister-EC2Image -ImageId ami-0123456789example
-
Delete snapshots that you don't need by using the Remove-EC2Snapshot
cmdlet.
Remove-EC2Snapshot -SnapshotId snap-0123456789example
-
Terminate instances that you don't need by using the Remove-EC2Instance
cmdlet.
Remove-EC2Instance -InstanceId i-0123456789example
The following diagram illustrates the flow for you to delete resources associated with
an EBS-backed AMI.