
Unused Amazon Machine Images

Cost optimisation

Find any unused Amazon Machine Images available in your AWS account and remove them in order to lower the cost of your monthly AWS bill. The AMI removal/cleanup process consists of two steps: 1) deregister the unused image and 2) delete the snapshot associated with it.

This rule resolution is part of the Cloud Conformity Cost Optimisation Package

The AMIs created in your AWS account add charges to your monthly bill, regardless of whether they are being used or not. Many AWS customers deregister their images but forget to delete the AMI snapshots, and therefore continue to incur storage costs. Cloud Conformity recommends implementing the two-step cleanup process shown in the Remediation/Resolution section in order to avoid any unexpected charges on your AWS bill.

Audit

To identify any unused EC2 AMIs within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to examine.

05 Select the Details tab from the dashboard bottom panel and copy the AMI ID value (e.g. ami-15728c78) from the left column.

06 In the left navigation panel, under INSTANCES section, choose Instances.

07 Click inside the EC2 attributes filter box located under the dashboard top menu and select Image ID from the dropdown list.

08 Paste the AMI ID copied at step no. 5 into the EC2 attributes filter box as the Image ID input value and press Enter. If the filter returns one or more EC2 instances as search results, the selected AMI is currently in use. If the filter does not return any results, the selected AMI is not used anymore and can be safely removed from your AWS account.

09 Repeat steps no. 4 – 8 to identify any other unused AMIs available in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom filtering to list the IDs of all Amazon Machine Images (AMIs) currently available in the selected region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return the AMI IDs requested:

	------------------
	| DescribeImages |
	+----------------+
	|  ami-15728c78  |
	|  ami-3f708e52  |
	+----------------+

03 Run describe-instances command (OSX/Linux/UNIX) using each image ID returned at the previous step as filter parameter to return the existing EC2 instance(s) launched from the specified AMI:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=image-id,Values=ami-15728c78"

04 The command output should return the metadata for the EC2 instance(s) that match the filter criteria. If the output contains the metadata for one or more EC2 instances, the selected AMI is currently in use. If the command output is just an empty array (as shown in the example below), the selected AMI is not used anymore and can be safely removed:

{
	"Reservations": []
}

05 Repeat steps no. 3 and 4 to identify any other unused AMIs available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for the other AWS regions.
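The audit steps above as a single script: an added example, not part of the original page. The function names `ami_in_use` and `unused_amis` are assumptions of this sketch; a failed lookup is reported separately so that an API or permissions error is never mistaken for "unused".

```shell
#!/bin/sh
# Added example, not from the original page.

# ami_in_use REGION AMI_ID
# Exit 0: at least one instance (running or stopped) was launched from the AMI.
# Exit 1: no instance references it. Exit 2: the lookup itself failed.
ami_in_use() {
    ids=$(aws ec2 describe-instances --region "$1" \
        --filters "Name=image-id,Values=$2" \
        --query 'Reservations[].Instances[].InstanceId' \
        --output text) || return 2
    [ -n "$ids" ] && [ "$ids" != "None" ]
}

# unused_amis REGION...
# Prints "REGION AMI_ID" for every self-owned AMI with no instances.
unused_amis() {
    for region in "$@"; do
        amis=$(aws ec2 describe-images --region "$region" --owners self \
            --query 'Images[*].ImageId' --output text) || {
            echo "cannot list AMIs in $region, skipping" >&2
            continue
        }
        for ami in $amis; do
            rc=0
            ami_in_use "$region" "$ami" || rc=$?
            case $rc in
                0) ;;                                     # in use, keep it
                1) printf '%s %s\n' "$region" "$ami" ;;   # removal candidate
                *) echo "lookup failed for $ami in $region, not reported" >&2 ;;
            esac
        done
    done
}

# Every enabled region (step 06):
#   unused_amis $(aws ec2 describe-regions \
#       --query 'Regions[].RegionName' --output text)
```

An AMI with no instances may still be referenced by a launch template or an Auto Scaling launch configuration, so check those before removing it.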

Remediation / Resolution

To remove any unused Amazon Machine Images (AMIs) available within your account, you need to deregister the image and then delete the associated snapshot. To implement the removal process, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the unused image that you want to remove.

05 Select the Details tab from the dashboard bottom panel and copy the image snapshot ID (e.g. snap-d370f8ce) displayed within the Block Devices parameter value.

06 Click the Actions dropdown button from the dashboard top menu and select Deregister.

07 In the Deregister dialog box, review the image details then click Continue to submit the changes.

08 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

09 Paste the image snapshot ID copied at step no. 5 into EC2 snapshots attributes filter box and press Enter.

10 Select the snapshot(s) returned as search results (image snapshots that match the filter criteria).

11 Click the Actions dropdown button from the dashboard top menu and select Delete.

12 In the Delete Snapshot dialog box, review the details then click Yes, Delete to confirm the action.

13 Repeat steps no. 4 – 12 to remove other unused AMIs available in the current region.

14 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) using the ID of the unused AMI (see the Audit section for getting the unused AMIs metadata) as identifier to return the ID of the EBS snapshot associated with the selected image:

aws ec2 describe-images \
	--region us-east-1 \
	--image-ids ami-3f708e52 \
	--query 'Images[*].BlockDeviceMappings[*].Ebs.SnapshotId'

02 The command output should return the ID of the EBS snapshot associated with the AMI:

[
    [
        "snap-1a7aa86d"
    ]
]

03 Once you have identified the AMI snapshot ID, run deregister-image command (OSX/Linux/UNIX) using the image ID as identifier to deregister the selected AMI (the command does not produce an output):

aws ec2 deregister-image \
	--region us-east-1 \
	--image-id ami-3f708e52

04 Finally, run delete-snapshot command (OSX/Linux/UNIX) using the ID returned at step no. 2 as identifier, to complete the removal/cleanup process by deleting the snapshot associated with the selected image (if successful, the command does not return an output):

aws ec2 delete-snapshot \
	--region us-east-1 \
	--snapshot-id snap-1a7aa86d

05 Repeat steps no. 1 – 4 to remove other unused AMIs available in the current region.

06 Repeat the entire removal/cleanup process for the other AWS regions.
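The two-step cleanup above as one function, handling an AMI backed by several snapshots: an added example, not part of the original page. The function name `remove_ami` and the `DRY_RUN` switch are assumptions of this sketch; `DRY_RUN` is not an AWS CLI option and defaults to 1 (print only).

```shell
#!/bin/sh
# Added example, not from the original page. DRY_RUN is this script's own
# switch (an assumption); set DRY_RUN=0 to actually remove resources.

# remove_ami REGION AMI_ID
# Deregisters the AMI, then deletes every EBS snapshot that backed it.
remove_ami() {
    region=$1
    ami=$2
    # Steps 01-02: read the snapshot IDs while the image is still registered.
    # An AMI can have several EBS volumes, so expect more than one ID.
    snaps=$(aws ec2 describe-images --region "$region" --image-ids "$ami" \
        --query 'Images[].BlockDeviceMappings[].Ebs.SnapshotId' \
        --output text) || return 1

    # Step 03: deregister first; a snapshot still used by a registered AMI
    # cannot be deleted.
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would deregister $ami"
    else
        aws ec2 deregister-image --region "$region" --image-id "$ami" || return 1
    fi

    # Step 04: delete each snapshot; keep going on failure and report it.
    failed=0
    for snap in $snaps; do
        case $snap in
            snap-*) ;;
            *) continue ;;            # skip anything that is not a snapshot ID
        esac
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would delete $snap"
        elif ! aws ec2 delete-snapshot --region "$region" --snapshot-id "$snap"; then
            echo "could not delete $snap (left behind, still billed)" >&2
            failed=1
        fi
    done
    return "$failed"
}
```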

Publication date Jun 7, 2016