Amazon EC2 announces AMI Watermarks for improved AMI governance
Amazon EC2 introduces AMI Watermarks, letting you embed sticky identifiers in your private AMIs. Once applied, a watermark automatically carries forward to every AMI derived from the original, whether you copy it across regions, create a new AMI from a running instance, or store and restore it. Watermarks also remain visible when you share an AMI with other accounts. This helps you identify trusted AMIs, track provenance, and enforce governance policies across your organization.
Each watermark includes metadata such as the AMI ID, owner ID, region, and creation timestamps, providing reliable provenance that persists regardless of how many times an AMI is copied or new AMIs are created from it. AMI Watermarks improve AMI tracking by enabling you to filter and find related AMIs across your accounts. For governance, you can combine watermarks with Allowed AMIs to restrict instance launches to only AMIs carrying approved watermarks, then enforce that policy at scale across your organization through Declarative Policies.
You can start adding AMI watermarks to your private AMIs by using the Amazon Web Services Management Console, Amazon CLI, or SDKs. To learn more, please visit the documentation. You can also attach watermarks through EC2 Image Builder, a service used to create and manage AMIs, as part of your AMI build pipeline.
This capability is available to all customers at no additional cost, and is available in enabled in all Amazon Web Services Regions, including Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD.