Merge pull request #96 from ivancasco/feat/block-public-ami-access

Account wide AMI public block

Author: jplock

src/regional/account_setup/lambda_handler.py

@@ -61,6 +61,9 @@ def handler(event: Dict[str, Any], context: LambdaContext) -> None:
     logger.info(f"Enabling snapshot block public access in {region_name} in {account_id}")
     ec2.enable_snapshot_block_public_access()
 
+    logger.info(f"Enabling AMI block public access in {region_name} in {account_id}")
+    ec2.enable_ami_block_public_access()
+
     logger.info(f"Setting default ECS settings in {region_name} in {account_id}")
     ecs = ECS(assumed_session, region_name)
     ecs.put_account_setting_default()

src/regional/account_setup/resources/ec2.py

@@ -110,3 +110,9 @@ def enable_snapshot_block_public_access(self) -> None:
             self.client.enable_snapshot_block_public_access(State="block-all-sharing")
         except botocore.exceptions.ClientError:
             logger.exception(f"Unable to enable snapshot block public access in {self.region}")
+
+    def enable_ami_block_public_access(self) -> None:
+        try:
+            self.client.enable_image_block_public_access(ImageBlockPublicAccessState="block-new-sharing")
+        except botocore.exceptions.ClientError:
+            logger.exception(f"Unable to enable AMI block public access in {self.region_name}")