AWS Marketplace

Announcing the Golden AMI Pipeline

Today, I’m happy to announce that the golden AMI pipeline sample configuration is now available. Many AWS customers I work with are taking concrete steps to mature their cloud processes. These AWS customers have already identified and agreed upon a set of best practices they want to follow. One such practice is to set up a process to create golden Amazon Machine Images (AMIs). A golden AMI is an AMI that you standardize through configuration, consistent security patching, and hardening. It also contains agents you approve for logging, security, performance monitoring, etc. Customers have also expressed desire to establish repeatable processes to:

  1. Distribute the golden AMI(s) to their business units.
  2. Continuously assess the security posture of all active golden AMIs.
  3. Decommission golden AMIs once obsolete.

Note

This sample configuration assumes that a golden AMI you want to create is a:

  1. Standardized golden OS-AMI that you want to distribute to accounts or line of businesses (LOBs) in your organization for consumption:
    1. For general use like a bastion host.
    2. As an input base AMI for creating a standardized application specific golden AMI.
  2. Or is a standardized application specific golden AMI you want to let your business unit(s)/users deploy in their environment.

Moreover, customers have been looking for recommendations and best practices on how to leverage existing AWS services to set up a pipeline to manage the lifecycle of golden AMIs.

The golden AMI pipeline sample configuration is now available in the following GitHub repository under Amazon Software License.

GitHub Repositoryhttps://github.com/aws-samples/aws-golden-ami-pipeline-sample

The repository contains a read-me guide that includes step-by-step instructions and CloudFormation templates required to set up a golden AMI pipeline that allows you to create, distribute across accounts, regularly assess, and decommission golden AMIs.

About the golden AMI pipeline

The golden AMI pipeline enables creation, distribution, verification, launch-compliance, and decommissioning of the golden AMI out of the box. The following diagram highlights the high-level workflow.

Golden AMI pipeline

Once you create a golden AMI for a product (a product can be a standardized OS-AMI that you want to distribute to accounts in your organization or an application specific AMI you want to let your business unit(s) deploy in their environment), you can validate whether the AMI meets your expectations, and choose to approve or reject the AMI. If you reject a golden AMI, the golden AMI pipeline provides you an AWS Systems manager automation you can execute to decommission the golden AMI version completely. If you choose to approve the AMI as a golden AMI, it gets registered as active and is regularly inspected by the continuous vulnerability assessment process. As a Cloud Center of Excellence (CCOE) team you can then choose to distribute the approved golden AMI to your business units based in other AWS accounts. Many compliance aware AWS customers I work with also want a compliance check set up to track non-golden AMI launches, which can be achieved via an AWS Config rule set up by the golden AMI pipeline.

It is a standard DevOps best practice to establish golden AMIs (and the resulting running instances) as immutable objects and to manage any changes through a standard pipeline. Golden AMI pipeline follows the same best practice and enables the requirement of patching by allowing you to decommission an affected golden AMI version and creating a new one. Also, over time, a golden AMI version becomes obsolete. You can decommission the version by executing an automation set up by the pipeline.

Here is an architecture diagram of the golden AMI creation process:

Golden AMI creation process architecture diagram

For more information on how a golden AMI is created by the pipeline, see the read-me guide available in the GitHub repository.

How do I deploy the sample golden AMI pipeline?

The repository contains sample CloudFormation (CFN) templates and a read-me guide. You can use the CloudFormation Templates to set up the pipeline, however, instructions on how and where to execute these CloudFormation templates are available in the read-me guide. The read-me guide is a detailed step-by-step instruction guide, which contains instructions to:

  1. Set up the pipeline infrastructure in the master account. Note that If you are using AWS organizations, this is not the master-payer account. It is an account that your Cloud Center Of Excellence (CCOE) team has identified as the master account.
  2. Test the golden AMI pipeline. As part of the test, you would:
  3. Create a golden AMI version (a product can have multiple golden AMI versions) you approve of. You can use your private AMI/Amazon-owned AMI/AWS Marketplace-based AMI as the source AMI.
    1. Distribute the golden AMI version to one or more accounts using AWS Lambda and AWS Systems Manager.
    2. Check if non-golden AMI launches are flagged as non-compliance via an AWS Config rule.
    3. Launch an EC2 instance from the golden AMI in a governed manner in the child account using AWS Service Catalog.
    4. Perform continuous security assessment of all active golden AMIs using Amazon Inspector.
    5. Decommission a golden AMI version.

Important Notes

Conclusion

Golden AMI pipeline provides an out-of-the-box solution for building, distributing, and managing golden AMIs at enterprise level. It is compatible with single as well as multi-account based golden AMI distribution requirements and can be extended to meet specific requirements.

If you have questions about implementing the solution described in this post, please contact AWS Support.

About the Author

Kanchan WaikarKanchan Waikar is an AWS Marketplace Solutions Architect at Amazon Web Services. She enjoys helping customers build architectures using AWS, AWS Marketplace products, and AWS Service Catalog.