AWS Marketplace
Creating AWS Marketplace components with EC2 Image Builder and Amazon Q
At AWS re:Invent 2024, AWS Marketplace introduced an integration with EC2 Image Builder. This feature enables Independent Software Vendors (ISVs) to deliver Amazon Machine Image (AMI) products in AWS Marketplace using EC2 Image Builder components. The integration helps increase customer adoption by providing a new delivery method and expands product visibility in the EC2 Image Builder console. ISVs can now create and package software components into their AMI-based products using EC2 Image Builder.
To further support ISVs, AWS provides intelligent assistance through Amazon Q, which integrates with the Amazon EC2 Image Builder Management Console to deliver real-time, contextual code suggestions while you write YAML documents for Image Builder components. This helps speed up the definition of build and test phases, input parameters, and metadata, while reducing syntax and logical errors. For parameter management, Amazon Q suggests best practices for structuring input parameters, helping you create configurable and reusable components that work across different customer environments. During development, Amazon Q’s validation features identify schema and compliance issues early, shortening debugging cycles and helping components meet AWS Marketplace requirements.
This post shows how AWS Marketplace sellers can use EC2 Image Builder and Amazon Q to simplify creating AMI-based products. You’ll learn two approaches: using existing components and creating custom components with AI assistance. This guide will help you improve your product development process and build secure AMIs for AWS Marketplace.
Prerequisites
- To enable Amazon Q integration with Amazon EC2 Image Builder, proper AWS Identity and Access Management (IAM) permissions must be configured in your AWS account. For detailed implementation steps and policy examples, refer to the “Allow users to chat about resources with Amazon Q” section in the documentation.
- Complete the Amazon EC2 Image Builder Marketplace component onboarding process.
- Set up your resources in the US East (N. Virginia) Region:
  - Component and dependencies
  - Amazon S3 buckets
  - AWS Secrets Manager entries
  - Parameter Store keys
Solution overview
This guide shows you how to create EC2 Image Builder components using two approaches:
- Customize an existing component
  - Start with an Amazon-managed Quick Start component
  - Use Amazon Q to modify it for your software
- Build a new component
  - Generate compliance-aligned YAML using Amazon Q
  - Add parameters and validate AWS Marketplace requirements in Amazon EC2 Image Builder Management Console
Amazon Q helps streamline these workflows by providing contextual suggestions for common tasks, such as:
- Using AWSTOE actions like S3Download and ExecuteBash
- Implementing security features like SecureString parameter retrieval from AWS Systems Manager Parameter Store
Feature | Without Amazon Q | With Amazon Q |
YAML Creation | Write YAML manually with schema validation required | Generate validated YAML templates automatically |
Implementation Guidance | Reference documentation for recommended patterns | Receive contextual suggestions for AWSTOE actions |
AWS Marketplace Requirements | Check requirements across multiple guides | Get real-time validation and guidance |
Security Configuration | Configure Parameter Store and Secrets Manager using AWS CLI | Use integrated SecureString and Secrets Manager features |
Test Configuration | Set up pipeline and validation steps manually | Create test-ready configurations with guided setup |
Operating System Support | Create separate configurations for each OS | Create unified configurations with OS-specific logic |
IAM Permissions | Author IAM policies manually | Generate IAM policies for AWS Marketplace integration |
Development Process | Iterative development with manual validation | Streamlined development with integrated validation |
Figure 1: Component Creation Workflows With and Without Amazon Q.
Limitations and testing
While Amazon Q accelerates YAML authoring and validates documents against known schemas, it’s important to understand that this validation is static. Amazon Q checks for structural accuracy, syntax, and common best practices, but it does not execute your component to verify real-world behavior.
In practice, this means:
- Schema-only checks: Amazon Q helps align your YAML with EC2 Image Builder and AWSTOE schema rules but does not confirm that all actions will succeed during a build.
- Action hallucinations: Depending on the prompt, Amazon Q may suggest actions, parameters, or syntax that do not exist in AWSTOE. Always cross-check with the official AWSTOE documentation.
- No runtime verification: Security configuration steps, IAM policies, or OS-specific logic may pass Amazon Q’s validation but still fail at runtime due to missing permissions, misconfigured resources, or unsupported operating systems.
- Marketplace compliance is partial: Amazon Q helps you include required metadata and parameters but cannot guarantee that your component will pass AWS Marketplace automated or manual review.
Best practice: After generating or modifying a component with Amazon Q, run it through a full EC2 Image Builder pipeline test in your target Region(s) and OS configurations. Validate security-sensitive steps—such as AWS Secrets Manager retrieval or SecureString parameter use—under real conditions before submitting your component to AWS Marketplace.
Creating a custom component from an existing template
As an AWS Marketplace seller, you can save time by customizing an existing EC2 Image Builder component. You can modify an Amazon-managed Quick Start component to match your software requirements. To create a custom component from an existing template:
- Open the EC2 Image Builder console.
- In the navigation pane, under Saved resources, choose Components.
- From the Filter owner dropdown menu, select Quick start (Amazon-managed).
Figure 2: Available EC2 Image Builder Components
- To find a specific component:
  - Use the search bar labeled “Find components by name”
  - Enter keywords (for example, “cloudwatch” for amazon-cloudwatch-agent-linux)
- Select your desired component.
- In the Content section:
  - Review the component YAML
  - Copy the YAML content
  - Modify the YAML for your requirements
Figure 3: CloudWatch Agent Component YAML Configuration
You can use this custom component in your AMI build pipeline using EC2 Image Builder.
Creating components with Amazon Q
When preparing components for AWS Marketplace, you need to address several key requirements. If your software requires sensitive credentials or configuration values, your components must securely retrieve them using AWS Systems Manager Parameter Store or AWS Secrets Manager. They should include default parameter values to pass AWS Marketplace validation. For reliable software installation, use AWSTOE actions like S3Download to retrieve assets consistently. Before submission, fully test your components in the US East (N. Virginia) Region. To reach more customers, consider making your components compatible with multiple operating systems.
Amazon Q can help you meet these requirements by generating appropriate YAML configurations. When you need to create a component that downloads files from Amazon S3, you can ask Amazon Q to create a Linux component that uses the S3Download action (for assets stored in Amazon S3). Alternatively, ISVs who host their software outside of S3 can ask for the WebDownload action. Both actions retrieve assets consistently. Your prompt might ask for a component that downloads from a static path in the us-east-1 Region, saves files to a specific directory, and includes validation steps to confirm successful installation.
- Open the EC2 Image Builder console.
- In the navigation pane, choose Components.
- Choose Create component.
- Enter the following details:
  - For Component name, enter a descriptive name (example: MyAppComponent)
  - For Version, enter a version number (example: 1.0.0)
  - For Description, enter what the component does
  - Under Image operating system (OS), select your target OS
  - For Compatible OS versions, select the supported versions
- Under Definition document, choose Define document content.
- Choose the Amazon Q icon in the top right corner.
- Enter your component requirements prompt:
Example 1: Creating an S3 download component
Figure 4: Example of using Amazon Q to generate a S3Download action
When building components that handle sensitive information like database credentials, proper security implementation is crucial. AWS Secrets Manager provides a secure way to manage and retrieve these credentials during the component build process, and you can also use AWS Systems Manager (SSM) Parameter Store to retrieve secrets securely. For example, you can reference an AWS Secrets Manager secret using an SSM SecureString parameter:
{{ aws:ssm:/aws/reference/secretsmanager/test/test-secret }}
This approach minimizes the risk of exposing sensitive information in your component configurations and helps you meet AWS Marketplace security requirements. The SSM Parameter Store integration offers significant advantages. It works seamlessly across all supported systems because AWSTOE includes built-in SDK support for API calls. This eliminates the need for AWS CLI installation, which is particularly beneficial for Windows systems where CLI tools aren’t available by default.
By integrating AWS Secrets Manager or SSM Parameter Store into your components, you can manage credentials independently from your component code. This means you can update passwords and other sensitive values without rebuilding your components. Both integrations provide proper access control through IAM permissions.
You can use Amazon Q to help create components that implement these security best practices. When requesting help with credential handling, specify how you want to retrieve values—via Secrets Manager directly or through SSM Parameter Store—implement proper error handling, and use SecureString parameters. Remember to include the default parameters required for AWS Marketplace validation.
Example 2: Implementing secure configuration management
Figure 5: Example of using Amazon Q to retrieve Configuration value
EC2 Image Builder components often need to access sensitive information like database credentials during software installation. Rather than embedding these credentials directly in your component configurations, you can use AWS Secrets Manager to handle them securely. This approach helps protect your sensitive data by retrieving secrets at runtime, keeping them out of component definitions and log files.
AWS Secrets Manager integrates with your components through IAM permissions, allowing you to control exactly which components can access specific secrets. This means you can update credentials whenever needed without rebuilding your components, and you can track who accesses these secrets through AWS CloudTrail.
To help you implement these security patterns, you can use Amazon Q. When you prompt Amazon Q to create a component that uses AWS Secrets Manager, it generates YAML that includes secure credential retrieval, proper error handling, and the required parameter schemas for AWS Marketplace validation. The generated code demonstrates how to safely retrieve and use credentials during installation while maintaining the security standards required for AWS Marketplace components.
Example 3: Secure credential management
Figure 6: Example of using Amazon Q to retrieve credentials from AWS Secrets Manager
As shown in these three examples, AI assistance can help accelerate development, but it’s crucial to maintain security and compliance standards through proper review and testing procedures. While Amazon Q can help streamline authoring by suggesting YAML structures and patterns, its recommendations are based on language models rather than a complete, context-aware understanding of AWSTOE capabilities. This means Q may occasionally suggest unsupported or incorrect actions—for example, inventing actions like DownloadFile or ExtractArchive that do not exist in AWSTOE, even when provided with official documentation links.
Because of this, you should treat Q’s output as a starting point rather than final, production-ready code. Always cross-reference suggested actions with the official AWSTOE action reference and run a full test build to validate syntax, action availability, and runtime behavior.
For example, when integrating with Amazon S3, you can parameterize the S3 bucket and object key so your component can fetch scripts or assets dynamically—but you must use a supported retrieval action (S3Download or WebDownload).
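The cross-check recommended here and under Limitations and testing can run as a static gate before the test build. This is an added Python example, not code from the original post or from AWS: it flags step actions missing from an allowlist and parameters lacking the default value that AWS Marketplace validation expects. The allowlist is a partial, hand-maintained assumption, and the sample document with its names is constructed.

```python
import re

# Partial allowlist (assumption): sync with the official AWSTOE action reference.
KNOWN_ACTIONS = {
    "Assert", "ExecuteBash", "ExecuteBinary", "ExecuteDocument",
    "ExecutePowerShell", "S3Download", "S3Upload", "WebDownload", "Reboot",
    "UpdateOS", "SetRegistry", "AppendFile", "CopyFile", "CreateFile",
    "CreateFolder", "DeleteFile", "MoveFile", "ReadFile", "InstallMSI",
}

# Constructed sample resembling assistant output (hypothetical names throughout).
SAMPLE = """\
schemaVersion: 1.0
parameters:
  - S3Bucket:
      type: string
      default: example-bucket
  - S3Key:
      type: string
phases:
  - name: build
    steps:
      - name: FetchInstaller
        action: S3Download
        inputs:
          - source: s3://{{ S3Bucket }}/{{ S3Key }}
            destination: /tmp/myapp.tar.gz
      - name: Unpack
        action: ExtractArchive
"""

def lint_component(text):
    """Return sorted (line_number, message) findings for a component document."""
    findings, section, current, missing = [], None, None, {}
    for no, line in enumerate(text.splitlines(), 1):
        if m := re.match(r"(\w+):", line):           # unindented key: new section
            section = m.group(1)
        elif section == "parameters":
            if m := re.match(r"  - (\w+):\s*$", line):
                current = m.group(1)
                missing[current] = no                # assume missing until seen
            elif re.match(r"\s+default:", line):
                missing.pop(current, None)
        elif m := re.match(r"\s+action:\s*(\S+)", line):
            if m.group(1) not in KNOWN_ACTIONS:
                findings.append((no, f"unknown action {m.group(1)}"))
    findings += [(no, f"parameter {p} has no default") for p, no in missing.items()]
    return sorted(findings)
```

An empty result covers only these two static checks; runtime behavior still has to be confirmed by the full pipeline test build.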
Conclusion
The integration of EC2 Image Builder with AWS Marketplace is transforming how AMI-based products are built and delivered—not just for AWS Marketplace sellers, but for any organization building AMI-based solutions. EC2 Image Builder components are evolving to meet enterprise security, compliance, and operational needs across industries. Building on the secure credential management and validation patterns covered earlier, customers are creating components that implement these practices for endpoint security, threat detection, and compliance monitoring. These components often leverage AWS Systems Manager Parameter Store and AWS Secrets Manager for secure configuration management, while meeting AWS Marketplace validation requirements when applicable.
Amazon Q can help accelerate the authoring process but always validate its output against official documentation and through full pipeline testing. By combining automation with rigorous review, you can create Image Builder components that are both efficient to produce and trusted in operation.
Learn more:
- Building with EC2 Image Builder and AWS Marketplace – Detailed guide for component creation
- AWS Marketplace Seller Workshop – Learn about creating and managing AWS Marketplace products
- Security Best Practices for EC2 Image Builder – Implementation guidance for secure components
- Referencing AWS Secrets – Referencing AWS Secrets Manager secrets from Parameter Store parameters
- SSM parameter support – Use Systems Manager Parameter Store parameters