- Compute›
- EC2 Image Builder›
- FAQs
EC2 Image Builder FAQs
General
What is EC2 Image Builder?
EC2 Image Builder simplifies the creation, maintenance, validation, sharing, and deployment of Linux, Windows, and macOS images for use with Amazon EC2 and on-premises.
What are the benefits of the Image Builder?
Improved IT productivity
EC2 Image Builder simplifies the process to build, maintain, and deploy secure and compliant images without the need to write and maintain automation code. Offloading the automation to Image Builder frees up resources and saves IT time.
Simpler to secure
EC2 Image Builder allows you to create images with only the essential components, reducing your exposure to security vulnerabilities. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria.
Simple image management for both AWS and on-premises
EC2 Image Builder in conjunction with AWS VM Import/Export (VMIE) allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF).
Built-in Validation Support
EC2 Image Builder allows you to easily validate your images with AWS-provided tests and your own tests before using them in production. Doing so reduces errors found in images normally caused by insufficient testing that can lead to downtime. Policies can be set that deploy the images to specific AWS regions only after they pass tests that you specify.
Centralized Policy Enforcement
EC2 Image Builder enables version control for easy revision management. It integrates with AWS Resource Access Manager and AWS Organizations to enable sharing of automation scripts, recipes, and images across AWS accounts. Image Builder also enables Information Security and IT teams to better enforce policies and compliance on images.
How do I get started with using the Image Builder?
You can use the Image Builder with the AWS console, AWS CLI, or APIs to create images in your own AWS account. When used with the AWS console, Image Builder provides a step-by-step wizard that covers the following steps:
- Step 1: Provide a base OS image
- Step 2: Select software for installation
- Step 3: Select and run tests
- Step 4: Distribute images to selected regions
The images you built are in your AWS account and can be configured to be patched on an ongoing basis. You can monitor the progress and have CloudWatch events notify you for troubleshooting and debugging. In addition to producing your final image, Image Builder also generates a “recipe” file that can be used with existing source-code version control systems and CI/CD pipelines for repeatable automation.
Which image formats does the Image Builder support?
EC2 Image Builder, in conjunction with AWS VM Import/Export (VMIE), allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF). You can use an existing AMI (either your own custom AMI, or select from a list of Image Builder managed images) as the starting point of your image build process. Or, you can use VMIE to import an image from the VMDK, VHDX, or OVF formats into an AMI, which can then be the starting point of your image build. The final image generated is in the AMI format, which can be exported to VHDX, VMDK, and OVF formats using VMIE.
Which operating systems does the Image Builder support?
Image Builder supports:
- Amazon Linux 2 and 2023
- CentOS 7 and 8
- CentOS Stream 8
- macOS 12.x (Monterey), 13.x (Ventura), 14.x (Sonoma)
- Red Hat Enterprise Linux (RHEL) 7, 8, and 9
- SUSE Linux Enterprise Server (SUSE) 12 and 15
- Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS
- Windows Server 2012 R2, 2016, 2019, and 2022
What is the output of Image Builder?
Image Builder outputs server images in AMI format. You can use VMIE to export these AMIs to VHDX, VMDK, or OVF for on-premises use.
What is an Image Builder recipe?
Image Builder recipe is a file that represents the final state of the images produced by automation pipelines and enables you to deterministically repeat builds. Recipes can be shared, forked, and edited outside the Image Builder UI. You can use your recipes with your version control software to maintain version-controlled recipes that you can use to share and track changes.
How is Image Builder priced?
Image Builder is offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images.
Ongoing patching for up-to-date images
How can I automatically build images that are up-to-date with the latest patches and updates?
New images can be configured to be generated based on triggers such as every time there is a pending update (e.g., source AMI updates, security updates, updates to compliance, new tests, etc.) or at a stipulated time cadence. You can specify a “build cadence” at which new golden images are produced with the latest changes by applying pending changes. The latest images can be tested with the Image Builder to validate your applications on the updated builds. You can also subscribe to notifications via SNS queues for pending updates to images built with the Image Builder. You can use these notifications as triggers to build new images.
Customizing images
How can I customize my images?
You can customize software images from registered software sources such as RPM/Debian package repositories and MSIs and custom installers on Windows. In addition to pre-registered AWS software sources, you can also register one or more of your repositories and Amazon S3 locations that contain software for installation. You can provide installer-specific “unattend” mechanisms (such as answers files) for installation workflows that need interactive input.
How do I find and procure the AWS Marketplace component that I like?
Similar to how you find current EC2 Image Builder components today, you can find AWS Marketplace components from the EC2 Image Builder console or from the AWS Marketplace website. Once subscribed, you can add these components in the EC2 Image Builder recipe, while managing your EC2 Image Builder pipeline.
I purchased the software as an AMI. Can I use the same subscription to deploy an EC2 Image Builder component?
It depends on the delivery options the Independent Software Vendor (ISV) selected while publishing their software version in AWS Marketplace. The ISV can publish their software in AWS Marketplace either to be used as an AMI, an EC2 Image Builder component, or both. If the ISV published their software to be used as an AMI and an EC2 Image Builder component in the same listing, then you would only need 1 subscription to the software. In this case, you have the choice to either deploy as an AMI, or use the software as an EC2 Image Builder component using the same subscription. If the ISV elected to publish 2 listings in AWS Marketplace, one as an AMI, and another as a component, then 2 separate subscriptions are required.
How can I provide feedback or request enhancements for an AWS Marketplace component?
You can find the support information on product detail page in AWS Marketplace. You'll need to engage with the vendor's support directly regarding their specific components. For feedback or more questions, you can email us at aws-mp-imagebuilder@amazon.com.
Preset settings towards meeting security and compliance requirements
How can I apply my internal IT policies to my images produced with Image Builder?
Image Builder allows you to define collections of security settings that you can edit, update, and use to harden your images built using Image Builder. These settings collections can be applied towards meeting applicable compliance criteria. These criteria may be mandated by your organization or by the regulatory authority in your industry. AWS provides a gallery of settings to help meet popular industry regulations. You can apply collections of settings directly or in a modified form. For example, AWS-provided settings for STIG closes non-essential open ports, and enables a software firewall.
Will using Image Builder ensure compliance with regulations such as CIS, HIPAA, etc.?
No, the collections of settings from AWS represent recommended guidance towards achieving compliance and do not guarantee compliance. You will need to work with your compliance teams and auditors to validate compliance. The settings provided by AWS can be modified based on your needs and saved for reuse in the gallery.
Can I capture settings vetted by my compliance team and reuse them for hardening of my VM images?
Collections of settings can be authored from scratch or derived from AWS-provided templates and stored in a registered Amazon S3 location. You can build your own collections that apply security settings such as ensuring security patches are applied, installing firewall, closing certain ports, not allowing file sharing among programs, installing anti-malware, creating strong passwords, keeping a backup, using encryption when possible, disabling weak encryption, logging/audit controls, removal of personal data, etc. You can add your custom settings to the gallery.
Testing
How do I test my images?
The test framework in the Image Builder lets you catch incompatibilities introduced by OS updates before deployment to AWS regions. You can run both - AWS-provided tests and your own tests, manage test runs, results, and gate downstream operations on the passing of tests. Examples of AWS-provided tests include: testing if an AMI can boot to the login prompt, testing if an AMI can run a sample app, etc. You can also run your own tests on the images.
What does each test consist of in Image Builder?
Each test in Image Builder consists of a test script, a test binary, and test metadata. The test script contains orchestration commands to kick off the test binary that can be written in any language and in any test framework supported by in the OS (e.g., PowerShell on Windows and bash, python, ruby, etc. on Linux) and exit status codes denote test outcomes. Test metadata also includes attributes such as the name, description, paths to test binary, expected duration, etc.).
Distribution and sharing
How do I share AMIs across AWS accounts?
Image Builder integrates with AWS Organizations to enable sharing of AMIs across AWS accounts using existing mechanisms. Image Builder can modify AMI launch permissions to control which AWS accounts besides the owner are allowed to launch EC2 VMs with the AMI (e.g., private, public, and share with specific accounts). You can also have your AWS Organization master account enforce constraints on member accounts to launch instances only with approved and compliant AMIs. See Image Builder documentation for details on integration with AWS Organizations. If your AMIs have third-party components from AWS Marketplace, you must share the license for the software with these accounts to allow them to use the component.
Can I share a license for software that I purchased in AWS Marketplace?
Yes. As an AWS Marketplace customer, you can use the managed entitlement feature provided by AWS Marketplace to distribute software license entitlements through AWS License Manager to your organization. Accounts that you have shared the entitlement with can use the third-party software and can launch golden images. If there is no entitlement to use the component, then EC2 Image Builder fails with an exception that there is no valid subscription.
How do I share, distribute, and replicate container images across AWS accounts and AWS regions?
Image Builder uses Amazon ECR (a managed service for container registries) as both an input and output for container images. You can configure policies to manage permissions for each repository and restrict access to IAM users, roles, or AWS accounts. ECR integrates with RAM and AWS Organizations to allow the sharing, distribution, and replication of container images across regions and accounts. ECR uses IAM policies for controlling access to resources.
How do I distribute AMIs to AWS regions?
Image Builder can copy AMIs to selected AWS regions using existing AMI sharing mechanisms. The distribution can be gated on the passing of tests with Image Builder.
I already have a CI/CD pipeline to produce my images. How can I use it with Image Builder?
The Image Builder can integrate with AWS CI/CD services such as Code Build and Code Pipeline to help actualize an end-to-end CI/CD pipeline for building, testing, and deploying AMIs.
Troubleshooting and debugging
How do I troubleshoot and debug issues with the Image Builder?
Image Builder tracks and displays the progress for each step in the image building process. In addition, Image Builder can be made to emits logs to CloudWatch. For advanced troubleshooting, you can run arbitrary commands and scripts using the SSM runCommand interface.
My AMI build failed during the installation/configuration of an AWS Marketplace component. How can I troubleshoot this?
To troubleshoot an AMI build failure with a third-party component, you should review the build logs for any errors. It is crucial to verify dependencies and compatibility with other components in your AMI. You need to check the component's documentation and system requirements provided by the Independent Software Vendor (ISV) in the usage instructions on components. If you are unable to resolve the issue, you can reach out to the ISV for guidance. AWS does not validate dependencies between third-party components, so you must ensure compatibility before building AMIs.