What is EC2 Image Builder?
EC2 Image Builder simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows images for use with Amazon EC2 and on-premises.
What are the benefits of the Image Builder?
Improved IT productivity
EC2 Image Builder simplifies the process to build, maintain, and deploy secure and compliant images without the need to write and maintain automation code. Offloading the automation to Image Builder frees up resources and saves IT time.
Simpler to secure
EC2 Image Builder allows you to create images with only the essential components, reducing your exposure to security vulnerabilities. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria.
Simple image management for both AWS and on-premises
EC2 Image Builder in conjunction with AWS VM Import/Export (VMIE) allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF).
Built-in Validation Support
EC2 Image Builder allows you to easily validate your images with AWS-provided tests and your own tests before using them in production. Doing so reduces errors found in images normally caused by insufficient testing that can lead to downtime. Policies can be set that deploy the images to specific AWS regions only after they pass tests that you specify.
Centralized Policy Enforcement
EC2 Image Builder enables version control for easy revision management. It integrates with AWS Resource Access Manager and AWS Organizations to enable sharing of automation scripts, recipes, and images across AWS accounts. Image Builder also enables Information Security and IT teams to better enforce policies and compliance on images.
How do I get started with using the Image Builder?
You can use the Image Builder with the AWS console, AWS CLI, or APIs to create images in your own AWS account. When used with the AWS console, Image Builder provides a step-by-step wizard that covers the following steps:
- Step 1: Provide a base OS image
- Step 2: Select software for installation
- Step 3: Select and run tests
- Step 4: Distribute images to selected regions
The images you built are in your AWS account and can be configured to be patched on an ongoing basis. You can monitor the progress and have CloudWatch events notify you for troubleshooting and debugging. In addition to producing your final image, Image Builder also generates a “recipe” file that can be used with existing source-code version control systems and CI/CD pipelines for repeatable automation.
Which image formats does the Image Builder support?
EC2 Image Builder, in conjunction with AWS VM Import/Export (VMIE), allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF). You can use an existing AMI (either your own custom AMI, or select from a list of Image Builder managed images) as the starting point of your image build process. Or, you can use VMIE to import an image from the VMDK, VHDX, or OVF formats into an AMI, which can then be the starting point of your image build. The final image generated is in the AMI format, which can be exported to VHDX, VMDK, and OVF formats using VMIE.
Which operating systems does the Image Builder support?
Image Builder supports:
- Amazon Linux 2
- Windows Server 2012, 2016, and 2019
- Ubuntu Server 16 and 18
- Red Hat Enterprise Linux (RHEL) 7 and 8
- Cent OS 7 and 8
- SUSE Linux Enterprise Server (SLES) 15
What is the output of Image Builder?
Image Builder outputs server images in AMI format. You can use VMIE to export these AMIs to VHDX, VMDK, or OVF for on-premises use.
What is an Image Builder recipe?
Image Builder recipe is a file that represents the final state of the images produced by automation pipelines and enables you to deterministically repeat builds. Recipes can be shared, forked, and edited outside the Image Builder UI. You can use your recipes with your version control software to maintain version-controlled recipes that you can use to share and track changes.
How is Image Builder priced?
Image Builder is offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images.
Ongoing patching for up-to-date images
How can I automatically build images that are up-to-date with the latest patches and updates?
New images can be configured to be generated based on triggers such as every time there is a pending update (e.g., source AMI updates, security updates, updates to compliance, new tests, etc.) or at a stipulated time cadence. You can specify a “build cadence” at which new golden images are produced with the latest changes by applying pending changes. The latest images can be tested with the Image Builder to validate your applications on the updated builds. You can also subscribe to notifications via SNS queues for pending updates to images built with the Image Builder. You can use these notifications as triggers to build new images.
How can I customize my images?
You can customize software images from registered software sources such as RPM/Debian package repositories and MSIs and custom installers on Windows. In addition to pre-registered AWS software sources, you can also register one or more of your repositories and Amazon S3 locations that contain software for installation. You can provide installer-specific “unattend” mechanisms (such as answers files) for installation workflows that need interactive input.
Preset settings towards meeting security and compliance requirements
How can I apply my internal IT policies to my images produced with Image Builder?
Image Builder allows you to define collections of security settings that you can edit, update, and use to harden your images built using Image Builder. These settings collections can be applied towards meeting applicable compliance criteria. These criteria may be mandated by your organization or by the regulatory authority in your industry. AWS provides a gallery of settings to help meet popular industry regulations. You can apply collections of settings directly or in a modified form. For example, AWS-provided settings for STIG closes non-essential open ports, and enables a software firewall.
Will using Image Builder ensure compliance with regulations such as CIS, HIPAA, etc.?
No, the collections of settings from AWS represent recommended guidance towards achieving compliance and do not guarantee compliance. You will need to work with your compliance teams and auditors to validate compliance. The settings provided by AWS can be modified based on your needs and saved for reuse in the gallery.
Can I capture settings vetted by my compliance team and reuse them for hardening of my VM images?
Collections of settings can be authored from scratch or derived from AWS-provided templates and stored in a registered Amazon S3 location. You can build your own collections that apply security settings such as ensuring security patches are applied, installing firewall, closing certain ports, not allowing file sharing among programs, installing anti-malware, creating strong passwords, keeping a backup, using encryption when possible, disabling weak encryption, logging/audit controls, removal of personal data, etc. You can add your custom settings to the gallery.
How do I test my images?
The test framework in the Image Builder lets you catch incompatibilities introduced by OS updates before deployment to AWS regions. You can run both - AWS-provided tests and your own tests, manage test runs, results, and gate downstream operations on the passing of tests. Examples of AWS-provided tests include: testing if an AMI can boot to the login prompt, testing if an AMI can run a sample app, etc. You can also run your own tests on the images.
What does each test consist of in Image Builder?
Each test in Image Builder consists of a test script, a test binary, and test metadata. The test script contains orchestration commands to kick off the test binary that can be written in any language and in any test framework supported by in the OS (e.g., PowerShell on Windows and bash, python, ruby, etc. on Linux) and exit status codes denote test outcomes. Test metadata also includes attributes such as the name, description, paths to test binary, expected duration, etc.).
Distribution and sharing
How do I share AMIs across AWS accounts?
Image Builder integrates with AWS Organizations to enable sharing of AMIs across AWS accounts using existing mechanisms. Image Builder can modify AMI launch permissions to control which AWS accounts besides the owner are allowed to launch EC2 VMs with the AMI (e.g., private, public, and share with specific accounts). You can also have your AWS Organization master account enforce constraints on member accounts to launch instances only with approved and compliant AMIs. See Image Builder documentation for details on integration with AWS Organizations.
How do I share, distribute, and replicate container images across AWS accounts and AWS regions?
Image Builder uses Amazon ECR (a managed service for container registries) as both an input and output for container images. You can configure policies to manage permissions for each repository and restrict access to IAM users, roles, or AWS accounts. ECR integrates with RAM and AWS Organizations to allow the sharing, distribution, and replication of container images across regions and accounts. ECR uses IAM policies for controlling access to resources.
How do I distribute AMIs to AWS regions?
Image Builder can copy AMIs to selected AWS regions using existing AMI sharing mechanisms. The distribution can be gated on the passing of tests with Image Builder.
I already have a CI/CD pipeline to produce my images. How can I use it with Image Builder?
The Image Builder can integrate with AWS CI/CD services such as Code Build and Code Pipeline to help actualize an end-to-end CI/CD pipeline for building, testing, and deploying AMIs.
Troubleshooting and debugging
How do I troubleshoot and debug issues with the Image Builder?
Image Builder tracks and displays the progress for each step in the image building process. In addition, Image Builder can be made to emits logs to CloudWatch. For advanced troubleshooting, you can run arbitrary commands and scripts using the SSM runCommand interface.