Announcing the Golden AMI Pipeline

Updated 1/9/2020

On 12/1/2019, AWS released EC2 Image Builder, which simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows Server images. We now recommend AWS customers use EC2 Image Builder to manage your golden images. Find out more about EC2 Image Builder here, and read this blog post Automate OS image build pipelines with EC2 Image Builder.

Today, I’m happy to announce that the golden AMI pipeline sample configuration is now available. Many AWS customers I work with are taking concrete steps to mature their cloud processes. These AWS customers have already identified and agreed upon a set of best practices they want to follow. One such practice is to set up a process to create golden Amazon Machine Images (AMIs). A golden AMI is an AMI that you standardize through configuration, consistent security patching, and hardening. It also contains agents you approve for logging, security, performance monitoring, etc. Customers have also expressed desire to establish repeatable processes to:

1. Distribute the golden AMI(s) to their business units.
2. Continuously assess the security posture of all active golden AMIs.
3. Decommission golden AMIs once obsolete.

Note

This sample configuration assumes that a golden AMI you want to create is a:

1. Standardized golden OS-AMI that you want to distribute to accounts or line of businesses (LOBs) in your organization for consumption:
   1. For general use like a bastion host.
   2. As an input base AMI for creating a standardized application specific golden AMI.
2. Or is a standardized application specific golden AMI you want to let your business unit(s)/users deploy in their environment.

Moreover, customers have been looking for recommendations and best practices on how to leverage existing AWS services to set up a pipeline to manage the lifecycle of golden AMIs.

The golden AMI pipeline sample configuration is now available in the following GitHub repository under Amazon Software License.

GitHub Repository – https://github.com/aws-samples/aws-golden-ami-pipeline-sample

The repository contains a read-me guide that includes step-by-step instructions and CloudFormation templates required to set up a golden AMI pipeline that allows you to create, distribute across accounts, regularly assess, and decommission golden AMIs.

About the golden AMI pipeline

The golden AMI pipeline enables creation, distribution, verification, launch-compliance, and decommissioning of the golden AMI out of the box. The following diagram highlights the high-level workflow.

Once you create a golden AMI for a product (a product can be a standardized OS-AMI that you want to distribute to accounts in your organization or an application specific AMI you want to let your business unit(s) deploy in their environment), you can validate whether the AMI meets your expectations, and choose to approve or reject the AMI. If you reject a golden AMI, the golden AMI pipeline provides you an AWS Systems manager automation you can execute to decommission the golden AMI version completely. If you choose to approve the AMI as a golden AMI, it gets registered as active and is regularly inspected by the continuous vulnerability assessment process. As a Cloud Center of Excellence (CCOE) team you can then choose to distribute the approved golden AMI to your business units based in other AWS accounts. Many compliance aware AWS customers I work with also want a compliance check set up to track non-golden AMI launches, which can be achieved via an AWS Config rule set up by the golden AMI pipeline.

It is a standard DevOps best practice to establish golden AMIs (and the resulting running instances) as immutable objects and to manage any changes through a standard pipeline. Golden AMI pipeline follows the same best practice and enables the requirement of patching by allowing you to decommission an affected golden AMI version and creating a new one. Also, over time, a golden AMI version becomes obsolete. You can decommission the version by executing an automation set up by the pipeline.

Here is an architecture diagram of the golden AMI creation process:

For more information on how a golden AMI is created by the pipeline, see the read-me guide available in the GitHub repository.

How do I deploy the sample golden AMI pipeline?

The repository contains sample CloudFormation (CFN) templates and a read-me guide. You can use the CloudFormation Templates to set up the pipeline, however, instructions on how and where to execute these CloudFormation templates are available in the read-me guide. The read-me guide is a detailed step-by-step instruction guide, which contains instructions to:

1. Set up the pipeline infrastructure in the master account. Note that If you are using AWS organizations, this is not the master-payer account. It is an account that your Cloud Center Of Excellence (CCOE) team has identified as the master account.
2. Test the golden AMI pipeline. As part of the test, you would:
3. Create a golden AMI version (a product can have multiple golden AMI versions) you approve of. You can use your private AMI/Amazon-owned AMI/AWS Marketplace-based AMI as the source AMI.
   1. Distribute the golden AMI version to one or more accounts using AWS Lambda and AWS Systems Manager.
   2. Check if non-golden AMI launches are flagged as non-compliance via an AWS Config rule.
   3. Launch an EC2 instance from the golden AMI in a governed manner in the child account using AWS Service Catalog.
   4. Perform continuous security assessment of all active golden AMIs using Amazon Inspector.
   5. Decommission a golden AMI version.

Important Notes

• For details on which operating systems are supported by the golden AMI pipeline, check the support section of the read-me guide.
• The golden AMI pipeline does not give you guidance on how to harden the AMI and which agents/tools to bake into the golden AMI. The security hardening requirements are organization specific and so are the hardening-validation scripts. The golden AMI pipeline provides a framework for managing different aspects of the golden AMI you create and approve of.
• The pipeline does not give any inputs on whether you should create environment specific or agnostic golden AMIs. How you inject the environment specific parameters to create the final AMI, is out of the context of this blog and the pipeline.
• The golden AMI pipeline is based on architectures described in the following content:
  • Whitepaper – Building a Secure, Approved AMI Factory Process Using Amazon EC2 Systems Manager (SSM), AWS Marketplace, and AWS Service Catalog
  • Blog – How to Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector

Conclusion

Golden AMI pipeline provides an out-of-the-box solution for building, distributing, and managing golden AMIs at enterprise level. It is compatible with single as well as multi-account based golden AMI distribution requirements and can be extended to meet specific requirements.

If you have questions about implementing the solution described in this post, please contact AWS Support.

About the Author

Kanchan Waikar is an AWS Marketplace Solutions Architect at Amazon Web Services. She enjoys helping customers build architectures using AWS, AWS Marketplace products, and AWS Service Catalog.