Building AMIs for AWS Marketplace

What is an AMI?
Best Practices
AWS Marketplace Compatibility and Policies
AMI Sharing with AWS Marketplace
AMI Cloning and Product Code assignment
Additional Resources

What is an AMI?

AMI is the acronym for Amazon Machine Image. An Amazon Machine Image (AMI) is an encrypted machine image of a specific computer running an operating system that is configured in a specific way and that can also contain a set of applications and services for accomplishing a specific purpose. An AMI contains all the information necessary to start up and run the software in the image. Amazon Elastic Compute Cloud (Amazon EC2) and AWS infrastructure make up the computing environment for running an AMI.

Best Practices

  • Products should be created from existing, well-maintained EBS-backed AMIs with a clearly defined life-cycle provided by trusted, reputable sources such as AWS Marketplace.
  • You are responsible for securing resell rights for non-free Linux distributions, with the exception of AWS-provided RHEL, SUSE and Windows AMIs.
  • Build AMIs using the most up-to-date operating systems, packages, and software.
  • Develop a repeatable process for building, updating, and republishing AMIs.
  • Prior to submission to AWS Marketplace, configure a running instance from your final AMI to the end-user experience you want, and test all installation, features, and performance.
  • Architect your AMI to deploy as a minimum installation to reduce the attack surface. You should disable or remove unnecessary services and programs.
  • Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Socket Layer (SSL) to secure HTTP sessions between you and your customers. Ensure that your service uses only valid and up-to-date certificates.
  • Use security groups to control inbound traffic access to your instance. Ensure that your security groups are configured to allow access only to the minimum set of ports required to provide necessary functionality for your services. In addition, allow administrative access only to the minimum set of ports and source IP address ranges necessary.
  • Be aware of the top 10 vulnerabilities for web applications and build your applications accordingly. To learn more, visit Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks. When new Internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database.

AWS Marketplace Compatibility and Policies

Architecture

  1. Source AMIs for AWS Marketplace MUST be provided in the us-east-1 region.
  2. AWS Marketplace AMIs MUST be 32-bit or 64-bit EBS-backed AMIs. We do not currently support S3-backed AMIs.
  3. AMIs MUST use a supported file system: Ext2, Ext3, Ext4, or NTFS. Encrypted file systems are not supported.
  4. Your AMI MUST be built such that it can run in all regions and is region agnostic. AMIs built differently for regions are not allowed.
  5. The seller MUST map any non-Amazon-owned AKI to all applicable regions and provide the mapping information. It is STRONGLY recommended that you use the Amazon-provided PV-GRUB Linux kernel (AKI) when creating your AMIs. Some EC2 regions (Sydney) only support PV-GRUB 1.03 based AMIs.
  6. Self-referencing security groups are NOT supported. A default set of ports must be identified for each AMI.
  7. Only TCP and UDP ingress rules are supported at this time. ICMP is not.
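The minimal-ports guidance in the best practices above and the ingress rules in this list (TCP/UDP only, no self-referencing security groups, a fixed default port set) can be checked mechanically before a listing is submitted. The script below is an added example, not code from AWS Marketplace: it lints a proposed default port set, rejects anything the rules above forbid plus administrative ports (SSH, RDP) opened to all sources, and prints the matching aws ec2 authorize-security-group-ingress commands as a dry run. The "proto:port:source" rule format, the CIDRs and the security group id are constructed for the example.

```shell
#!/bin/sh
# Added example, not AWS Marketplace code: lint a proposed default ingress
# port set for a Marketplace AMI and print the matching AWS CLI commands.
# Rule format (constructed for this example): "proto:port:source",
# e.g. "tcp:443:0.0.0.0/0" or "tcp:22:203.0.113.0/24".

# Accept or reject one rule. Prints the reason on stderr when rejecting.
check_ingress_rule() {
    rule=$1
    proto=${rule%%:*}
    rest=${rule#*:}
    port=${rest%%:*}
    src=${rest#*:}

    # Only TCP and UDP ingress rules are supported by Marketplace; ICMP is not.
    case "$proto" in
        tcp|udp) ;;
        *) echo "REJECT $rule: protocol '$proto' is not supported" >&2; return 1 ;;
    esac

    # Self-referencing (or any group-based) sources are not supported; use CIDRs.
    case "$src" in
        sg-*) echo "REJECT $rule: security-group sources are not supported" >&2; return 1 ;;
    esac

    # Port must be a single number in 1..65535.
    case "$port" in
        ''|*[!0-9]*) echo "REJECT $rule: port '$port' is not numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "REJECT $rule: port $port out of range" >&2; return 1
    fi

    # Least privilege: administrative ports (SSH, RDP) must not be open to everyone.
    case "$port" in
        22|3389)
            if [ "$src" = "0.0.0.0/0" ] || [ "$src" = "::/0" ]; then
                echo "REJECT $rule: admin port $port open to all sources; restrict to operator CIDRs" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# Print one authorize-security-group-ingress command per accepted rule
# (dry run: nothing is executed). Stops at the first rejected rule.
ingress_commands() {
    group_id=$1
    shift
    for r in "$@"; do
        check_ingress_rule "$r" || return 1
        proto=${r%%:*}; rest=${r#*:}; port=${rest%%:*}; src=${rest#*:}
        printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s\n' \
            "$group_id" "$proto" "$port" "$src"
    done
}

# Usage: sh ingress-lint.sh sg-0123456789abcdef0 tcp:443:0.0.0.0/0 tcp:22:203.0.113.0/24
if [ "$#" -ge 2 ]; then
    ingress_commands "$@"
fi
```

Run it with the security group id followed by the rule list; it prints the commands only when every rule passes, so a rejected rule is caught before anything is applied to the account.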

Security

  1. AMIs MUST NOT contain any known vulnerabilities, malware or viruses. A number of tools are available for scanning the software, such as Chkrootkit, rkhunter, OpenVAS and Nessus.
  2. AMIs MUST NOT contain default passwords, auth keys, key pairs, security keys or other credentials for any reason.  All instance authentication must use key pair access rather than password based auth, even if the password is generated, reset or defined by the user at launch.
  3. Linux-based AMIs MUST lock/disable root login and allow only sudo access. Additionally, the root password must not be null or blank.
  4. AMIs MUST give end users OS-level administration capabilities, to allow for compliance requirements, vulnerability updates and log file access. For Linux-based AMIs this is normally through SSH, and for Windows-based AMIs this is normally through RDP.
  5. AMIs MUST NOT use default passwords for application access. It is recommended to use a randomization process, such as deriving the initial password from the instance_id obtained from the EC2 Instance Metadata Service.
  6. Windows-based AMIs MUST have the following settings (see Creating an Amazon EBS-Backed Windows AMI):
    1. The most recent version of Ec2ConfigService must be installed.
    2. Ec2SetPassword is enabled
    3. Ec2WindowsActivate is enabled
    4. Ec2HandleUserData is enabled
    5. No Guest Accounts or Remote Desktop Users are allowed
  7. NEVER include software in your AMI that collects and exports customer data without the customer’s knowledge and express consent.
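Several of the rules above (no baked-in keys or credentials, root locked with a non-blank password, key-pair-only SSH) can be verified against a mounted copy of the image's root volume before the AMI is shared. The script below is an added example and not part of AWS Marketplace's tooling; it assumes a Linux image whose root filesystem is mounted under the directory passed as the first argument (for instance /mnt/ami-root, a constructed path), with the usual /etc/shadow and /etc/ssh/sshd_config locations. It covers only the conditions named in items 2 and 3; the vulnerability scanning of item 1 with the tools listed there is a separate step.

```shell
#!/bin/sh
# Added example, not AWS Marketplace tooling: pre-submission checks against a
# mounted copy of the image root filesystem (e.g. a volume mounted at
# /mnt/ami-root). Assumes a Linux layout with /etc/shadow and /etc/ssh/sshd_config.

# 1. No leftover SSH keys, authorized_keys files or shell history in any home
#    directory: these are exactly the "auth keys, key pairs ... or other
#    credentials" the policy forbids.
check_no_credentials() {
    root=$1
    found=0
    for f in $(find "$root/root" "$root/home" -type f \
                \( -name authorized_keys -o -name id_rsa -o -name id_ecdsa \
                   -o -name id_ed25519 -o -name '*.pem' -o -name '*_history' \) \
                2>/dev/null || true); do
        echo "FAIL: credential or history file left in image: ${f#"$root"}" >&2
        found=$((found + 1))
    done
    [ "$found" -eq 0 ]
}

# 2. The root account is locked (hash prefixed with "!" or "*") and never blank.
#    A blank second field in /etc/shadow means root has NO password at all.
check_root_locked() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1/etc/shadow")
    case "$hash" in
        '')        echo "FAIL: root has an empty password field" >&2; return 1 ;;
        '!'*|'*'*) return 0 ;;
        *)         echo "FAIL: root has a usable password; run 'passwd -l root'" >&2; return 1 ;;
    esac
}

# 3. sshd refuses root logins and password authentication (key pairs only).
#    sshd honours the FIRST value given for a keyword, so take the first match;
#    an unset keyword falls back to the daemon default, which is not strict enough.
check_sshd_config() {
    cfg=$1/etc/ssh/sshd_config
    [ -r "$cfg" ] || { echo "FAIL: $cfg is missing" >&2; return 1; }
    prl=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    pwa=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    rc=0
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '${prl:-unset}' (must be 'no')" >&2; rc=1; }
    [ "$pwa" = "no" ] || { echo "FAIL: PasswordAuthentication is '${pwa:-unset, default yes}' (must be 'no')" >&2; rc=1; }
    return $rc
}

# Run every check and report all findings, not just the first.
check_image_root() {
    rc=0
    check_no_credentials "$1" || rc=1
    check_root_locked "$1"    || rc=1
    check_sshd_config "$1"    || rc=1
    return $rc
}

# Usage: sh ami-precheck.sh /mnt/ami-root
if [ -n "${1:-}" ]; then
    check_image_root "$1" && echo "PASS: no findings under $1"
fi
```

The checks read files from the mounted tree rather than the running build host, so they can be run from a separate, clean instance against the snapshot volume that will actually become the AMI, which is what the Marketplace review sees.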

Product Usage

  1. All non-BYOL products MUST NOT require buyer registration with the seller, or require buyer information to use the product.
  2. "Trial" or "Beta" products or products that restrict access to the application by time, users, bandwidth or other restrictions are NOT supported.
  3. The seller MUST NOT maintain access to the customer’s running instances. The customer has to explicitly enable any outside access, and any accessibility built into the AMI must be off by default.
  4. All AMIs MUST be compatible with the AWS Marketplace 1-click fulfillment experience. Only single-AMI configurations are currently supported. The AMI cannot require custom or user data at instance creation in order to function correctly. Master/Slave (Head/Worker), multi-instance, clustered formation or CloudFormation launches are not currently supported or allowed as part of usage instructions.
  5. Each AMI MUST contain everything a seller needs to use the software, including any client applications.
  6. For Free or Paid AMI products, the fulfillment process MUST NOT require the buyer to leave the AWS Marketplace.
  7. AMIs that require the use of GovCloud are NOT supported.
  8. AMIs that require a subscription API or are launched from outside the AWS Marketplace are NOT supported.
  9. Products MUST NOT use Copyrighted material you do not have the rights to use.
  10. Product software and metadata MUST NOT contain language that redirects users to other cloud platforms, additional products or upsell services not available on AWS Marketplace.
  11. Private AMIs are NOT supported. Each listing must be publicly available.

AMI Sharing with AWS Marketplace

AMIs and all associated snapshots MUST be shared and accessible to the AWS Marketplace account (679593333241) in order to be processed. Please follow these steps to grant access to the AMI and snapshots:

AMI and Snapshot Sharing

  1. In the AWS Management Console, access the EC2 Dashboard
  2. Click "AMIs" in the left hand navigation bar
  3. Select the AMI to be shared
  4. Select the Permissions tab at the bottom of the page
  5. Check the box labelled "Add 'create volume' permissions to the following associated snapshots when creating permissions"
  6. Click "Edit"
  7. Enter "679593333241" into the text field
  8. Click "Save"
  9. You should see the account number listed under "AWS Account Number"

To verify that the snapshot(s) have been correctly shared:

  1. Click "Snapshots" in the left hand navigation bar
  2. Select the snapshot(s) associated with the AMI
  3. Click "Permissions"
  4. You should see "aws-marketplace" in the list of "Remove Create Volume Permission"
  5. If you do not see it listed, you can add AWS Account Number "679593333241" and click Save

Public AMI sharing

To share the snapshot of a public AMI:

  1. Run this command from the command line using the EC2 command line interface tools: ec2-modify-snapshot-attribute snapshot_id -c --add 679593333241.
  2. Replace 'snapshot_id' with the snapshot ID of the snapshot underlying the AMI. If the AMI uses multiple snapshots, this command should be run for each snapshot.
  3. If you are unsure of the snapshot ID you can run ec2-describe-images to see the snapshot ID associated with the AMI on the command line.
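The same sharing steps, scripted with the current AWS CLI ("aws ec2 ...") rather than the older ec2-* command line tools used above, as an added example that is not AWS Marketplace's own code. It uses the Marketplace account ID stated on this page, runs against us-east-1 (the required source region), discovers every EBS snapshot behind the AMI so none is missed, and then verifies the createVolumePermission grant on each one, which is the check the console steps above perform by hand. It assumes credentials for the account that owns the AMI; the AMI ID is the only input.

```shell
#!/bin/sh
# Added example, not AWS Marketplace code: share an AMI and all of its EBS
# snapshots with the AWS Marketplace account (ID taken from this page) using
# the AWS CLI, then verify the grant. Assumes credentials for the account that
# owns the AMI in us-east-1.

MARKETPLACE_ACCOUNT=679593333241
REGION=us-east-1

# Print the snapshot ID behind every EBS block device of the AMI, one per line.
# Instance-store (ephemeral) devices have no snapshot and are filtered out.
ami_snapshot_ids() {
    aws ec2 describe-images --region "$REGION" --image-ids "$1" \
        --query 'Images[].BlockDeviceMappings[].Ebs.SnapshotId' --output text \
        | tr '\t' '\n' | grep '^snap-'
}

# Grant the Marketplace account launch permission on the AMI and
# createVolume permission on each underlying snapshot (the two grants the
# console steps above make in one go with the "create volume" checkbox).
share_ami_with_marketplace() {
    ami=$1
    aws ec2 modify-image-attribute --region "$REGION" --image-id "$ami" \
        --launch-permission "Add=[{UserId=$MARKETPLACE_ACCOUNT}]"
    for snap in $(ami_snapshot_ids "$ami"); do
        aws ec2 modify-snapshot-attribute --region "$REGION" --snapshot-id "$snap" \
            --attribute createVolumePermission --operation-type add \
            --user-ids "$MARKETPLACE_ACCOUNT"
    done
}

# Returns 0 when every snapshot of the AMI lists the Marketplace account under
# createVolumePermission, 1 otherwise, naming each snapshot still missing it.
verify_shared() {
    ami=$1
    missing=0
    for snap in $(ami_snapshot_ids "$ami"); do
        if ! aws ec2 describe-snapshot-attribute --region "$REGION" --snapshot-id "$snap" \
                --attribute createVolumePermission \
                --query 'CreateVolumePermissions[].UserId' --output text \
            | grep -q "$MARKETPLACE_ACCOUNT"; then
            echo "$snap is not shared with $MARKETPLACE_ACCOUNT" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh share-with-marketplace.sh ami-0123456789abcdef0
if [ -n "${1:-}" ]; then
    share_ami_with_marketplace "$1" && verify_shared "$1" && echo "shared: $1"
fi
```

Because the grant is scoped to one account ID, this shares nothing publicly; the public-AMI case above still needs only the snapshot grant, which is what the loop in share_ami_with_marketplace performs.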

AMI Cloning and Product Code assignment

Once your AMI is submitted, AWS Marketplace will create cloned AMIs for each region that you have indicated that software should be available. During this cloning and publishing process, AWS Marketplace will attach a product code to the cloned AMIs. The product code is used to both control access and to meter usage. All submissions must go through this AMI cloning process.

Additional Resources
