Overview
This is a hardened, enterprise-ready operating system image optimized for AWS deployments. Built-in security hardening and ongoing lifecycle maintenance are included for an additional charge.
Leverage the reliability and security of Debian 13, engineered specifically for AWS environments. This Amazon Machine Image (AMI) delivers a highly secure, stable foundation right out of the box, drastically reducing the time required for initial configuration and manual security patching.
Core Capabilities:
- Latest Updates: Debian 13 deployed with the most recent security updates applied at build time.
- CIS Hardening: CIS Level 1 Benchmark configurations applied to guarantee a secure baseline.
- IMDSv2 Enforced: Strictly enforced metadata service to protect against SSRF vulnerabilities.
- Seamless Management: Native AWS Systems Manager (SSM) Agent pre-installed for streamlined remote management.
- Clean OS: Zero unnecessary telemetry agents and absolutely no cross-cloud bloatware.
- Secure Access: SSH heavily hardened, with root login and password authentication entirely disabled.
- Graviton Optimized: Compiled and tuned specifically to maximize price-performance on AWS ARM64 Graviton processors.
Operational Advantages:
- Rapid Deployment: Spin up fully hardened, compliant instances in minutes rather than hours or days.
- Reduced Overhead: Eliminates the tedious need for manual OS hardening, patching, and agent installation before deploying workloads.
- Audit-Ready Infrastructure: Pre-configured to align with strict industry security standards, easing the burden of compliance audits and security reviews.
Use Cases:
- Enterprise Workloads: The perfect foundation for deploying and managing mission-critical applications or services at scale.
- Regulated Environments: Highly recommended for industries requiring strict security baselines, such as finance, healthcare, and public sector.
- Development and Testing: Provides a secure, highly predictable environment for software engineering teams to iterate and stage safely.
Accelerate your AWS journey with Debian 13 and build your cloud strategies on a secure, optimized infrastructure.
Highlights
- CIS Hardened by Default: CIS Level 1 benchmarks applied, IMDSv2 enforced, root SSH disabled, and password authentication removed at build time.
- Zero Bloat, Operationally Ready: Carefully stripped of legacy packages, stale kernels, and unnecessary background services to minimize vulnerabilities. Includes the native AWS Systems Manager (SSM) Agent for seamless remote access without a bastion host.
- Graviton Optimized: Compiled and built specifically to maximize price-performance on AWS ARM64 processors.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
- ...
Dimension | Cost/hour |
|---|---|
t4g.small Recommended | $0.12 |
c8g.large | $0.12 |
m8gn.large | $0.12 |
i8g.2xlarge | $0.48 |
c8gd.8xlarge | $1.92 |
i8ge.metal-48xl | $3.02 |
m8gn.8xlarge | $1.92 |
c8g.xlarge | $0.24 |
c8g.8xlarge | $1.92 |
c8gd.xlarge | $0.24 |
Vendor refund policy
Usage is billed by AWS on a pay-as-you-go basis by the hour. The Debian 13 instance can be stopped or terminated at any time to stop incurring additional software charges. Refunds are not available once launched. To completely avoid future costs, ensure you terminate the instance and cancel your AWS Marketplace subscription.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (Arm) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
[Release v16JUN26] ClearImages Debian 13 stage build (arm64). CIS Level 1 hardening, IMDSv2 enforced, SSM + CloudWatch agents pre-installed.
Additional details
Usage instructions
- Launch via AWS Marketplace 1-Click or EC2 console.
- Select t4g.small or larger. Ensure your security group allows inbound SSH (port 22) from your IP.
- Connect via SSH: ssh -i your-key.pem admin@<public-ip> Or use SSM Session Manager from the EC2 console (no SSH key required).
Resources
Vendor resources
Support
Vendor support
Email support for this AMI is available through the following: https://clearscale.com/clearimages/support OR clearimages-support@clearscale.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Customer reviews
Hardened debian cluster has simplified edge load balancing and has reduced security maintenance
What is our primary use case?
We run a high-availability HAProxy cluster at the very edge of our infrastructure to route incoming traffic to our app tiers. It's a classic active/passive setup using Keepalived with a floating virtual IP (VIP) to handle instant failover. Debian is our absolute go-to for anything network-heavy like this because of its stability, and we use this pre-hardened image as the base for the nodes in the cluster.
How has it helped my organization?
Honestly, it just took a massive chunk of recurring maintenance off our plate. Because our load balancers are directly exposed to public traffic, we used to spend a significant amount of time updating Packer templates, patching packages, and double-checking CIS compliance rules. Switching to this AMI meant the hardening was already baked in and kept up-to-date by ClearScale. Our security audits are now a breeze because we don't have to defend our own custom OS tweaks anymore.
What is most valuable?
Debian 's core stability under massive network stress has been the real highlight. Running high-throughput load balancers requires predictable TCP performance and zero memory leaks. This image is incredibly clean with no background bloatware eating up memory or CPU cycles, allowing HAProxy to run at maximum efficiency with super low latency. We didn't have to spend any time doing custom kernel or network-level tuning to get top-tier performance.
What needs improvement?
A slimmed-down 'minimal' build option for this Debian 13 release would be fantastic for minimizing the attack surface even further.
For how long have I used the solution?
We've been running ClearScale Debian in production for about six months. But our team has used Debian in general for over ten years.
Which solution did I use previously and why did I switch?
We used to spin up different vendors' Debian AMIs and run a massive Ansible playbook at launch to strip out packages, lock down SSH, and set up the local firewalls. It worked, but it was slow, fragile, and we had to constantly maintain the script as Debian evolved. We switched to this AMI to get that hardening out-of-the-box, which made our deployment workflows much faster and less prone to failures.
What's my experience with pricing, setup cost, and licensing?
Since we only run a small cluster of edge load balancers rather than a massive fleet of app servers, the hourly license premium is basically a rounding error on our AWS bill. For critical gateway infrastructure, paying a few cents extra per hour to have a verified hardened base OS is extremely cheap insurance.
Which other solutions did I evaluate?
We considered a few routes: sticking with the standard AWS AMIs and building our own Packer pipeline, or evaluating older Ubuntu releases. We stuck with Debian because of its reputation for rock-solid networking, and chose the ClearScale version because the math made sense. Their hourly markup is way cheaper than having our senior engineers build, test, and audit custom base images ourselves.
What other advice do I have?
If you are setting up Keepalived for high availability, remember to explicitly allow VRRP protocol in your firewall config before starting the service. If you don't, both of your HAProxy nodes will think they are the active master and you'll end up with a split-brain scenario. Once you have that rule in place, it’s a beautifully quiet and stable setup.

