What is EC2 Image Builder?
EC2 Image Builder simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows images for use with Amazon EC2 and on-premises.
What are the benefits of the Image Builder?
Improved IT productivity
EC2 Image Builder simplifies the process to build, maintain, and deploy secure and compliant images without the need to write and maintain automation code. Offloading the automation to Image Builder frees up resources and saves IT time.
Simpler to secure
EC2 Image Builder allows you to create images with only the essential components, reducing your exposure to security vulnerabilities. You can also apply Amazon Web Services-provided security settings to further secure your images to meet internal security criteria.
Simple image management for both Amazon Web Services and on-premises
EC2 Image Builder in conjunction with Amazon VM Import/Export (VMIE) allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF).
Built-in validation support
EC2 Image Builder allows you to easily validate your images with Amazon Web Services-provided tests and your own tests before using them in production. Doing so reduces errors found in images normally caused by insufficient testing that can lead to downtime. Policies can be set that deploy the images to specific Amazon Web Services China regions only after they pass tests that you specify.
Centralized policy enforcement
EC2 Image Builder enables version control for easy revision management. Image Builder also enables Information Security and IT teams to better enforce policies and compliance on images.
How do I get started with using the Image Builder?
You can use the Image Builder with the Amazon Web Services console, Amazon CLI, or APIs to create images in your own Amazon Web Services account. When used with the Amazon Web Services console, Image Builder provides a step-by-step wizard that covers the following steps:
- Step 1: Provide a base OS image
- Step 2: Select software for installation
- Step 3: Select and run tests
- Step 4: Distribute images to selected regions
The images you built are in your Amazon Web Services account and can be configured to be patched on an ongoing basis. You can monitor the progress and have CloudWatch events notify you for troubleshooting and debugging. In addition to producing your final image, Image Builder also generates a “recipe” file that can be used with existing source-code version control systems and CI/CD pipelines for repeatable automation.
Which image formats does the Image Builder support?
EC2 Image Builder in conjunction with Amazon VM Import/Export (VMIE) allows you to create and maintain golden images for Amazon EC2 (AMI) as well as on-premises VM formats (VHDX, VMDK, and OVF). You can use the following formats as a starting point of your image build process: a) an ID or resource alias of an existing AMI; b) an image in the VMDK, VHDX, or OVF formats. The final image can be generated in the AMI, VHDX, VMDK, and OVF formats.
Which operating systems does the Image Builder support?
Image Builder supports:
- Amazon Linux 2
- Windows Server 2012R2, 2016, and 2019
- Ubuntu Server 16 and 18
- Red Hat Enterprise Linux (RHEL) 7 and 8
- Cent OS 7 and 8
- SUSE Linux Enterprise Server (SLES) 15
What is the output of Image Builder?
Image Builder will output a server image in the selected output image formats that are supported - AMI, VHDX, VMDK, and OVF. On-premises images can be downloaded from an S3 location provided by Image Builder using the UI console, API, and CLI.
What is an Image Builder recipe?
Image Builder recipe is a file that represents the final state of the images produced by automation pipelines and enables you to deterministically repeat builds. Recipes can be shared, forked, and edited outside the Image Builder UI. You can use your recipes with your version control software to maintain version-controlled recipes that you can use to share and track changes.
How is Image Builder priced?
Image Builder is offered at no cost, other than the cost of the underlying Amazon Web Services resources used to create, store, and share the images.
Ongoing patching for up-to-date images
How can I automatically build VM images that are up-to-date with the latest patches and updates?
New images can be configured to be generated based on triggers such as every time there is a pending update (e.g., source AMI updates, security updates, updates to compliance, new tests, etc.) or at a stipulated time cadence. You can specify a “build cadence” at which new golden images are produced with the latest changes by applying pending changes. The latest images can be tested with the Image Builder to validate your applications on the updated builds. You can also subscribe to notifications via SNS queues for pending updates to images built with the Image Builder. You can use these notifications as triggers to build new images.
Adding and removing software
How can I add/remove software in my VM images?
You can add and remove software to be included in your VM images from registered software sources such as RPM/Debian package repositories and MSIs and custom installers on Windows. In addition to pre-registered Amazon Web Services software sources, you can also register one or more of your repositories and Amazon S3 locations that contain software for installation. You can provide installer-specific “unattend” mechanisms (such as answers files) for installation workflows that need interactive input.
Preset settings towards meeting security and compliance requirements
How can I apply my internal IT policies to my images produced with Image Builder?
Image Builder allows you to define collections of security settings that you can edit, update, and use to harden your images built using Image Builder. These settings collections can be applied towards meeting applicable compliance criteria. These criteria may be mandated by your organization or by the regulatory authority in your industry. Amazon Web Services provides a gallery of settings to help meet popular industry regulations. You can apply collections of settings directly or in a modified form. For example, Amazon Web Services-provided settings for STIG closes non-essential open ports, and enables a software firewall.
Will using Image Builder ensure compliance with regulations such as SOC, PCI, etc.?
No, the collections of settings from Amazon Web Services represent recommended guidance towards achieving compliance and do not guarantee compliance. You will need to work with your compliance teams and auditors to validate compliance. The settings provided by Amazon Web Services can be modified based on your needs and saved for reuse in the gallery.
Can I capture settings vetted by my compliance team and reuse them for hardening of my VM images?
Collections of settings can be authored from scratch or derived from Amazon Web Services-provided templates and stored in a registered Amazon S3 location. You can build your own collections that apply security settings such as ensuring security patches are applied, installing firewall, closing certain ports, not allowing file sharing among programs, installing anti-malware, creating strong passwords, keeping a backup, using encryption when possible, disabling weak encryption, logging/audit controls, removal of personal data, etc. You can add your custom settings to the gallery.
How do I test my VM images?
The test framework in the Image Builder lets you catch incompatibilities introduced by OS updates before deployment to Amazon Web Services China regions. You can run both - Amazon Web Services-provided tests and your own tests, manage test runs, results, and gate downstream operations on the passing of tests. Examples of Amazon Web Services-provided tests include: testing if an AMI can boot to the login prompt, testing if an AMI can run a sample app, etc. You can also run your own tests on the images.
What does each test consist of in Image Builder?
Each test in Image Builder consists of a test script, a test binary, and test metadata. The test script contains orchestration commands to kick off the test binary that can be written in any language and in any test framework supported by in the OS (e.g., PowerShell on Windows and bash, python, ruby, etc. on Linux) and exit status codes denote test outcomes. Test metadata also includes attributes such as the name, description, paths to test binary, expected duration, etc.).
Distribution and sharing
How do I share AMIs across Amazon Web Services accounts?
Image Builder can modify AMI launch permissions to control which Amazon Web Services accounts besides the owner are allowed to launch EC2 VMs with the AMI (e.g., private, public, and share with specific accounts).
How do I distribute AMIs to Amazon Web Services China regions?
Image Builder can copy AMIs to selected Amazon Web Services China regions using existing AMI sharing mechanisms. The distribution can be gated on the passing of tests with Image Builder.
I already have a CI/CD pipeline to produce my images. How can I use it with Image Builder?
The Image Builder can integrate with Amazon CI/CD services such as Code Build to help actualize an end-to-end CI/CD pipeline for building, testing, and deploying AMIs.
How do I share my recipes across accounts?
Each recipe can be exported as a text file and can be shared outside Image Builder via version control systems.
Troubleshooting and debugging
How do I troubleshoot and debug issues with the Image Builder?
Image Builder tracks and displays the progress for each step in the image building process. In addition, Image Builder can be made to emits logs to S3. For advanced troubleshooting, you can run arbitrary commands and scripts using the SSM runCommand interface.