Best practices for shared Windows AMIs - Amazon Elastic Compute Cloud

Best practices for shared Windows AMIs

Use the following guidelines to reduce the attack surface and improve the reliability of the AMIs you create.

  • No list of security guidelines can be exhaustive. Build your shared AMIs carefully and take time to consider where you might expose sensitive data.

  • Develop a repeatable process for building, updating, and republishing AMIs.

  • Build AMIs using the most up-to-date operating systems, packages, and software.

  • For instances launched from current generation AMIs, ensure that the latest launch agent is installed. For more information, see Configure launch settings for Amazon EC2 instances.

    For legacy instances running Windows Server versions earlier than Windows Server 2016, see Install the latest version of EC2Config. However, we recommend that you migrate to an AMI with an operating system version that supports the latest launch agent (Windows Server 2016 and later).

  • Verify the settings for your launch agent to ensure that you've set your administrative account password, that Windows is activated, and that user data is handled. Settings vary by agent, as follows:

    • EC2Launch v2 – Configure the following tasks: setAdminAccount and activateWindows. User data is handled by default.

    • EC2Launch v1 – Configure the following settings: adminPasswordType and handleUserData. Activation runs by default.

    • EC2Config – Enable the following settings: Ec2SetPassword, Ec2WindowsActivate, and Ec2HandleUserData.

  • Verify that no guest accounts or Remote Desktop user accounts are present.

  • Disable or remove unnecessary services and programs to reduce the attack surface of your AMI.

  • Remove instance credentials, such as your key pair, from the AMI (if you saved them on the AMI). Store the credentials in a safe location.

  • Ensure that the administrator password and the passwords on any other accounts are set to values that are appropriate for sharing. Anyone who launches your shared AMI can use these passwords.

  • Test your AMI before you share it.
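The checklist above can be turned into a repeatable pre-share audit that you run on the build instance before you create the image. The following PowerShell script is an added example, not code from the Amazon EC2 documentation or from the launch agents themselves. It assumes the agents' default configuration file locations (`agent-config.yml` for EC2Launch v2, `LaunchConfig.json` for EC2Launch v1, `config.xml` for EC2Config) and the field names given in the list above; adjust the paths if your installation differs. It only reports findings and changes nothing.

```powershell
# Pre-share audit for a Windows AMI build instance (added example, not AWS code).
# Run in an elevated PowerShell session on the instance you are about to image.
# Configuration paths are the agents' default locations and are assumptions here.

function Invoke-AmiPreShareAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Launch-agent settings: admin password, activation and user-data handling.
    $v2Config  = 'C:\ProgramData\Amazon\EC2Launch\config\agent-config.yml'          # assumed default path
    $v1Config  = 'C:\ProgramData\Amazon\EC2-Windows\Launch\Config\LaunchConfig.json' # assumed default path
    $ec2Config = 'C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml'      # assumed default path

    if (Test-Path $v2Config) {
        # EC2Launch v2: the tasks are listed as "- task: <name>" entries in the YAML.
        $yaml = Get-Content -Path $v2Config -Raw
        foreach ($task in 'setAdminAccount', 'activateWindows') {
            if ($yaml -notmatch "task:\s*$task\b") {
                $findings.Add("EC2Launch v2: task '$task' is not configured in $v2Config")
            }
        }
    }
    elseif (Test-Path $v1Config) {
        # EC2Launch v1: JSON settings; adminPasswordType must not be left at DoNothing.
        $cfg = Get-Content -Path $v1Config -Raw | ConvertFrom-Json
        if ($cfg.adminPasswordType -notin @('Random', 'Specify')) {
            $findings.Add("EC2Launch v1: adminPasswordType is '$($cfg.adminPasswordType)'; expected Random or Specify")
        }
        if (-not $cfg.handleUserData) {
            $findings.Add('EC2Launch v1: handleUserData is not enabled')
        }
    }
    elseif (Test-Path $ec2Config) {
        # EC2Config: each plugin has a Name and a State (Enabled/Disabled) element (assumed layout).
        [xml]$xml = Get-Content -Path $ec2Config
        foreach ($name in 'Ec2SetPassword', 'Ec2WindowsActivate', 'Ec2HandleUserData') {
            $plugin = $xml.Ec2ConfigurationSettings.Plugins.Plugin | Where-Object { $_.Name -eq $name }
            if ($null -eq $plugin -or $plugin.State -ne 'Enabled') {
                $findings.Add("EC2Config: plugin '$name' is not enabled")
            }
        }
    }
    else {
        $findings.Add('No launch agent configuration found; install the latest launch agent before imaging')
    }

    # 2. Guest account and Remote Desktop user accounts must not be present.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings.Add('Guest account is enabled')
    }
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Remote Desktop Users member present: $($_.Name)") }

    # 3. Every enabled local account must have a password set.
    Get-LocalUser | Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordLastSet) } |
        ForEach-Object { $findings.Add("Account '$($_.Name)' is enabled without a required password") }

    # 4. Leftover key material (for example a downloaded key pair) must not ship in the image.
    Get-ChildItem -Path 'C:\Users', 'C:\' -Recurse -Depth 3 -Include '*.pem', '*.ppk' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Private key file found: $($_.FullName)") }

    return $findings
}

$result = Invoke-AmiPreShareAudit
if ($result.Count -eq 0) {
    Write-Output 'No findings; image can proceed to testing.'
}
else {
    Write-Output 'Resolve the following before sharing the AMI:'
    $result | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

The script exits non-zero when it has findings, so it can sit as the last step of an image-build pipeline and block the create-image step; it does not replace testing the AMI by launching it, which still needs to happen before you share.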