Best practices for building AMIs - AWS Marketplace

Best practices for building AMIs

All Amazon Machine Images (AMIs) built and submitted to AWS Marketplace must adhere to all AWS Marketplace product policies. To share your AMI and verify that it meets all AWS Marketplace requirements, use the self-service AMI scanning tool. This page provides some best practices and references to help you build AMIs.


You are responsible for securing resell rights for non-free Linux distributions, with the exception of AWS-provided Amazon Linux, RHEL, SUSE, and Windows AMIs.

Building an AMI

Use the guidelines for building AMIs:

  • Ensure that your AMI meets all AWS Marketplace policies, including disabling root login.

  • Create your AMI in the US East (N. Virginia) Region.

  • Create products from existing, well-maintained AMIs backed by Amazon Elastic Block Store (Amazon EBS) with a clearly defined life cycle provided by trusted, reputable sources such as AWS Marketplace.

  • Build AMIs using the most up-to-date operating systems, packages, and software.

  • Ensure that all AMIs must start with a public AMI that uses hardware virtual machine (HVM) virtualization and 64-bit architecture.

  • Develop a repeatable process for building, updating, and republishing AMIs.

  • Use a consistent operating system (OS) user name across all versions and products. We recommend ec2-user.

  • Configure a running instance from your final AMI to the end-user experience you want and test all installation methods, features, and performance before submission to AWS Marketplace.

  • Check port settings.

    • For Linux-based AMIs, ensure that a valid SSH port is open. The default is 22.

    • For Windows-based AMIs, ensure that an RDP port is open. The default is 3389. Also, the WinRM port (5985 by default) must be open to


Creating Your Own AMI in the Amazon EC2 User Guide for Linux Instances

Creating a Custom Windows AMI in the Amazon EC2 User Guide for Windows Instances

How do I create an Amazon Machine Image (AMI) from an EBS-backed Windows instance?

Amazon Linux AMI

Amazon EC2 Instance Types and Instance Types

Securing an AMI

The following guidelines are recommended for creating secure AMIs:

  • Architect your AMI to deploy as a minimum installation to reduce the attack surface. Disable or remove unnecessary services and programs.

  • Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Sockets Layer (SSL) to secure HTTP sessions between you and your buyers. Ensure that your service uses only valid and up-to-date certificates.

  • Use security groups to control inbound traffic access to your instance. Ensure that your security groups are configured to allow access only to the minimum set of ports required to provide necessary functionality for your services. Allow administrative access only to the minimum set of ports and source IP address ranges necessary.

  • Consider performing a penetration test against your AWS computing environment at regular intervals; or, consider employing a third party to conduct such tests on your behalf. For more information, including a penetration-testing request form, see AWS Penetration Testing.

  • Be aware of the top 10 vulnerabilities for web applications, and build your applications accordingly. To learn more, visit Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks. When new internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database.