Best practices for building AMIs for use with AWS Marketplace
This topic provides best practices and references to help you build Amazon Machine Images (AMIs) for use with AWS Marketplace. AMIs built and submitted to AWS Marketplace must adhere to all AWS Marketplace product policies. For more information, see the following sections.
Topics
Securing resell rights
You are responsible for securing resell rights for non-free Linux distributions, with the exception of AWS-provided Amazon Linux, RHEL, SUSE, and Windows AMIs.
Building an AMI
Use the following guidelines for building AMIs:
-
Ensure that your AMI meets all AWS Marketplace policies, including disabling root login.
-
Create your AMI in the US East (N. Virginia) Region.
-
Create products from existing, well-maintained AMIs backed by Amazon Elastic Block Store (Amazon EBS) with a clearly defined lifecycle provided by trusted, reputable sources such as AWS Marketplace.
-
Build AMIs using the most up-to-date operating systems, packages, and software.
-
Ensure that all AMIs must start with a public AMI that uses hardware virtual machine (HVM) virtualization and 64-bit architecture.
-
Develop a repeatable process for building, updating, and republishing AMIs.
-
Use a consistent operating system (OS) user name across all versions and products. We recommend ec2-user.
-
Configure a running instance from your final AMI to the end-user experience you want, and test all installation methods, features, and performance before submission to AWS Marketplace.
-
Check port settings as follows:
-
Linux-based AMIs – Ensure that a valid SSH port is open. The default SSH port is 22.
-
Windows-based AMIs – Ensure that an RDP port is open. The default RDP port is 3389. Also, the WinRM port (5985 by default) must be open to 10.0.0.0/16 and 10.2.0.0/16.
-
For more information about creating an AMI, see the following resources:
-
Creating Your Own AMI in the Amazon EC2 User Guide
-
Creating a Custom Windows AMI in the Amazon EC2 User Guide
-
How do I create an Amazon Machine Image (AMI) from an EBS-backed instance?
Preparing and securing your AMI for AWS Marketplace
We recommend the following guidelines for creating secure AMIs:
-
Use the Guidelines for Shared Linux AMIs in the Amazon EC2 User Guide
-
Architect your AMI to deploy as a minimum installation to reduce the attack surface. Disable or remove unnecessary services and programs.
-
Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Sockets Layer (SSL) to secure HTTP sessions between you and your buyers. Ensure that your service uses only valid and up-to-date certificates.
-
When adding a new version to your AMI product, configure security groups to control inbound traffic access to your instance. Ensure that your security groups are configured to allow access only to the minimum set of ports required to provide necessary functionality for your services. Allow administrative access only to the minimum set of ports and source IP address ranges necessary. For more information about how to add a new version to your AMI product, see Add a new version.
-
Consider performing a penetration test against your AWS computing environment at regular intervals, or consider employing a third party to conduct such tests on your behalf. For more information, including a penetration testing request form, see AWS Penetration Testing
. -
Be aware of the top 10 vulnerabilities for web applications, and build your applications accordingly. To learn more, see Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks
. When new internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database .
For more information related to security, see the following resources:
Scanning your AMI for publishing requirements
To help verify your AMI before submitting it as a new product or version, you can use self-service scanning. The self-service scanner will check for unpatched common vulnerabilities and exposures (CVEs) and verify security best practices are followed. For more information, see Preparing and securing your AMI for AWS Marketplace
From the AWS Marketplace Management Portal, choose Amazon Machine Image from the Assets menu. Choose Add AMI to start the scanning process. You can see the scan status of AMIs by returning to this page.
Note
To learn about giving AWS Marketplace access to your AMI, see Giving AWS Marketplace access to your AMI.
Verifying your software is running on your AWS Marketplace AMI
You may wish to have your software verify at runtime that it is running on an Amazon EC2 instance created from your AMI product.
To verify the Amazon EC2 instance is created from your AMI product, use the instance metadata service built into Amazon EC2. The following steps take you through this validation. For more information about using the metadata service, see Instance metadata and user data in the Amazon Elastic Compute Cloud User Guide.
-
Obtain the instance identity document
Each running instance has an identity document accessible from the instance that provides data about the instance itself. The following example shows using curl from the instance to retrieve the instance identity document.
curl http://169.254.169.254/latest/dynamic/instance-identity/document { "accountId" : "0123456789", "architecture" : "x86_64", "availabilityZone" : "us-east-1e", "billingProducts" : null, "devpayProductCodes" : null, "marketplaceProductCodes" : [ "0vg0000000000000000000000" ], "imageId" : "ami-0123456789abcdef1", "instanceId" : "i-0123456789abcdef0", "instanceType" : "t2.medium", "kernelId" : null, "pendingTime" : "2020-02-25T20:23:14Z", "privateIp" : "10.0.0.2", "ramdiskId" : null, "region" : "us-east-1", "version" : "2017-09-30" }
-
Verify the instance identity document
You can verify that the instance identity is correct using the signature. For details about this process, see Instance identity documents in the Amazon Elastic Compute Cloud User guide.
-
Verify the product code
When you initially submit your AMI product for publishing, your product is assigned a product code by AWS Marketplace. You can verify the product code by checking the
marketplaceProductCodes
field in the instance identity document, or you can get it directly from the metadata service:curl http://169.254.169.254/latest/meta-data/product-codes 0vg0000000000000000000000
If the product code matches the one for your AMI product, then the instance was created from your product.
You may also wish to verify other information from the instance identity document, such as
the instanceId
and the instance privateIp
.