AWS Marketplace
Providers Guide

Best Practices for Building AMIs

All AMIs built and submitted to AWS Marketplace must adhere to all product policies. To share your AMI and verify that it meets all AWS Marketplace requirements, use the self-service AMI scanning tool. The following are some best practices and references to help you build AMIs.

Rights

You are responsible for securing resell rights for non-free Linux distributions, with the exception of AWS-provided Amazon Linux, RHEL, SUSE, and Windows AMIs.

Building an AMI

  • Ensure that your AMI meets all AWS Marketplace policies, including disabling root login.

  • Create your AMI in the US East (N. Virginia) Region.

  • Create products from existing, well-maintained AMIs backed by Amazon EBS with a clearly defined life cycle provided by trusted, reputable sources such as AWS Marketplace.

  • Build AMIs using the most up-to-date operating systems, packages, and software.

  • All AMIs must start with a public AMI that uses hardware virtual machine (HVM) virtualization and 64-bit architecture.

  • Develop a repeatable process for building, updating, and republishing AMIs.

  • Use a consistent OS username across all versions and products. We recommend ec2-user.

  • Configure a running instance from your final AMI to the end-user experience you want and test all installation, features, and performance before submission to AWS Marketplace.

  • Ensure that for Linux-based AMIs a valid SSH port is open (default is 22) and that for Windows-based AMIs an RDP port is open (default is 3389). WinRM (port 5985) must be open to 10.0.0.0/16.
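The following script is an added example, not AWS Marketplace tooling, showing how a pre-submission check for several of the bullets above can be automated. It takes one image record shaped like an entry from `aws ec2 describe-images` (here a constructed sample with a placeholder image ID) and the text of the instance's `sshd_config` (also a constructed sample), and reports findings for the Region, HVM, 64-bit, EBS-backed and public-base-AMI requirements and for root login not being disabled. The `ami-0123456789abcdef0` ID and the sample config values are assumptions for illustration.

```python
"""Pre-submission lint for an AMI against the Building an AMI checklist.

Added example, not AWS code. SAMPLE_IMAGE mirrors one Images[] entry from
`aws ec2 describe-images`; SAMPLE_SSHD_CONFIG stands in for the sshd_config
read from the candidate instance. Both are constructed.
"""
from typing import Dict, List

# Constructed sample image record (placeholder ImageId).
SAMPLE_IMAGE = {
    "ImageId": "ami-0123456789abcdef0",
    "Architecture": "x86_64",
    "VirtualizationType": "hvm",
    "RootDeviceType": "ebs",
    "Public": True,
    "State": "available",
}

# Constructed sample sshd_config; root login is not fully disabled here.
SAMPLE_SSHD_CONFIG = """
# Comments and blank lines are ignored by sshd
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
"""

# describe-images reports 64-bit images with these Architecture values.
SIXTY_FOUR_BIT = ("x86_64", "arm64")


def check_base_image(image: Dict, region: str) -> List[str]:
    """Return policy findings for the base AMI; an empty list means it passes."""
    findings = []
    if region != "us-east-1":
        findings.append(f"AMI must be created in us-east-1, not {region}")
    if image.get("VirtualizationType") != "hvm":
        findings.append("base AMI must use HVM virtualization")
    if image.get("Architecture") not in SIXTY_FOUR_BIT:
        findings.append("base AMI must be 64-bit")
    if image.get("RootDeviceType") != "ebs":
        findings.append("base AMI must be backed by Amazon EBS")
    if not image.get("Public"):
        findings.append("base AMI must start from a public AMI")
    return findings


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercased keyword -> value. sshd uses the first occurrence of a
    keyword, so later duplicates are ignored. Parsing stops at the first Match
    block, whose settings are conditional and need separate review."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip())
    return settings


def check_ssh_access(sshd_config: str, open_ports: List[int]) -> List[str]:
    """Check that root login is disabled and the SSH port is reachable."""
    settings = parse_sshd_config(sshd_config)
    findings = []
    # OpenSSH defaults to prohibit-password when the keyword is absent; the
    # Marketplace policy requires root login to be disabled outright.
    if settings.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin must be 'no'")
    ssh_port = int(settings.get("port", "22"))
    if ssh_port not in open_ports:
        findings.append(f"SSH port {ssh_port} is not open in the security group")
    return findings


def lint_ami(image: Dict, region: str, sshd_config: str, open_ports: List[int]) -> List[str]:
    """Combine both checks into one findings list for the submission review."""
    return check_base_image(image, region) + check_ssh_access(sshd_config, open_ports)


if __name__ == "__main__":
    for finding in lint_ami(SAMPLE_IMAGE, "us-east-1", SAMPLE_SSHD_CONFIG, [22]):
        print("FINDING:", finding)
```

Run against a real candidate by feeding it the `Images[0]` object from `describe-images`, the Region you built in, the `sshd_config` copied off the instance, and the inbound ports from its security group; a clean submission produces no findings.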

Resources:

Creating Your Own AMI in the Amazon EC2 User Guide for Linux Instances

Creating a Custom Windows AMI in the Amazon EC2 User Guide for Windows Instances

How do I create an Amazon Machine Image (AMI) from an EBS-backed Windows instance?

Amazon Linux AMI

Amazon EC2 Instance Types and Instance Types

Securing an AMI

  • Architect your AMI to deploy as a minimum installation to reduce the attack surface. Disable or remove unnecessary services and programs.

  • Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Sockets Layer (SSL) to secure HTTP sessions between you and your customers. Ensure that your service uses only valid and up-to-date certificates.

  • Use security groups to control inbound traffic access to your instance. Ensure that your security groups are configured to allow access only to the minimum set of ports required to provide necessary functionality for your services. Allow administrative access only to the minimum set of ports and source IP address ranges necessary.

  • Consider performing a penetration test against your AWS computing environment at regular intervals, or consider employing a third party to conduct such tests on your behalf. For more information, including a penetration-testing request form, see AWS Penetration Testing.

  • Be aware of the top 10 vulnerabilities for web applications and build your applications accordingly. To learn more, visit Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks. When new Internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database.
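The security-group bullet above and the SSH/RDP/WinRM port requirements in the Building an AMI section can be reviewed together before submission. The script below is an added example, not AWS tooling: it takes a rule list shaped like the `IpPermissions` of one group from `aws ec2 describe-security-groups` (a constructed sample here, using documentation address ranges), a set of ports the product actually needs, and the source ranges approved for administrative access, and reports rules that open ports beyond that minimum or expose an administrative port to sources outside the approved ranges. The required-port set `{443}` and the approved admin range `10.0.0.0/16` (taken from the WinRM requirement) are assumptions for the sample.

```python
"""Review inbound security-group rules for least-privilege exposure.

Added example, not AWS code. SAMPLE_RULES is a constructed IpPermissions list
in the shape returned by `aws ec2 describe-security-groups`.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set

# Administrative ports named in the guide (SSH, RDP, WinRM).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}

# Constructed sample: HTTPS to the world, SSH to the world, WinRM to the
# required 10.0.0.0/16 range, and an all-traffic rule from a documentation range.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5985, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
]


def _cidrs(rule: Dict) -> Iterable[str]:
    """Yield every IPv4 and IPv6 source CIDR attached to a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _within(cidr: str, approved: List[str]) -> bool:
    """True if cidr lies entirely inside one of the approved source ranges.
    strict=False tolerates CIDRs written with host bits set."""
    net = ip_network(cidr, strict=False)
    for a in approved:
        allowed = ip_network(a, strict=False)
        if allowed.version == net.version and net.subnet_of(allowed):
            return True
    return False


def review_ingress(rules: List[Dict], required_ports: Set[int], admin_sources: List[str]) -> List[str]:
    """Return findings for rules that exceed the minimum required exposure."""
    findings: List[str] = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto == "-1":
            # -1 means every protocol and every port.
            for cidr in _cidrs(rule):
                findings.append(f"all protocols and ports open to {cidr}")
            continue
        if proto not in ("tcp", "udp"):
            # ICMP and other protocols carry type/code in the port fields and
            # fall outside this port-based review.
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        # Ports in the range that are neither product ports nor admin ports.
        extra = [p for p in range(lo, hi + 1) if p not in required_ports and p not in ADMIN_PORTS]
        for cidr in _cidrs(rule):
            if extra:
                findings.append(
                    f"{proto}/{lo}-{hi} from {cidr} opens {len(extra)} port(s) the product does not require"
                )
            # Admin ports may only be reachable from the approved ranges.
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi and not _within(cidr, admin_sources):
                    findings.append(f"{proto}/{port} ({name}) open to {cidr}; restrict to approved admin ranges")
    return findings


if __name__ == "__main__":
    for finding in review_ingress(SAMPLE_RULES, {443}, ["10.0.0.0/16"]):
        print("FINDING:", finding)
```

Against the sample, the HTTPS and WinRM rules pass, the world-open SSH rule and the all-traffic rule are reported. Feeding the script a group's real `IpPermissions` and the product's documented port list gives a repeatable check to run every time the AMI is rebuilt.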

Resources: