Best practices for building AMIs - AWS Marketplace

Best practices for building AMIs

This topic provides some best practices and references to help you build Amazon Machine Images (AMIs) for use with AWS Marketplace. AMIs built and submitted to AWS Marketplace must adhere to all AWS Marketplace product policies.

Verifying your AMI

To help verify your AMI before submitting it as a new product or version, you can use self-service scanning.

From the AWS Marketplace Management Portal, choose Amazon Machine Image from the Assets menu. Click Add AMI to start the scanning process. You can see the scan status of AMIs by returning to this page.

Note

To learn about giving AWS Marketplace access to your AMI, see Giving AWS Marketplace access to your AMI.

Securing resell rights

You are responsible for securing resell rights for non-free Linux distributions, with the exception of AWS-provided Amazon Linux, RHEL, SUSE, and Windows AMIs.

Building an AMI

Use the following guidelines for building AMIs:

  • Ensure that your AMI meets all AWS Marketplace policies, including disabling root login.

  • Create your AMI in the US East (N. Virginia) Region.

  • Create products from existing, well-maintained AMIs backed by Amazon Elastic Block Store (Amazon EBS) with a clearly defined lifecycle provided by trusted, reputable sources such as AWS Marketplace.

  • Build AMIs using the most up-to-date operating systems, packages, and software.

  • Ensure that all AMIs must start with a public AMI that uses hardware virtual machine (HVM) virtualization and 64-bit architecture.

  • Develop a repeatable process for building, updating, and republishing AMIs.

  • Use a consistent operating system (OS) user name across all versions and products. We recommend ec2-user.

  • Configure a running instance from your final AMI to the end-user experience you want, and test all installation methods, features, and performance before submission to AWS Marketplace.

  • Check port settings as follows:

    • Linux-based AMIs – Ensure that a valid SSH port is open. The default SSH port is 22.

    • Windows-based AMIs – Ensure that an RDP port is open. The default RDP port is 3389. Also, the WinRM port (5985 by default) must be open to 10.0.0.0/16.

For more information about creating an AMI, see the following resources:

Creating Your Own AMI in the Amazon EC2 User Guide for Linux Instances

Creating a Custom Windows AMI in the Amazon EC2 User Guide for Windows Instances

How do I create an Amazon Machine Image (AMI) from an EBS-backed Windows instance?

Amazon Linux AMI

Amazon EC2 Instance Types and Instance Types

Verifying your software is running on your AWS Marketplace AMI

You may wish to have your software verify at runtime that it is running on an Amazon EC2 instance created from your AMI product.

To verify the Amazon EC2 instance is created from your AMI product, use the instance metadata service built into Amazon EC2. The following steps take you through this validation. For more information about using the metadata service, see Instance metadata and user data in the Amazon Elastic Compute Cloud User Guide.

  1. Obtain the instance identity document

    Each running instance has an identity document accessible from the instance that provides data about the instance itself. The following example shows using curl from the instance to retrieve the instance identity document.

    curl http://169.254.169.254/latest/dynamic/instance-identity/document { "accountId" : "0123456789", "architecture" : "x86_64", "availabilityZone" : "us-east-1e", "billingProducts" : null, "devpayProductCodes" : null, "marketplaceProductCodes" : [ "0vg0000000000000000000000" ], "imageId" : "ami-0123456789abcdef1", "instanceId" : "i-0123456789abcdef0", "instanceType" : "t2.medium", "kernelId" : null, "pendingTime" : "2020-02-25T20:23:14Z", "privateIp" : "10.0.0.2", "ramdiskId" : null, "region" : "us-east-1", "version" : "2017-09-30" }
  2. Verify the instance identity document

    You can verify that the instance identity is correct using the signature. For details about this process, see Instance identity documents in the Amazon Elastic Compute Cloud User guide.

  3. Verify the product code

    When you initially submit your AMI product for publishing, your product is assigned a product code by AWS Marketplace. You can verify the product code by checking the marketplaceProductCodes field in the instance identity document, or you can get it directly from the metadata service:

    curl http://169.254.169.254/latest/meta-data/product-codes 0vg0000000000000000000000

    If the product code matches the one for your AMI product, then the instance was created from your product.

You may also wish to verify other information from the instance identity document, such as the instanceId and the instance privateIp.

Securing an AMI

We recommend the following guidelines for creating secure AMIs:

  • Architect your AMI to deploy as a minimum installation to reduce the attack surface. Disable or remove unnecessary services and programs.

  • Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Sockets Layer (SSL) to secure HTTP sessions between you and your buyers. Ensure that your service uses only valid and up-to-date certificates.

  • When adding a new version to your AMI product, configure security groups to control inbound traffic access to your instance. Ensure that your security groups are configured to allow access only to the minimum set of ports required to provide necessary functionality for your services. Allow administrative access only to the minimum set of ports and source IP address ranges necessary. For more information about how to add a new version to your AMI product, see Adding a new version.

  • Consider performing a penetration test against your AWS computing environment at regular intervals, or consider employing a third party to conduct such tests on your behalf. For more information, including a penetration testing request form, see AWS Penetration Testing.

  • Be aware of the top 10 vulnerabilities for web applications, and build your applications accordingly. To learn more, see Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks. When new internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database.

For more information related to security, see the following resources: