AdvLab4: Building Golden AMI

Author: Dean Suzuki (Last Updated: 4/1/20)


In the cloud with the Infrastructure as Code (IaC) model, many customers are rebuilding their infrastructure on a continuous basis as new releases are deployed.

To facilitate this process, customers build a golden Amazon Machine Image (AMI) that is used as a basis to build other servers. The process to build this golden AMI usually starts by taking an AMI which has the base operating system and adding the necessary build components (e.g. security, compliance, and security tools) as required by the organization. Once this image is built, then the image is run through a series of tests to validate that the image performs as expected. Then, when new updates to the operating system, agents, or tools on the AMI are released, then this build and test process can be repeated.

EC2 Image Builder was created to help customers with this process (shown below). You start with a source image (AMI). You add components and configurations to build the image. Then, you can specify test components to test the image. Next, the image can be distributed to the appropriate AWS regions or AWS accounts. The process can be repeated as necessary. Please note that all Image Builder operations occur within your account. To learn more about EC2 Image Builder, please see this RE:Invent 2019 presentation (here).

Some common scenarios where EC2 Image Builder is used are:

  • To use images that were created on-premises as the starting point and build upon them in AWS. You will need to use the AWS VM Import/Export tool to import the image into AWS.

  • When you have a central team building the golden AMI which meets the company security and compliance standards. Then, they share this AMI with other teams. Other teams can use this golden AMI and build their own EC2 Image Builder pipeline to add their business app and test scenarios to build their own app AMI.

  • To build a golden AMI that will be used in AWS as well as on-premises. To export the AMI to on-premises, use the VM Import/Export tool.


The lab requires a base VPC that exists.

Build the Golden AMI

In this hands-on lab, you will walkthrough and build your own AMI pipeline using EC2 Image Builder.

  1. Open the AWS Console. Type Image Builder into the services search box and go to the EC2 Image Builder console.

  2. Make sure that you are in the “N. Virginia” region in the upper right. If not, change the region to N. Virginia.

  3. On Image Builder screen, select Create image pipeline

  4. Under Source Image, select Windows.

  5. Select Browse Images button.

  6. Review the list of images provided by Amazon. Notice that next to the search box, you can search for images Created by me and Shared with me as well.

  7. Select the Windows Server 2019 English Full Base image. At the time of the lab, it was on the 3rd page. Pick Choose.

  8. Select Always build latest version. Notice that when you select it, it puts a x.x.x at the end of the image so that image builder will use the latest version of that image.

  9. Under Build components, select Browse build components. This is where you specify what you want to build on the base image. AWS provides some out of the box build components that are shown on this screen. You can also create your own Build components. For more information on building your own build components, please see the AWS documentation (here)

  10. Select the following two build components: update-windows and stig-build-windows-medium.

  11. Select Choose.

  12. Select Browse test. In this option, you can specify what tests that you want to perform on the image after the build components were installed. AWS provides some out of the box tests. You can also create your own test components.

  13. Select inspector-test-windows. Click Choose.

  14. Press Next.

  15. On the Configure pipeline page,

    a. For Name: ECImageBuilder-Test

    b. For IAM role, select Create new instance profile role. You will need to create an IAM role to give the appropriate rights to the EC2 instance to perform the Image Builder pipeline tasks.

    c. On the IAM screen, select Roles.

    d. Select Create role button.

    e. Select AWS service. Then EC2. Press Next.

    f. Search and select EC2InstanceProfileForImageBuilder.

    g. Search and select AmazonSSMManagedInstanceCore.

    h. Press Next.

    i. On Add tag, press Next.

    j. For Role name: EC2ImageBuilder-Role.

    k. Select Create role.

  16. Switch back to the EC2 Image Builder tab, select the EC2ImageBuilder-Role that you just created. You may need to hit the refresh button for it to show up.

  17. Under Build Schedule, explore the schedule options at which to rerun the build pipeline. For this lab, select Schedule builder and set it to a time.

  18. Under Infrastructure settings – optional, review the optional settings. Press Next.

  19. Under Output AMI, enter: Windows2019-AMI.

  20. Review the other settings on the screen, press Review.

  21. Press Create Pipeline.

  22. On the next screen, select the pipeline that you created and then select Actions > Run Pipeline.

  23. Open a new tab in the browser and go to the System Manager console.

  24. Select Automation in the left hand menu. You should see the Image Builder process running.

  25. Select the in progress execution item. You will see the job running.

  26. The process will take about 20-25 minutes to complete. This is a good time to take a break. After the pipeline finishes, you should see something similar to below.

  27. Open a tab to the EC2 console. Select AMIs in the left hand navigation. You should see your new AMI. In the lab, you named it Windows-2019-AMI-. Notice that EC2 Image Builder appends the date/time suffix to the name.


You have just used EC2 Image Builder to automate the build of a Golden AMI. As you experienced, you could schedule this pipeline to occur on a recurring basis (e.g. Every Wednesday at 11:30 UTC). You can also created your own custom build and test components that are used in the pipeline.