Build and keep your images up to date with AWS ImageBuilder
Often we need customized AMIs tailored to our requirements, and we have to create them based on the operating system and programs required. But what if, instead of doing this just for ourselves, we had to do it for our customers, and what if we have many customers? It would mean spending a lot of time creating, configuring and customizing images, as well as always having to be ready to check for and add newly available system updates.
All this can now be simplified. Announced at re:Invent 2019, EC2 ImageBuilder is a service available in all commercial AWS Regions that makes it easy and fast to build and update images for Amazon Linux 2 and Microsoft Windows Server. The images can be used both on EC2 and on-premises, since they can be produced in various formats such as VMDK, OVF, VHDX, etc. They can be hardened to comply with applicable InfoSec regulations and to operate in sectors governed by security policies, following the STIG (Security Technical Implementation Guide) guidelines. There are no costs for the service itself, only for the resources used to create, share and store the images.
The first thing to do is build a pipeline that is based on an image recipe.
The image recipe contains information regarding the Operating System, the components to be installed, including the possibility of installing system patches and software updates that may be released, and the tests to be performed on the image.
Let’s build the pipeline.
From the console homepage we click on Create Image Pipeline.
The first thing we are asked to choose is the type of operating system, Amazon Linux or Windows. Then we have to choose the base image by selecting a Managed Image or a custom AMI. Once the image has been selected we can tick Initiate a new image build when there are updates to your selected image version, so that the image creation pipeline starts as soon as updates are available for the chosen image.
Then we can select the components we want to include in the image. The components can be software to install, scripts to execute or settings to apply.
You can select those already made available by AWS or, by clicking on Create build Component, create your own.
To create a custom build component, first we have to choose the operating system it will be installed on, a name to assign to the component, an optional description, a version and a KMS key to encrypt the component. Finally there is the Definition document, which contains the YAML document defining the actions that ImageBuilder will perform in the new image.
In this case I chose to use the components made available by AWS choosing to install Docker Community Edition and Python 3.
As the last step concerning the recipe, we will be able to choose the tests to apply to the image to validate it. Also in this case we can create a custom test or choose from those already made available by AWS.
For this article I decided to choose the Simple boot test linux, the Reboot test linux and the Inspector test linux, which will respectively test the boot, test the reboot, and evaluate whether the image has vulnerabilities and follows best practices.
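As an added example (not from the original article or from AWS), here is what the Definition document of a custom build component could look like, covering both the component described above and the validation/test idea behind the test components: it installs Docker CE and Python 3 on Amazon Linux 2 in the build phase, checks the binaries before the AMI is created, and verifies the Docker service on an instance launched from the new AMI. Package names and the checks are assumptions; the document structure is the one ImageBuilder components use.

```yaml
# Added example: custom component definition document.
# Phases run in order: build (on the build instance), validate (same
# instance, before the AMI snapshot) and test (on a fresh instance
# launched from the new AMI). A non-zero exit code fails the build.
name: DockerAndPython3
description: Install Docker CE and Python 3 on Amazon Linux 2 and verify both
schemaVersion: 1.0
phases:
  - name: build
    steps:
      - name: InstallDocker
        action: ExecuteBash
        inputs:
          commands:
            - amazon-linux-extras install -y docker
            - systemctl enable docker
      - name: InstallPython3
        action: ExecuteBash
        inputs:
          commands:
            - yum install -y python3
  - name: validate
    steps:
      # Fails the build early so a broken image is never published.
      - name: CheckBinaries
        action: ExecuteBash
        inputs:
          commands:
            - docker --version
            - python3 --version
  - name: test
    steps:
      # Runs after boot of the new AMI; is-active exits non-zero if the
      # service did not come up.
      - name: DockerServiceRunning
        action: ExecuteBash
        inputs:
          commands:
            - systemctl is-active docker
            - python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'
```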
The next step is to configure the pipeline by assigning it a name, a description and a role that will be associated with the EC2 instance that builds the image. In this case I created a role with permissions to run the tests and install the selected components. One of the policies that we must use is AmazonSSMManagedInstanceCore, to enable AWS Systems Manager to perform the necessary operations. Depending on the components you choose to install, you must also grant the related permissions.
The pipeline can be started manually or scheduled by entering the start time of each day, a specific day of the week, a specific day of the month or using a CRON expression.
It is then possible to specify the type of instance used to customize the image (by default an m5.large instance is used) and an SNS topic for sending notifications about the start, completion and possible errors of the pipeline.
As optional settings it is possible to choose in which VPC to launch the instance, which subnet and security group to use, in which S3 bucket to save the logs and which key pair to use to connect to the instance.
If the image we are using is linked to a license, you can specify it or create a new license configuration.
Afterwards we will have to choose the name and the tags to be given to the image, in which region to distribute the image, whether to make it private or public and specify any account numbers with which to share it.
The fourth step is the review of the pipeline: if everything is configured as we want, we can proceed with the creation by clicking on Create Pipeline.
In this article I chose to launch the pipeline automatically every first day of the month at 2:00 AM, but it is possible to start the pipeline manually by selecting Run pipeline from the Action menu.
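The same pipeline configured above through the console, written as an added CloudFormation example (not part of the original article): a recipe with the two AWS-managed components and the three tests, an infrastructure configuration with the instance profile, instance type, network, SNS topic and log bucket, and a pipeline scheduled for the first day of each month at 02:00 that only builds when updates are available. ARNs, names and IDs are placeholders to replace; the distribution configuration is omitted.

```yaml
# Added example: CloudFormation resources for the pipeline described above.
# All REGION/ACCOUNT/PLACEHOLDER values are assumptions to replace.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Recipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: docker-python-al2
      Version: 1.0.0
      # x.x.x selects the latest version of the managed image/components
      ParentImage: arn:aws:imagebuilder:REGION:aws:image/amazon-linux-2-x86/x.x.x
      Components:
        - ComponentArn: arn:aws:imagebuilder:REGION:aws:component/docker-ce-linux/x.x.x
        - ComponentArn: arn:aws:imagebuilder:REGION:aws:component/python-3-linux/x.x.x
        - ComponentArn: arn:aws:imagebuilder:REGION:aws:component/simple-boot-test-linux/x.x.x
        - ComponentArn: arn:aws:imagebuilder:REGION:aws:component/reboot-test-linux/x.x.x
        - ComponentArn: arn:aws:imagebuilder:REGION:aws:component/inspector-test-linux/x.x.x
  Infra:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: docker-python-infra
      InstanceProfileName: ImageBuilderInstanceProfile  # role must attach AmazonSSMManagedInstanceCore
      InstanceTypes: [m5.large]
      SubnetId: subnet-PLACEHOLDER
      SecurityGroupIds: [sg-PLACEHOLDER]
      SnsTopicArn: arn:aws:sns:REGION:ACCOUNT:imagebuilder-notifications
      TerminateInstanceOnFailure: true
      Logging:
        S3Logs:
          S3BucketName: my-imagebuilder-logs-PLACEHOLDER
          S3KeyPrefix: docker-python
  Pipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: docker-python-pipeline
      ImageRecipeArn: !Ref Recipe
      InfrastructureConfigurationArn: !Ref Infra
      ImageTestsConfiguration:
        ImageTestsEnabled: true
        TimeoutMinutes: 90
      Schedule:
        # 02:00 (UTC by default) on day 1 of every month; the start
        # condition skips the build when no base image or component update exists
        ScheduleExpression: cron(0 2 1 * ? *)
        PipelineExecutionStartCondition: EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE
      Status: ENABLED
```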
Once the pipeline is started, we will receive a message if we are subscribed to the SNS topic.
Once the build has completed, the AMI will be ready to launch from the EC2 console.
ImageBuilder is a tool that will save us a lot of work and many sleepless nights, requiring only a few initial configuration steps.