Building AWS Golden Image with EC2 Image Builder


Overview:

EC2 Image Builder is a fully managed and automated AWS service for the creation, management, and deployment of customized images. It also simplifies the automation needed to build and distribute golden images that conform to the organization's security standards. Image Builder pipelines can be configured to build images on a schedule and/or whenever the source image is updated.

Pricing:

Image Builder is offered at no cost, except for the cost of using underlying AWS resources like EC2 instances, AWS Inspector, S3 to create, test and store images.

How it works

Image Builder lets you create an automated pipeline and all of its related configuration for building images using the AWS console, the AWS CLI, or the APIs.


The automated pipeline executes the following steps:

  1. Source image: Select the source image defined in the image recipe and launch the Image Builder build instance.
  2. Customize software on the source image: Install software on the source image. These installations are defined as build components in the image recipe, and at least one build component is required. Examples of customized software include 1/ applications (build environments, business productivity tools, and databases), 2/ OS updates, 3/ security patches.
  3. Secure the image: Select AWS-managed templates, or create and use custom templates, to harden images. These can be added as build components in an image recipe.
  4. Test the image: Run tests on the new image to ensure stability. Tests appear as test components in an image recipe and are optional. Examples of tests include: 1/ test that the AMI can boot, 2/ test that a sample application can run, 3/ test that a specific patch has been applied, 4/ test the security policy.
  5. Distribute the customized image: Share the AMI with other AWS regions and accounts using the distribution configuration of the image pipeline.
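The five steps above wired together from the AWS CLI, as an added example that is not from the post or from AWS. A single component document covers steps 2 to 4 (a build phase that applies OS updates and enables auditd, a validate phase that fails the build if the hardening did not apply, and a test phase that runs on the finished AMI); the recipe, infrastructure, distribution and pipeline calls cover steps 1 and 5. The region, resource names, the parent-image ARN and the EC2InstanceProfileForImageBuilder instance profile are assumptions to adapt. The AWS calls run only when RUN_AWS=1 is set, so the script can be read, and the component document generated, without credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the post or from AWS): a golden-image pipeline for
# Amazon Linux 2 driven entirely from the AWS CLI. Region, names, the parent
# image ARN and the instance profile below are assumed values to adapt.
set -euo pipefail

REGION="${AWS_REGION:-us-east-1}"                               # assumption
COMPONENT_DOC="${COMPONENT_DOC:-${TMPDIR:-/tmp}/harden-al2.yaml}"
PARENT_IMAGE="arn:aws:imagebuilder:${REGION}:aws:image/amazon-linux-2-x86/x.x.x"  # x.x.x = latest
INSTANCE_PROFILE="EC2InstanceProfileForImageBuilder"             # assumed to exist

# Steps 2-4: build (customize + harden), validate (on the build instance),
# test (on an instance launched from the new AMI). Writes the document and
# returns its path.
write_component_doc() {
  cat > "$COMPONENT_DOC" <<'EOF'
name: HardenAmazonLinux2
description: Apply OS patches, enable auditing, and verify the result
schemaVersion: 1.0
phases:
  - name: build
    steps:
      - name: ApplyOsUpdates          # security patches (step 2)
        action: UpdateOS
      - name: EnableAuditd            # hardening (step 3)
        action: ExecuteBash
        inputs:
          commands:
            - sudo yum install -y audit
            - sudo systemctl enable auditd
  - name: validate
    steps:
      - name: AuditdIsEnabled         # non-zero exit fails the build
        action: ExecuteBash
        inputs:
          commands:
            - systemctl is-enabled auditd
  - name: test
    steps:
      - name: NoPendingSecurityUpdates   # yum exits 100 if patches are pending
        action: ExecuteBash
        inputs:
          commands:
            - sudo yum check-update --security
            - systemctl is-active auditd
EOF
  echo "$COMPONENT_DOC"
}

# Steps 1 and 5 plus the pipeline wiring; needs credentials and the IAM setup.
create_golden_image_pipeline() {
  local comp_arn recipe_arn infra_arn dist_arn
  comp_arn=$(aws imagebuilder create-component --region "$REGION" \
    --name HardenAmazonLinux2 --semantic-version 1.0.0 --platform Linux \
    --data "file://${COMPONENT_DOC}" \
    --query componentBuildVersionArn --output text)

  # Step 1: the source image and the component above form the image recipe.
  recipe_arn=$(aws imagebuilder create-image-recipe --region "$REGION" \
    --name golden-al2 --semantic-version 1.0.0 \
    --parent-image "$PARENT_IMAGE" --components "componentArn=${comp_arn}" \
    --query imageRecipeArn --output text)

  # Build/test instances; terminate on failure so a half-built host is not left running.
  infra_arn=$(aws imagebuilder create-infrastructure-configuration --region "$REGION" \
    --name golden-al2-infra --instance-profile-name "$INSTANCE_PROFILE" \
    --instance-types t3.medium --terminate-instance-on-failure \
    --query infrastructureConfigurationArn --output text)

  # Step 5: distribution; one region here, add entries (and target accounts) for more.
  dist_arn=$(aws imagebuilder create-distribution-configuration --region "$REGION" \
    --name golden-al2-dist \
    --distributions "[{\"region\":\"${REGION}\",\"amiDistributionConfiguration\":{\"name\":\"golden-al2-{{imagebuilder:buildDate}}\"}}]" \
    --query distributionConfigurationArn --output text)

  # Weekly schedule, run only when the parent image or a component has changed.
  aws imagebuilder create-image-pipeline --region "$REGION" \
    --name golden-al2-pipeline \
    --image-recipe-arn "$recipe_arn" \
    --infrastructure-configuration-arn "$infra_arn" \
    --distribution-configuration-arn "$dist_arn" \
    --image-tests-configuration imageTestsEnabled=true,timeoutMinutes=60 \
    --schedule "scheduleExpression=cron(0 3 ? * sun *),pipelineExecutionStartCondition=EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE" \
    --query imagePipelineArn --output text
}

write_component_doc >/dev/null
if [ "${RUN_AWS:-0}" = 1 ]; then create_golden_image_pipeline; fi
```

The validate phase is what turns a hardening step into a gate: a failed check aborts the build and no AMI is produced, whereas the test phase exercises the distributed image itself. Run with RUN_AWS=1 after the instance profile and the SSM-managed build subnet are in place.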

For more details, check EC2 Image Builder.

Advantage:

Image management for both AWS and on-premises: EC2 Image Builder works not only with Amazon EC2 but also with on-premises infrastructure connected through AWS Outposts. Creating EC2 images that are ready to deploy becomes a simple process because it can now be done through a GUI (graphical user interface).

Built-in validation support: The latest images can also be tested with Image Builder to validate our applications on the updated builds. We can also subscribe to notifications via Amazon SNS for pending updates to images built with Image Builder, and use these notifications as triggers to build new images.

Centralized policy enforcement: With EC2 Image Builder, images are automatically kept up to date: whenever there is a pending update (e.g., source AMI updates, security updates, compliance updates, new tests), a trigger is generated, and new images are built based on those triggers.

Simple to secure: Another big advantage of using EC2 Image Builder is the way it simplifies securing your VMs. You can, for instance, configure images to include only the essential components. Image Builder can recommend components that can be removed safely.

Improved IT productivity: Keeping server images up to date can be time-consuming, resource-intensive, and error-prone. Currently, customers either manually update and snapshot VMs or have teams build automation scripts to maintain images.

The real benefit of using EC2 Image Builder, however, can be felt when you start managing hundreds of images. That’s when keeping images up-to-date and maintaining your repository of images become complicated when done manually.

Eliminates manual steps completely: You no longer need to build your own automation pipeline, and you do not have to develop custom scripts for your CI/CD cycles or applications. Because there are no proprietary scripts, there is no code to maintain, and image management and maintenance become far more efficient.

Limitations:

  1. Image Builder natively supports only Amazon Linux 2 and Windows Server 2012 R2, 2016, and 2019. For other Linux flavors like RHEL or Ubuntu, the custom AMI option could be used as a workaround, but this requires the source image to have the SSM Agent, the AWS CLI and wget installed.
  2. EC2 Image Builder is not supported by AWS CloudFormation or Terraform. Hence, you would have to rely on the AWS CLI or API to create and manage your Image Builder configuration, which means additional time and effort to build and maintain tooling that orchestrates image pipelines.
  3. Image Builder shows the status of the image pipeline in the Image Builder console. For a running image pipeline, you can see the current step (Building, Testing, or Distributing) in the status, but there is no step-by-step indication of progress or streaming of logs.

Comparison of EC2 Image Builder with Packer:

Note: EC2 Image Builder does not offer any additional benefits over Packer, and given its limitations with supported OS types and build/pipeline orchestration, it is best to continue with Packer if you are already using it.

Yogesh Patil

About

Yogesh Patil is part of the Sogeti OneDeliver team, working as a Cloud & DevOps Solution Architect on native app development and migration projects. He has four years' experience in Azure/AWS IaaS and PaaS and in leading cloud strategy, adoption and cloud architecture, and is an expert in architecting Azure and AWS cloud solutions. He has 14 years of full-stack application development experience using .NET technologies and builds end-to-end automation solutions using Azure DevOps. He is passionate about building innovative and practical solutions to solve customers' business problems.
