By Sujit Singh, Partner Management Solutions Architect – AWS
By Kevin RisonChu, Co-Founder and CTO – Stratus10


Amazon Machine Images (AMIs) are templates used to launch instances in Amazon Elastic Compute Cloud (Amazon EC2). While they allow quick deployment, managing multiple customized AMIs can be complex.

EC2 Image Builder simplifies building, testing, and deploying virtual machine (VM) and container images for Amazon Web Services (AWS) and on-premises use. The graphical interface, automation, and AWS security settings reduce the effort to keep images up-to-date and secure. However, manually building and maintaining multiple custom AMIs with EC2 Image Builder still requires additional effort.

In this post, we explain how the Image Management Solution (IMS) from Stratus10 addresses the core challenges of custom AMI management and helps customers streamline the AMI management process.

Stratus10 is an AWS Specialization Partner and AWS Marketplace Seller that enables customers to take advantage of what AWS has to offer and accelerate their journey to the cloud.

Challenges of Managing AMIs

As an AWS customer, you likely have numerous workloads to maintain in AWS. For workloads running on Amazon EC2 instances, it’s imperative to keep them up-to-date, secure, and consistent. Doing this manually for every security update or a new application version can be cumbersome and time-consuming.

Common challenges IT teams face in managing AMIs include:

  • Manual processes: Many AMI management tasks are still performed manually, which can be complex, susceptible to errors, and prone to security issues. Additionally, maintaining complete documentation to create a new AMI becomes a burden for teams to manage.
  • Proliferation of AMIs: Organizations often end up creating a large number of AMIs, each with a slightly different configuration, making it difficult to track, manage, and secure all AMIs.
  • Lack of visibility: It can be difficult to get a clear view of all AMIs in use, leading to duplicate and unused AMIs, as well as AMIs that are not properly configured or secured.
  • Security and compliance: Keeping workloads secure and adhering to compliance requirements is non-negotiable. New images need to be built when there are updates, security patches, or new internal application versions. Organizations also need to comply with a variety of regulations, such as HIPAA and PCI DSS, which may impose specific requirements on how AMIs are managed.
  • Lack of automation: Scaling AMI management through automation is a common challenge for teams managing multiple AMIs, especially when EC2 Image Builder should run automatically as new application releases land in AWS CodeCommit.
  • Cost control: AMIs can be expensive to store and manage, and without careful monitoring can lead to unnecessary costs.

With the growing need for rapid iteration and secure application deployment comes the need for an automated way to build customized, secure, hardened AMIs.

AMI Automation Solution

One new approach to overcome the challenges associated with building, maintaining, and distributing AMIs is the Image Management Solution (IMS) developed by Stratus10. Available via AWS Solutions Library, the IMS provides automation on top of EC2 Image Builder, enabling you to streamline the process of building and maintaining AWS images and bake your application code into the image.

The IMS provides automation that can be plugged into your current deployment process and help you build, test, manage, and distribute your AMIs in a more efficient way. Ultimately, you build hardened images while ensuring best practices.

The benefits of implementing this AMI automation solution include:

  • Consistency and standardization: Whether you’re a one-person shop or have multiple teams creating images, the IMS allows you to define a baseline recipe (such as security patches and authentication) that ensures all images conform to organization standards.
  • Integration into current deployment process: Teams can hook up their AWS CodeCommit repositories to have new AMIs created when new application versions are released.
  • Infrastructure as code: By managing AMIs as code, you enhance risk management, increase accountability, and reduce configuration inconsistency.
  • Improved visibility and management: As your organization grows and requirements change, the solution enables you to track changes over time and roll back in the event of misconfigured recipes.
  • Reduced costs: Organizations save time and money by automating labor-intensive tasks. The IMS handles the heavy lifting required to build and manage images so engineers don’t have to spend hours or days of manual effort on it.

Without the need for manual effort in building and maintaining AMIs, engineering teams can instead focus their efforts on innovation and other core business activities.

To get started with the Stratus10 Image Management Solution, your team will work with Stratus10 cloud experts to identify the base AMIs, set up initial configuration of packages, build tests and validation steps, and establish trigger pipelines.

The detailed technical process and associated architecture diagrams of the automation solution are outlined below.

Under the Hood: Stratus10’s IMS

To automate the process of building new Amazon EC2 images when application updates are released in AWS CodeCommit, Stratus10’s Image Management Solution integrates EC2 Image Builder with CodeCommit.

IMS takes advantage of the integration between AWS CodePipeline and AWS Lambda functions to create automation that triggers EC2 Image Builder runs to build new AMIs when new code is committed to CodeCommit.

The diagram below shows the building of an AMI when a new release is posted, whether that’s a new tag or a single commit. Here, you can use CodeCommit to trigger the creation of a new hardened image. This is useful for teams that want to provide baseline AMIs from which other teams build their own custom images.


Figure 1 – Stratus10 image management solution.

Components of the Image Management Solution

The EC2 Image Builder automation process is made up of the following components:

  • AWS Identity and Access Management (IAM):
    • The Lambda Trigger IAM role enables AWS Lambda to invoke EC2 Image Builder pipeline runs and to write logs to Amazon CloudWatch Logs.
    • Image Builder Service role allows EC2 Image Builder to manage EC2 instances to build, validate, and test the images it creates. It also distributes the image based on distribution details.
    • EC2 Instance Profile contains permissions to allow entities on the EC2 instance to access AWS services such as Amazon Simple Storage Service (Amazon S3), AWS Secrets Manager, and AWS Key Management Service (AWS KMS) that could be used during the creation and testing of images.
  • AWS CodePipeline: Serves as the glue between AWS CodeCommit and EC2 Image Builder.
  • AWS Lambda: A Lambda function is invoked by AWS CodePipeline on commits to the configured branch of the CodeCommit repository. The Lambda function then invokes EC2 Image Builder pipeline runs.
  • Amazon S3: Stores artifacts from AWS CodePipeline and EC2 Image Builder; these are primarily logs, but can also be used to pass artifacts between stages and steps.
  • Amazon CloudWatch Logs: Stores logs and metrics from the Lambda function and EC2 Image Builder.
  • EC2 Image Builder: Contains pipelines with all configurations for managing AMIs. In the backend, it uses AWS Systems Manager Automation to run the stages that build and validate EC2 instances as well as create and distribute AMIs.
  • AWS CodeCommit: This is the Git repository for storing code and other artifacts that can trigger the process for creating AMIs.
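The list above describes the Lambda function as the link between CodePipeline and EC2 Image Builder without showing what such a function does. The following is an added example, not Stratus10's code and not taken from the post: a Lambda handler that receives the CodePipeline job event, starts the configured Image Builder pipeline with the `StartImagePipelineExecution` API, and reports success or failure back to CodePipeline. The environment variable name `IMAGE_PIPELINE_ARN`, the `imagePipelineArn` UserParameters key, and all sample ARNs and job IDs are assumptions or constructed values; the fake client classes stand in for boto3 so the flow can be exercised offline.

```python
"""Added example, not Stratus10's code: a Lambda handler of the kind the IMS
architecture describes. CodePipeline invokes it with a job event, it starts the
configured EC2 Image Builder pipeline, and it closes the CodePipeline job out
as success or failure. The env var and UserParameters key names are assumed."""
import json
import os

# Assumed configuration (not from the post): pipeline ARN from the action's
# UserParameters JSON key "imagePipelineArn", else from this environment variable.
PIPELINE_ARN_ENV = "IMAGE_PIPELINE_ARN"
ARN_PREFIX = "arn:aws:imagebuilder:"


def parse_job(event):
    """Job id and optional UserParameters JSON from the CodePipeline event."""
    job = event["CodePipeline.job"]
    raw = job["data"]["actionConfiguration"]["configuration"].get("UserParameters")
    return job["id"], (json.loads(raw) if raw else {})


def resolve_pipeline_arn(params, env=None):
    """Pick the pipeline to run; refuse anything that is not an Image Builder ARN
    so a mistyped or tampered parameter cannot point the trigger elsewhere."""
    env = os.environ if env is None else env
    arn = params.get("imagePipelineArn") or env.get(PIPELINE_ARN_ENV)
    if not arn or not arn.startswith(ARN_PREFIX):
        raise ValueError("no valid EC2 Image Builder pipeline ARN configured")
    return arn


def start_build(event, imagebuilder, codepipeline, env=None):
    """Start the Image Builder pipeline and report the outcome to CodePipeline.
    Every failure path calls put_job_failure_result so the stage cannot hang."""
    job_id, params = parse_job(event)
    try:
        arn = resolve_pipeline_arn(params, env)
        # The job id (a UUID) doubles as the idempotency token: if CodePipeline
        # retries the invocation, Image Builder does not start a second build.
        resp = imagebuilder.start_image_pipeline_execution(
            imagePipelineArn=arn, clientToken=job_id)
        build_arn = resp["imageBuildVersionArn"]
        codepipeline.put_job_success_result(
            jobId=job_id,
            executionDetails={"summary": "EC2 Image Builder run started",
                              "externalExecutionId": build_arn})
        return {"status": "started", "imageBuildVersionArn": build_arn}
    except Exception as exc:
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed", "message": str(exc)[:5000]})
        return {"status": "failed", "error": str(exc)}


def lambda_handler(event, context):
    """Real entry point; boto3 is imported lazily so the rest runs offline."""
    import boto3
    return start_build(event, boto3.client("imagebuilder"), boto3.client("codepipeline"))


# ---- constructed stand-ins so the flow can be exercised without AWS ----------
SAMPLE_JOB_ID = "11111111-2222-3333-4444-555555555555"  # constructed
SAMPLE_PIPELINE_ARN = ("arn:aws:imagebuilder:us-east-1:123456789012:"
                       "image-pipeline/example-hardened-ami")  # constructed
OTHER_SERVICE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"  # constructed


class FakeImageBuilder:
    """Records start requests instead of calling the Image Builder API."""
    def __init__(self):
        self.calls = []

    def start_image_pipeline_execution(self, imagePipelineArn, clientToken):
        self.calls.append((imagePipelineArn, clientToken))
        return {"imageBuildVersionArn":
                imagePipelineArn.replace(":image-pipeline/", ":image/") + "/1.0.0/1"}


class FakeCodePipeline:
    """Records job results instead of calling the CodePipeline API."""
    def __init__(self):
        self.results = []

    def put_job_success_result(self, **kwargs):
        self.results.append(("success", kwargs))

    def put_job_failure_result(self, **kwargs):
        self.results.append(("failure", kwargs))


def sample_event(user_parameters=None):
    """Constructed CodePipeline job event in the shape Lambda receives."""
    config = {"FunctionName": "ims-image-builder-trigger"}
    if user_parameters is not None:
        config["UserParameters"] = json.dumps(user_parameters)
    return {"CodePipeline.job": {"id": SAMPLE_JOB_ID, "data": {
        "actionConfiguration": {"configuration": config}}}}


def demo():
    """One accepted trigger and one rejected (non-Image-Builder ARN) trigger."""
    ib, cp = FakeImageBuilder(), FakeCodePipeline()
    ok = start_build(sample_event({"imagePipelineArn": SAMPLE_PIPELINE_ARN}), ib, cp, env={})
    bad = start_build(sample_event({"imagePipelineArn": OTHER_SERVICE_ARN}), ib, cp, env={})
    return ok, bad, ib, cp
```

Two points matter for a trigger like this. First, a CodePipeline Lambda action waits for the function to call `PutJobSuccessResult` or `PutJobFailureResult`, so the handler reports every exception rather than letting the stage sit until it times out. Second, the execution role behind it (the "Lambda Trigger IAM role" in the list above) needs only `imagebuilder:StartImagePipelineExecution` on the specific pipeline ARN, `codepipeline:PutJobSuccessResult` and `codepipeline:PutJobFailureResult`, and the CloudWatch Logs write permissions; the ARN prefix check keeps a bad parameter from turning that role against any other resource.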

Solution Walkthrough

Next, we demonstrate how Stratus10’s Image Management Solution is used to create baseline AMIs and custom images with an application baked into the AMI.

We start the solution by making a commit in AWS CodeCommit.


Figure 2 – AWS CodePipeline triggered by commit.

After code is committed, the commit automatically starts the AWS CodePipeline run, which invokes your Lambda function.


Figure 3 – AWS CodePipeline triggers the Lambda function.

Inspecting the CloudWatch logs, we can see that our Lambda function ran successfully and initiated an EC2 Image Builder pipeline run.


Figure 4 – Lambda triggers Image Builder pipeline.

A few seconds later, the EC2 Image Builder pipeline runs and builds our AMI.


Figure 5 – EC2 Image Builder creates custom AMI.

Once EC2 Image Builder finishes running, we can see our AMI is available.


Figure 6 – AMI build successful.

By orchestrating EC2 Image Builder pipelines through commits, the solution maintains an up-to-date environment, eliminating manual initiation of image creation. The work was completed in minutes, compared to the hours (or days) of manual labor it previously took to build, validate, test, and distribute AMIs.


The Stratus10 Image Management Solution (IMS) has redefined Amazon EC2 image management. This post explained how AMI automation is not just about addressing challenges, but rather about transforming operations. Without the burdens of manual image creation, costs are significantly reduced as hours of labor transform into moments of automation.

Additionally, Stratus10’s IMS secures the entire image creation process. Vulnerabilities are identified and compliance is upheld automatically. The integration of AWS CodePipeline and AWS Lambda for automatic EC2 Image Builder runs reinforces this security by minimizing human intervention and potential errors.

Moreover, the consistency and standardization embedded in the image creation process provide a solid foundation for every deployment, ensuring that each instance adheres to organization-wide best practices.

To get started with automation for EC2 Image Builder, contact Stratus10. You can also learn more about Stratus10 in AWS Marketplace.


Stratus10 – AWS Partner Spotlight

Stratus10 is an AWS Specialization Partner that enables customers to take advantage of what AWS has to offer and accelerate their journey to the cloud.
