Hubbry Logo
Amazon Machine ImageAmazon Machine ImageMain
Open search
Amazon Machine Image
Community hub
Amazon Machine Image
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Amazon Machine Image
Amazon Machine Image
Amazon Machine Image
View on Wikipedia
from Wikipedia

An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud (EC2). It serves as the basic unit of deployment for services delivered using EC2.[1]

Overview

[edit]

Like all virtual appliances, the main component of an AMI is a read-only filesystem image that includes an operating system (e.g., Linux, Unix, or Windows) and any additional software required to deliver a service or a portion of it.[2]

An AMI includes the following:

  • A template for the root volume for the instance (for example, an operating system, an application server, and applications)
  • Launch permissions that control which AWS accounts can use the AMI to launch instances
  • A block device mapping that specifies the volumes to attach to the instance when it's launched

The AMI filesystem is compressed, encrypted, signed, split into a series of 10 MB chunks and uploaded into Amazon S3 for storage. An XML manifest file stores information about the AMI, including name, version, architecture, default kernel id, decryption key and digests for all of the filesystem chunks.

Current AMIs are available for hardware virtualized machines (HVM)[3] where the operating system is installed as it would be on real hardware. With the still available older paravirtualized virtual machines (PV),[4] an AMI did not include a kernel image, only a pointer to the default kernel id, which could be chosen from an approved list of safe kernels maintained by Amazon and its partners (e.g., Red Hat, Canonical, Microsoft). Users could choose kernels other than the default when booting an PVM AMI.[5]

Operating systems

[edit]

When it launched in August 2006, the EC2 service offered Linux and later Sun Microsystems' OpenSolaris and Solaris Express Community Edition. In October 2008, EC2 added the Windows Server 2003 and Windows Server 2008 operating systems to the list of available operating systems.[6][7] As of December 2010, it has also been reported to run FreeBSD;[8] in March 2011, NetBSD AMIs became available.[9] In November 2012, Windows Server 2012 support was added.[10]

Amazon Linux AMI

[edit]

Amazon has its own Linux distribution that is largely binary compatible with Red Hat Enterprise Linux.[11] This offering has been in production since September 2011, and in development since 2010.[12] The final release of the original Amazon Linux is version 2018.03[13] and uses version 4.14 of the Linux kernel. Amazon Linux 2 changed from System V init system to systemd boot.[14] It was announced in June 2018, and is updated on a regular basis.[15]

Amazon Linux 2023 was the next version, which launched alongside a new two-yearly release cadence. It comes with various kernel hardening features, and also enables kernel live patching.

Types of images

[edit]
  • Public: an AMI that can be used by anyone.
  • Paid: a for-pay AMI that is registered with Amazon DevPay and can be used by anyone who subscribes for it. DevPay allows developers to mark-up Amazon's usage fees and optionally add monthly subscription fees.
  • Shared: a private AMI that can only be used by Amazon EC2[16] users who are allowed access to it by the developer.

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Amazon Machine Image

View on Grokipedia
from Grokipedia
An Amazon Machine Image (AMI) is a pre-configured template that contains the software configuration required to launch and boot an instance in (Amazon EC2), including an operating system, application server, applications, and a template for the instance's root volume. Introduced as a core component of Amazon EC2 upon its launch in , an AMI enables users to deploy consistent virtual server environments in the AWS cloud with minimal setup effort. AMIs consist of two main elements: the software configuration, which includes the operating system and any pre-installed applications, and a block device mapping that specifies how block devices, such as Amazon Elastic Block Store (Amazon EBS) volumes or instance store volumes, are attached to the instance. Key characteristics of an AMI include its regional availability, supported operating system, processor architecture (such as x86 or ), root device storage type (EBS or instance store), and virtualization type ( or paravirtualization), all of which must align with the target EC2 instance type for compatibility. These attributes ensure that AMIs provide reliable, reproducible deployments tailored to specific workloads, from web servers to environments. In practice, AMIs are used to launch one or more EC2 instances, allowing for scalable infrastructure provisioning without rebuilding configurations from scratch each time. Users can select from AWS-provided AMIs, those available in the AWS Marketplace, community-shared options, or custom AMIs created from existing running instances via the EC2 console, AWS CLI, or SDKs. Custom AMIs support features like copying across AWS Regions for global deployments, sharing with other AWS accounts for collaboration, and even selling through the AWS Marketplace to monetize specialized images. This flexibility makes AMIs essential for practices, disaster recovery, and maintaining standardized environments across hybrid or multi-cloud setups.

Introduction

Definition and Purpose

An Amazon Machine Image (AMI) is a pre-configured template that provides the software configuration, including the operating system, , and applications, required to launch and boot an (EC2) instance. AMIs serve as the foundational starting point for all EC2 instances, encapsulating the entire software stack to ensure that instances can be provisioned with identical setups across different environments. The primary purpose of an AMI is to enable the rapid deployment of consistent and scalable virtual servers in the AWS cloud, allowing users to launch multiple instances from a single image without manual reconfiguration. By acting as reusable snapshots of system states, AMIs support (IaC) practices, facilitating the automation and versioning of development, testing, and production environments through tools like and Terraform. Key benefits of AMIs include reduced setup time for new instances, as they eliminate the need to repeatedly install and configure software from scratch. They ensure compliance by promoting standardized images that maintain uniform security patches and configurations across an organization. Additionally, AMIs facilitate disaster recovery by providing full backups of instance configurations, enabling quick restoration through the launch of new instances in the event of failures. Their portability across AWS regions further enhances reproducibility, allowing images to be copied and shared for global deployments.

History

Amazon Machine Images (AMIs) were introduced alongside the public beta of (EC2) on August 25, 2006, providing pre-configured boot disks stored as objects to enable users to launch virtual servers with basic distributions such as , , and other supported open-source variants. Initially, AMIs focused on instance store-backed storage, where the root device was ephemeral and tied to the instance's lifecycle, limiting persistence but offering simplicity for early cloud workloads. The evolution accelerated with the introduction of EBS-backed AMIs on December 3, 2009, allowing the root device to use persistent Amazon Elastic Block Store (EBS) volumes for faster launches, easier management, and the ability to stop and restart instances without data loss. Support for Windows AMIs began in beta on October 23, 2008, with full production availability expanding in 2009 to include editions, broadening EC2's appeal for enterprise applications. In July 2010, the launch of Cluster Compute instances marked a shift toward hardware virtual machine (HVM) , improving performance for by emulating full hardware environments more efficiently than the initial paravirtual (PV) approach. In September 2010, AWS introduced the Amazon Linux AMI as a stable, AWS-optimized for EC2, with major versions following in 2017 (Amazon Linux 2) and 2023 (Amazon Linux 2023). Key milestones included the April 2012 launch of AWS Marketplace, which enabled the distribution and of commercial AMIs from third-party sellers, fostering an for pre-packaged software. Enhanced security features emerged in 2017 with the announcement of the AWS Nitro System at AWS re:Invent, integrating dedicated hardware for encryption, networking, and storage offloads to improve isolation and efficiency in AMI-based instances, with broader rollout through 2020 across instance families like C5 and M5. As of 2025, AWS continues monthly releases of updated Amazon Linux AMIs incorporating the latest security patches and optimizations, ensuring ongoing compliance and stability for production environments.

Components

Root Device

The root device serves as the primary block device volume in an Amazon Machine Image (AMI), functioning as a virtual hard drive that stores the operating system image and other essential boot files, which are mounted during the instance startup process. This device is integral to initializing the Amazon EC2 instance, providing the foundational storage from which the system loads the kernel and root filesystem. AMIs support two main backing options for the root device: Amazon Elastic Block Store (EBS) for persistent storage or instance store for ephemeral, high-performance temporary storage. EBS-backed root devices use modifiable volumes that retain data across instance stops and restarts, enabling features like snapshots for creating new AMIs from the current state. In contrast, instance store-backed root devices offer faster I/O but are non-persistent, with all data deleted upon instance termination or hardware failure. Instance store-backed instances cannot be stopped. They are suitable only for temporary workloads on specific older instance types like C3, M3, or R3. The root device is specified within the AMI's block device mapping, which defines its attachment point, such as /dev/xvda. EBS root devices typically initialize at a minimum size of 8 GiB, though volumes can be resized post-launch, and they are pre-formatted with appropriate filesystems such as for distributions or for Windows. Instance store root devices vary in based on the instance type but follow the same ephemeral deletion rules. For security, EBS-backed root devices support at rest using AWS Key Management Service (KMS) keys, which protect data on the volume and any derived snapshots without requiring additional infrastructure. This applies to both the root volume and attached EBS volumes, ensuring compliance with data protection standards during boot and runtime. When launching an EC2 instance from an AMI with an encrypted root device snapshot, the encryption status is preserved, and the option to disable encryption is greyed out in the console by design for security reasons. Encryption can be enabled from an unencrypted AMI, but it cannot be disabled from an encrypted one.

Block Device Mapping

A block device mapping in an Amazon Machine Image (AMI) is a configuration that defines the block devices—such as Elastic Block Store (EBS) volumes or instance store volumes—to be attached to an EC2 instance when launched from the AMI. This mapping specifies virtual device names and their associations with underlying storage resources, enabling consistent storage setups across instances derived from the AMI. For example, the root device, typically mapped to /dev/sda1 on instances, serves as the primary volume within this configuration. The mapping consists of key elements that detail each device's . The device name identifies the virtual interface exposed to the instance, such as /dev/sdb for additional data volumes on or corresponding drive letters on Windows. For EBS volumes, the configuration includes the volume size in GiB (which must be at least as large as any associated snapshot), the volume type (e.g., gp3 for general-purpose SSD), a delete-on-termination (true by default for the volume to automatically delete the volume upon instance termination, and false for others), and status (enabled or disabled, with AWS-managed keys by default if enabled). Instance store volumes use virtual names like ephemeral0 instead of EBS . NoDevice can be specified to exclude a device from the mapping. These elements are structured in a JSON-like format within the AMI metadata. Functionally, block device mappings allow for the attachment of multiple volumes at instance launch, supporting flexible storage architectures such as separating the root volume from data volumes for better performance or scalability. EBS volumes can be initialized from snapshots included in the AMI, ensuring pre-configured data is available immediately upon boot. This enables scenarios like attaching additional EBS volumes for databases or caching, or instance store volumes for temporary high-I/O workloads, all predefined in the AMI to streamline deployments. Users can customize block device mappings during AMI creation by attaching volumes to the source instance and registering the AMI with the desired configuration, such as adding extra EBS volumes for persistent data or adjusting instance store mappings to optimize operations. This process preserves EBS data via snapshots while allowing tailored storage profiles without altering the base AMI image. Limitations include a maximum of 27 volumes per instance for many Nitro-based instance types, though this varies by instance family and size; mappings must align with the capabilities of the target instance type to avoid attachment failures. NVMe-based instance store volumes are automatically enumerated and may ignore explicit mappings, and device names can differ from specified values due to the block device driver.

Types

Backing Storage

Amazon Machine Images (AMIs) are categorized based on their backing storage, which determines the persistence, performance characteristics, and suitability for different workloads. The root device of an AMI specifies whether it uses instance store or Elastic Block Store (EBS) as the underlying storage mechanism. Instance store-backed AMIs, also known as S3-backed AMIs, utilize ephemeral instance store volumes that are physically attached to the host server and are supported only for Linux operating systems on previous-generation instance types such as C1, C3, M1, M2, M3, and R3. These volumes employ SSD or HDD storage and are ideal for temporary data such as caches, buffers, or scratch space in high-throughput applications. However, data on instance store volumes is lost upon instance stop, termination, or hardware failure, making them unsuitable for workloads requiring long-term persistence. In contrast, EBS-backed AMIs rely on persistent EBS volumes, which are block storage devices designed for durability and flexibility. These allow instances to be stopped and restarted without on the , and they support features like snapshots for versioning and backup. EBS volumes also enable encryption at rest and dynamic resizing, enhancing security and adaptability for production environments. The following table compares key aspects of instance store-backed and EBS-backed AMIs:
AspectInstance Store-Backed AMIsEBS-Backed AMIs
PersistenceEphemeral; data lost on stop/terminationPersistent; survives stop/start, deleted on termination by default
PerformanceHigher potential and throughput due to direct attachment, but varies by instance typeConsistent performance with configurable (up to 256,000 for io2 Block Express); network-attached
DurabilityLow; no against hardware failureHigh; 99.999% , supports multi-AZ
SnapshotsNot supportedSupported for backups and versioning
EncryptionNot natively supportedSupported at rest and in transit
ResizingNot supportedSupported; volumes can be modified while detached
SuitabilityTemporary workloads like caching or high-throughput temporary processingGeneral-purpose, persistent applications requiring reliability
Instance store-backed AMIs generally provide superior I/O performance for short-lived tasks but lack the durability and advanced management features of EBS-backed options. It is possible to migrate from an instance store-backed AMI to an EBS-backed AMI by launching an instance from the original AMI, copying its contents to a new EBS volume, creating a snapshot of that volume, and registering a new AMI from the snapshot. This process, while manual, allows users to transition to more persistent storage without rebuilding from scratch. As of 2025, EBS-backed AMIs dominate due to their persistence and compatibility with modern instance types, while instance store-backed AMIs are considered end of life and primarily used for legacy or specialized high-performance caching scenarios. AWS recommends EBS-backed AMIs for all new deployments to ensure faster launch times (under 1 minute) and broader support.

Virtualization

Amazon Machine Images (AMIs) in Amazon EC2 utilize two primary virtualization types: hardware virtual machine (HVM) and paravirtual (PV). HVM provides full virtualization by emulating a complete set of hardware, allowing the guest operating system to run directly on the virtual hardware without modifications, which enables support for any compatible OS and advanced features like GPU acceleration and nested . In contrast, PV is a legacy paravirtualization approach where the guest OS is aware of the , enabling optimized interactions that reduce overhead through modified drivers and kernels, though this limits compatibility to specific older configurations. HVM AMIs boot using the (MBR) of the root device by default but can be configured for boot mode to enable features such as Secure Boot and support for requiring . PV AMIs, however, rely on a specialized that chain-loads the kernel from a , and they are restricted to previous-generation instance types such as M1 and C1, with no support on current-generation families. HVM requires hardware-assisted extensions provided by the underlying platform, while PV does not but necessitates guest OS adaptations for optimal operation. In terms of performance, HVM AMIs leverage Single Root I/O Virtualization (SR-IOV) to enable enhanced networking and storage acceleration, delivering higher bandwidth, increased packets per second, and reduced latency compared to traditional virtual interfaces, making them ideal for modern workloads involving accelerated computing. When equipped with paravirtual drivers for networking and storage, HVM instances achieve performance that matches or surpasses PV setups, while PV historically offered lighter I/O overhead in legacy environments due to direct communication. PV support is limited to select previous-generation instance types and AWS Regions, with current-generation instances like C5 requiring HVM exclusively for compatibility and optimal resource utilization. The virtualization type for an AMI is selected during creation based on the target instance family and workload needs; for example, compute-optimized instances such as C5 mandate HVM to access hardware extensions and ensure broad OS compatibility. This choice impacts instance launch compatibility, as PV AMIs cannot run on HVM-only instance types, guiding users toward HVM for future-proofing against evolving EC2 offerings.

Creation and Management

Creating an AMI

Creating an Amazon Machine Image (AMI) involves capturing the configuration, software, and data of an Amazon EC2 instance or its associated EBS volumes to produce a reusable template for launching new instances. This process ensures consistency across deployments by bundling the instance's root volume and any attached block devices into snapshots, which form the basis of the new AMI. AMIs created this way are EBS-backed by default in modern usage, allowing for persistent storage and easier management compared to instance store-backed alternatives. To create an AMI from an existing EC2 instance, first launch an instance from a base AMI and customize it by installing and configuring software, attaching additional EBS volumes if needed, and applying necessary updates. Once customized, use the AWS Management Console, AWS CLI, or to initiate the creation: in the Console, select the instance, choose "Image and templates" > "Create image," provide a name and description, and optionally select "No reboot" to avoid powering down the instance; via CLI, run the command aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyServerImage" --description "Custom AMI for [web server](/page/Web_server)". The process creates snapshots of the root volume and all attached EBS volumes, which can take several minutes to complete for small instances, though larger volumes may extend this to an hour or more. Before creating the AMI, prepare the instance to optimize performance, security, and reliability: remove sensitive data such as shell history (e.g., using shred -u ~/.*history), remove SSH host keys to ensure each launched instance generates unique host keys, avoiding verification issues (e.g., sudo shred -u /etc/ssh/*_key /etc/ssh/*_key.pub), disable password-based logins by editing /etc/ssh/sshd_config to set PermitRootLogin without-password, and lock the account with [sudo](/page/Sudo) passwd -l [root](/page/Root). For automation, tools like Packer can script these steps, launching temporary instances, applying configurations via provisioners, and invoking the create-image to generate the AMI reproducibly. Alternatively, create an AMI directly from an EBS snapshot, which is useful for versioning configurations without running a full instance: first create snapshots of the and volumes using the Console (Snapshots > Create snapshot) or CLI (aws ec2 create-snapshot --volume-id vol-049df61146c4d7901 --description "Root volume backup"), then register the AMI with aws ec2 register-image --name "VersionedAMI" --architecture x86_64 --root-device-name /dev/xvda --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"SnapshotId":"snap-0668776718e604fb7","VolumeSize":8}}]', specifying block device mappings for volumes (as detailed in the Components section). This method leverages existing snapshots for quicker iteration in development workflows. The resulting AMI is assigned a unique ID in the format ami-0abcdef1234567890 and is private by default, visible only in the AWS where it was created. Creation itself incurs no direct fees, but EBS snapshot storage costs apply at $0.05 per GB-month for standard storage, billed incrementally based on the retained until snapshots are deleted.

Copying and Sharing

Copying an Amazon Machine Image (AMI) enables users to replicate it within the same AWS or across Regions, resulting in a new AMI with a independent of the source. This process supports consistent instance configurations for , , and global deployment. Copies can be performed using the AWS Console, AWS (CLI), or . For instance, the CLI command aws ec2 copy-image --source-ami-id ami-1234567890abcdef0 --source-region us-east-1 --region us-west-2 --name "MyCopiedAMI" --description "Copied for West Region" initiates a cross-region copy, optionally specifying with a KMS key via the --encrypted and --kms-key-id parameters. Since November 21, 2024, AWS provides AMI lineage information to trace the source of copied or derived AMIs, accessible via the AWS Console, CLI, or SDKs, aiding in and compliance. For EBS-backed AMIs, copying involves duplicating the underlying EBS snapshots, with initial cross-region copies being complete and subsequent ones incremental to optimize efficiency. The process copies the AMI and its associated EBS snapshots, but launch permissions, tags (unless explicitly specified during the copy), and certain settings are not automatically copied and must be reapplied as needed in the destination Region. status can be modified during the copy—for example, enabling on an unencrypted source or changing the KMS key—but encrypted AMIs cannot be copied to an unencrypted state. If the source AMI uses a custom KMS key, a different key must be specified for the destination Region, as KMS keys are Region-specific. Only user-defined tags from the owner's account can be copied; system tags and tags from other accounts are not included. Cross-account copying requires the source AMI to be shared with the target account, granting read access to the backing EBS snapshots; the resulting AMI is owned by the copying account and incurs storage costs for the copier, while data transfer fees apply to the source owner. Permissions for copying include the ec2:CopyImage IAM action on the source AMI, plus ec2:CreateTags for tagging the new AMI and snapshots, and additional S3 actions for instance store-backed (S3-backed) AMIs. Costs include standard EBS snapshot storage and cross-Region data transfer charges, with no additional charge for the copy itself unless using time-based copying with a deadline. Limitations include that AMIs created on AWS Outposts cannot always be copied cross-Region, and cross-account copies require sharing the AMI first. Each copied AMI counts toward the default quota of 50,000 AMIs per , which can be increased via a service quota request. Resource-level permissions for CopyImage have been supported since October 28, 2024, allowing finer control over specific AMIs. Sharing an AMI grants other AWS users or accounts permission to launch instances from it without transferring ownership. Owners can share privately with specific 12-digit AWS account IDs or make the AMI for broader access. Modifications occur via the AWS Console's Permissions tab for the selected AMI or the CLI command aws ec2 modify-image-attribute --image-id ami-1234567890abcdef0 --launch-permission '{"Add":[{"UserId":"123456789012"}]}', with permissions revocable at any time using similar commands to remove access. Private sharing enables direct account-to-account distribution outside the AWS Marketplace, where the owner adds the grantee account ID to allow launches but not modifications or deletions. Shared AMIs remain regional, requiring a copy to the target before sharing there. Security features ensure that shared AMIs inherit the encryption of their EBS volumes or S3 templates; for encrypted EBS-backed AMIs, owners must share the KMS key via resource-based policies to enable grantees to decrypt and launch. Fine-grained access is managed through IAM policies, with the ec2:DescribeImages action needed to view shared AMIs and ec2:RunInstances for launching. Launch permissions and tags from the source are not automatically copied, requiring manual application post-copy.

Usage

Launching Instances

Launching an Amazon EC2 instance from an Amazon Machine Image (AMI) involves selecting the AMI and configuring various parameters to define the instance's environment and behavior. In the AWS Management Console, users begin by navigating to the EC2 dashboard, choosing "Launch instance," and selecting the desired AMI under the "Application and OS Images" section. They then choose an instance type, such as t3.micro for general-purpose workloads, which determines the compute, memory, and networking resources allocated to the instance. Network settings are configured next, including the (VPC), subnet, and security groups to control inbound and outbound traffic. A key pair is selected or created for secure access via SSH or RDP, and optional user data scripts can be provided to automate initial configuration. Finally, tags are added for resource organization, and the instance is launched after reviewing the summary. If the Allowed AMIs feature is enabled on the account (introduced December ), only AMIs from specified owners or aliases are visible and usable for launching, helping enforce and compliance policies. For command-line launches, the AWS CLI uses the run-instances command with the --image-id parameter specifying the AMI ID, such as ami-12345678abcdef0. Essential parameters include --instance-type (e.g., t3.micro), --key-name for the key pair, --security-group-ids for network access, --subnet-id for placement, and --user-data for bootstrap scripts. A basic example is:

aws ec2 run-instances --image-id ami-12345678abcdef0 --count 1 --instance-type t3.micro --key-name MyKeyPair --security-group-ids sg-903004f8 --subnet-id subnet-6e7f829e

aws ec2 run-instances --image-id ami-12345678abcdef0 --count 1 --instance-type t3.micro --key-name MyKeyPair --security-group-ids sg-903004f8 --subnet-id subnet-6e7f829e

This command launches one instance with the specified configuration. At launch time, several customizations can override or extend the AMI's defaults. Block device mappings from the AMI can be overridden in the console's advanced details or via the --block-device-mappings CLI parameter to adjust storage volumes, such as adding or resizing EBS volumes. When launching from an AMI with an encrypted root snapshot, the encryption option for the root volume is greyed out in the console and cannot be disabled; this is by design for security reasons. Encryption can be enabled when launching from an unencrypted AMI, but not disabled from an encrypted one. For additional volumes, encryption can be configured independently via block device mappings. Tags can be applied using the --tag-specifications CLI option or the console's tagging section to add metadata like Name or Environment for management. An Elastic IP address can be associated post-launch through the EC2 console or API to provide a static public IPv4 address. User data scripts enable bootstrapping; for Linux instances, these are typically shell scripts starting with #!/bin/bash, such as one to update packages and start a service (example for Amazon Linux 2023):

#!/bin/bash dnf update -y systemctl start [httpd](/page/Httpd) systemctl enable [httpd](/page/Httpd)

#!/bin/bash dnf update -y systemctl start [httpd](/page/Httpd) systemctl enable [httpd](/page/Httpd)

The script runs automatically during . The AMI must be compatible with the selected instance type's and requirements to ensure successful launch. AMIs are built for specific processor architectures, such as x86_64 (/) or arm64 (), so the instance type must match—for instance, an x86_64 AMI cannot launch on an ARM-based type like m6g.large. Similarly, the AMI's type—Hardware Virtual Machine (HVM) for modern instances or Paravirtual (PV) for legacy support—must align with the instance type; current-generation types like C5 require HVM AMIs. For scaling multiple instances from the same AMI, Auto Scaling groups use launch templates or configurations that reference the AMI ID, instance type, and other settings to automatically adjust capacity based on demand or health checks. Post-launch, the instance boots from the AMI's root device volume, transitioning from a pending state to running as the operating system initializes. Monitoring occurs via Amazon CloudWatch, which collects metrics like CPU utilization and network traffic in near real-time, with options for basic (5-minute intervals) or detailed (1-minute) monitoring.

Finding and Selecting AMIs

Users can discover and select Amazon Machine Images (AMIs) through the AWS Management Console, (CLI), or , enabling targeted searches based on workload requirements such as operating system, , and storage type. In the AWS Console, AMIs are accessible via the EC2 Launch Wizard or the dedicated Images page. The Launch Wizard offers Quick Start options for common operating systems and applications, while the full catalog under Application and OS Images allows browsing by name, ID, or description. Filters on the Images page refine results by (public images, owned by Amazon, or shared), platform (e.g., or Windows), (e.g., x86_64 or arm64), root volume type (EBS or instance store), and tags for community-contributed AMIs. For programmatic access, the AWS CLI and provide the describe-images command or equivalent DescribeImages call to query available AMIs. Users specify the --owners to limit results to specific providers, such as amazon for AWS-provided AMIs, aws-marketplace for options, or self for private ones. Additional --filters narrow searches by attributes like (Name=architecture,Values=x86_64), platform (Name=platform,Values=Linux/UNIX), virtualization type (Name=virtualization-type,Values=hvm), or root device type (Name=root-device-type,Values=ebs). For example, the command aws ec2 describe-images --owners amazon --filters "Name=[architecture](/page/Architecture),Values=x86_64" "Name=platform,Values=Linux/UNIX" retrieves Amazon-owned Linux AMIs compatible with x86_64 instances. When selecting an AMI, key criteria ensure compatibility and performance. First, verify regional availability, as AMIs are region-specific and must be copied across regions if needed. Next, match the (e.g., 64-bit / or ) and type (HVM for modern instances or paravirtual for legacy) to the target instance type. Assess the root device size and type through the AMI's block device mapping, typically detailed in the . Review launch permissions to confirm (, explicit sharing, or account-owned) and examine the for included software, supported operating systems (such as Amazon Linux or , as outlined in the Supported Operating Systems section), and any prerequisites. AWS Quick Starts provide pre-configured AMIs for popular operating systems and workloads, accessible directly in the Launch Wizard under the AWS-provided owner filter. Community AMIs can be discovered using tag-based filters, such as Name=tag:OS=[Ubuntu](/page/Ubuntu), to identify shared images from trusted sources. Best practices for selection emphasize security and optimization: prioritize recent AMIs to incorporate the latest patches and updates, verify compatibility with intended instance types (e.g., ensuring architecture for processors), and test the AMI in a non-production environment to confirm workload performance.

Supported Operating Systems

Amazon Linux

Amazon Linux is a operating system developed by (AWS) and optimized for use on (EC2) instances. It is provided at no additional charge and serves as a stable, secure foundation for cloud workloads, with versions tailored to incorporate the latest AWS integrations and performance enhancements. The distribution is derived from established Linux upstreams: Amazon Linux 2 (AL2), released in 2017, is based on and (RHEL), while Amazon Linux 2023 (AL2023), released on March 15, 2023, draws from and 9 as its upstream sources for a more modern package ecosystem. Key features of Amazon Linux include a tuned optimized for EC2 performance, including support for AWS Nitro System instances, which enable enhanced networking and storage capabilities through dedicated hardware offloads. Pre-installed tools such as the AWS (CLI) and AWS SDKs facilitate seamless integration with AWS services, while package management is handled via YUM for AL2 and DNF for AL2023. Both versions offer an Extras repository—amazon-linux-extras for AL2 and equivalent modular repositories for AL2023—providing access to additional software packages like EPEL without requiring third-party sources. is prioritized with preconfigured SELinux policies in AL2023 and regular patches, ensuring compliance for enterprise applications. Official Amazon Machine Images (AMIs) for are available in all AWS regions, allowing users to launch instances directly from the EC2 console or AWS CLI, with options for minimal installations to reduce footprint. Updates are delivered through region-hosted repositories, including monthly security patches and bug fixes, which can be applied via automated tools like yum update or dnf update. AL2023 introduces a biannual major release cadence with frequent minor updates under user control, promoting deterministic environments for pipelines. The lifecycle of Amazon Linux versions emphasizes long-term stability: Amazon Linux 1 reached end-of-life (EOL) on December 31, 2023, ceasing all security updates and bug fixes thereafter. AL2 provides (LTS) until June 30, 2026, after which no further updates will be issued. In contrast, AL2023 is supported until June 30, 2029, with standard support until June 30, 2027 and maintenance support thereafter, emphasizing containerized and architectures. Amazon Linux is ideal for general-purpose workloads such as web servers, application hosting, and development environments, as well as deployed via or ECS, due to its native optimizations and reduced overhead compared to third-party distributions.

Third-Party Distributions

Third-party distributions refer to Amazon Machine Images (AMIs) based on operating systems developed and maintained by vendors outside of AWS, such as , , and , which are optimized and certified for use on Amazon EC2 instances. These AMIs provide users with familiar ecosystems, enterprise-grade features, and broad software compatibility while leveraging AWS infrastructure. Unlike AWS-native options, third-party distributions emphasize vendor-specific tooling, cycles, and integration with existing on-premises environments. For Linux distributions, popular choices include from , which offers official AMIs for versions like 24.04 LTS (Noble Numbat), available across AWS regions with minimal configurations for quick deployment. (RHEL) is certified for AWS through partnerships, providing pre-tuned AMIs for versions 8 and 9 that integrate seamlessly with AWS services like EC2 and support enterprise workloads. , as an upstream development platform for RHEL, delivers continuously updated AMIs, such as 9, suitable for testing and development. , maintained by the Debian Project, supplies official AMIs for stable releases like 12 (Bookworm), emphasizing security and flexibility for cloud environments. These Linux options are certified for AWS compatibility via tools like AWS Launch Wizard, which validates them for specific workloads such as deployments. Windows distributions are provided directly by Microsoft through AWS, including server editions like Windows Server 2019, 2022, and 2025, as well as desktop variants such as Windows 10 and 11 for remote access scenarios. These AMIs include Microsoft licensing and are updated monthly to incorporate the latest security patches and optimizations for EC2 hardware. Certification for third-party AMIs involves rigorous testing by AWS partners to ensure compatibility with EC2 instance types, networking, and storage; for instance, Ubuntu Pro extends this with up to 10 years of security maintenance tailored for AWS AMIs, covering expanded compliance standards like CIS benchmarks. AMI sources primarily come from official vendor repositories—for example, Canonical publishes specific AMI IDs for the latest Ubuntu 24.04 in each region via their EC2 locator tool—while users can create custom builds using cloud-init to automate instance initialization, package installation, and configuration without altering the base OS. Support for these distributions relies on vendor-specific update mechanisms, such as Canonical's for or Red Hat's for RHEL patching, while AWS handles underlying hardware compatibility and provides assistance for integration issues. AWS does not perform OS-level , leaving that to the vendors to ensure timely security and feature updates. As of 2025, trends in third-party distributions highlight expanding ARM64 support for processors, with distributions like 24.04, RHEL 9, 9, and 12 offering native arm64 AMIs for cost-efficient, high-performance workloads.

Marketplace and Community

AWS Marketplace AMIs

AWS Marketplace serves as a digital catalog where independent software vendors (ISVs) can publish pre-configured (AMIs) bundled with specialized software, such as databases and applications, enabling customers to quickly deploy ready-to-use solutions on Amazon EC2. Launched in April 2012, it functions as an online store integrated with AWS services, allowing sellers to monetize their offerings while providing buyers with seamless access to vetted software. Sellers publish AMIs by creating product listings in AWS , where they define pricing models such as hourly usage-based fees, upfront payments, monthly subscriptions, or annual contracts, with AWS automatically integrating these charges into the customer's EC2 instance billing for a unified . This process ensures that software costs are billed alongside infrastructure expenses without additional setup. For instance, sellers can offer AMIs for enterprise software like , , and Splunk Enterprise, including options in the AWS Free Tier for trial usage. Customers subscribe to these AMIs directly through the AWS Console with a one-click process, launching EC2 instances that automatically apply the selected licensing model, including Bring Your Own (BYOL) for existing software entitlements or AWS-managed licensing for metered usage. All AMIs undergo mandatory security scans by AWS to detect vulnerabilities, ensuring compliance with standards like PCI DSS and HIPAA where applicable, while sellers provide ongoing updates through new AMI versions to maintain security and feature enhancements. As of 2025, thousands of AMIs are available, supporting enterprise-scale via integration with AWS Organizations, which enables centralized of subscriptions across multiple accounts.

Public and Shared AMIs

Public AMIs are Amazon Machine Images that are owned by AWS or contributed by the community and made discoverable to all AWS users across accounts. These include base operating system images provided directly by AWS, such as those for Amazon Linux, Ubuntu, and other distributions, which serve as starting points for instance launches without additional cost. Amazon and the EC2 community maintain a large selection of such public AMIs to facilitate rapid deployment of standardized environments. In contrast, shared AMIs are privately distributed between specific AWS accounts and remain invisible to the broader public. They are typically created by organizations for internal use, enabling consistent deployments across teams or development environments within the same or related accounts. Use of shared AMIs carries inherent risks, as AWS does not guarantee their security or integrity, emphasizing that recipients assume responsibility for validation. Community contributions play a key role in expanding public AMIs, with users able to publish their own by granting access to all AWS accounts through the EC2 console or API. Platforms like AWS re:Post serve as forums where users exchange recommendations on reliable public AMIs from trusted contributors. AWS encourages tagging public AMIs with descriptive metadata to enhance discoverability during searches. However, public and community AMIs have been associated with significant security risks. In May 2024, security firm Mitiga identified a community AMI containing malicious that ran an unidentified miner, highlighting vulnerabilities in unvetted images. More recently, in February 2025, researchers disclosed the "whoAMI" attack, which exploits name in public AMIs to achieve execution on EC2 instances launched from seemingly legitimate images. In response to such threats, AWS introduced the "Allowed AMIs" feature in December 2024, an account-wide setting that limits the discovery and use of AMIs to a predefined allowlist, helping mitigate these risks. When utilizing public or shared AMIs, best practices include scanning for vulnerabilities using tools like AWS Inspector and verifying the owner's reputation to mitigate risks such as embedded or unauthorized access credentials. For Linux-based AMIs, it is essential to check for and remove any pre-installed SSH keys or passwords before launch to prevent unintended access. Creators of shared AMIs should disable password logins, regenerate host keys, and minimize installed packages to reduce the . As of 2025, AWS enforces compliance with its for all public AMIs, prohibiting content that facilitates illegal activities or violates . To curb potential abuse, AWS provides the block public access feature for AMIs, which is enabled by default for new accounts and prevents unauthorized public sharing unless explicitly disabled. Users are advised to re-enable this setting after any necessary sharing to maintain .

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
  2. https://aws.amazon.com/blogs/aws/happy-15th-birthday-amazon-ec2/
  3. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/LaunchingAndUsingInstances.html
  4. https://aws.amazon.com/blogs/hpc/customizing-your-hpc-environment-building-amis-for-aws-parallel-computing-service/
  5. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html
  6. https://aws.amazon.com/blogs/containers/introducing-launch-template-and-custom-ami-support-in-amazon-eks-managed-node-groups/
  7. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html
  8. https://aws.amazon.com/blogs/aws/amazon_ec2_beta/
  9. https://aws.amazon.com/blogs/aws/new-amazon-ec2-feature-boot-from-elastic-block-store/
  10. https://aws.amazon.com/blogs/aws/big-day-for-ec2/
  11. https://aws.amazon.com/blogs/aws/the-new-amazon-ec2-instance-type-the-cluster-compute-instance/
  12. https://aws.amazon.com/blogs/aws/introducing-amazon-linux-ami/
  13. https://aws.amazon.com/blogs/aws/aws-marketplace-update-the-first-90-days/
  14. https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-ec2-bare-metal-instances-preview/
  15. https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html
  16. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
  17. https://docs.aws.amazon.com/ebs/latest/userguide/ebs-using-volumes.html
  18. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
  19. https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html
  20. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-block-device-mapping.html
  21. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html
  22. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_BlockDeviceMapping.html
  23. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html
  24. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html
  25. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/volume_limits.html
  26. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
  27. https://docs.aws.amazon.com/ebs/latest/userguide/what-is-ebs.html
  28. https://repost.aws/knowledge-center/instance-store-vs-ebs
  29. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_ConvertingS3toEBS.html
  30. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-ami-boot-mode.html
  31. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
  32. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
  33. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
  34. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html
  35. https://aws.amazon.com/ebs/pricing/
  36. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html
  37. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-ami-copy-works.html
  38. https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-ec2-lineage-information-amis/
  39. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/copy-ami-permissions.html
  40. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-quotas.html
  41. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
  42. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html
  43. https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-ec2-allowed-amis-enhance-ami-governance/
  44. https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-instances.html
  45. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-block-device-mapping.html
  46. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
  47. https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-ec2-wizard.html
  48. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html
  49. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html
  50. https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
  51. https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2.html
  52. https://aws.amazon.com/amazon-linux-2/
  53. https://aws.amazon.com/linux/amazon-linux-2023/
  54. https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html
  55. https://aws.amazon.com/amazon-linux-2/faqs/
  56. https://docs.aws.amazon.com/linux/al2/ug/al2-extras.html
  57. https://docs.aws.amazon.com/linux/al2023/ug/epel.html
  58. https://aws.amazon.com/amazon-linux-ami/
  59. https://github.com/amazonlinux/amazon-linux-2023
  60. https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-linux.html
  61. https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/
  62. https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al1.html
  63. https://docs.aws.amazon.com/linux/al2023/ug/release-cadence.html
  64. https://aws.amazon.com/linux/
  65. https://aws.amazon.com/blogs/aws/amazon-linux-2023-a-cloud-optimized-linux-distribution-with-long-term-support/
  66. https://docs.aws.amazon.com/marketplace/latest/userguide/what-is-marketplace.html
  67. https://docs.aws.amazon.com/marketplace/latest/userguide/pricing-ami-products.html
  68. https://docs.aws.amazon.com/marketplace/latest/userguide/ami-products.html
  69. https://aws.amazon.com/marketplace/pp/prodview-l6oos72bsyaks
  70. https://docs.aws.amazon.com/sap/latest/sap-netweaver/ami-orc-sap-nw-lx.html
  71. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/paid-amis.html
  72. https://docs.aws.amazon.com/marketplace/latest/userguide/product-and-ami-policies.html
  73. https://www.kerno.io/learn/creating-aws-ami-amazon-machine-image
  74. https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-marketplace.html
  75. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html
  76. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
  77. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-best-practices.html
  78. https://www.mitiga.io/blog/security-advisory-verify-aws-community-amis
  79. https://thehackernews.com/2025/02/new-whoami-attack-exploits-aws-ami-name.html
  80. https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/
  81. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-confirm.html
  82. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-to-amis.html
Add your contribution
Related Hubs
User Avatar
No comments yet.