AWS EC2 Image Builder — Re:Invent 2k19 — New Service


AWS EC2 Image Builder is a new service launched at AWS re:Invent 2019.

Let’s take an overview of it and then dig in.

Keeping server images up to date can be time-consuming, resource-intensive and error-prone. EC2 Image Builder makes it easier and faster to build and maintain secure images, both for use with Amazon EC2 and on-premises.

Introducing EC2 Image Builder, a service that simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows Server images for use with Amazon EC2 and on-premises.

What is EC2 Image Builder?

Amazon Elastic Compute Cloud Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date “golden” server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.

The images you build are created in your account and you can configure them for operating system patches on an ongoing basis.

So what are the basic features of this newly launched service?

Features:

1- Image Builder reduces the amount of work involved in creating and managing images at scale by automating your build pipelines. You can automate your builds by providing your build execution schedule preference.

2- Using built-in integrations with AWS Organizations, Image Builder enables you to enforce policies that restrict accounts to run instances only from approved AMIs.

Image Builder supports the Amazon Linux and Windows Server 2019/2016/2012 R2 operating systems. The supported image formats are existing AWS AMIs and EBS snapshots.

Concepts used in Image Builder:

Let’s take a look at the basic terminology used in the Image Builder service.

The first basic concept is the AMI (Amazon Machine Image).

AMI: An Amazon Machine Image (AMI) is the basic unit of deployment in Amazon EC2. An AMI is a pre-configured VM image that contains the OS and pre-installed software to deploy EC2 instances.

The second concept is a little newer: the image pipeline.

Image Pipeline: An image pipeline is the automation configuration for building secure OS images on AWS. The Image Builder image pipeline is associated with an image recipe (described in the next point) that defines the build, validation, and test phases for an image build lifecycle.

Image Recipe: An Image Builder image recipe is a document that defines the source image and the components to be applied to the source image to produce the desired configuration for the output image.

Source Image: The source image is the selected image and OS used in your image recipe document along with the components.

Build Components: Build components are orchestration documents that define a sequence of steps for downloading, installing, and configuring software packages.

Document: A declarative document (input to a configuration management application) that uses the YAML format to list the execution steps for build, validation, and test of an AMI on an instance.
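To make the build, validation, and test phases concrete, here is a component document written for this article as an added example (it is not one of the AWS-provided components). The component name, step names, and the sshd settings it enforces are assumptions chosen for illustration.

```yaml
# Added example: a hypothetical hardening component, not an AWS-managed one.
name: HardenSshd
description: Disable root and password SSH logins, then verify the result.
schemaVersion: 1.0
phases:
  # build: runs on the build instance and changes what ends up in the image.
  - name: build
    steps:
      - name: ApplySshdSettings
        action: ExecuteBash
        inputs:
          commands:
            - |
              set -e
              cfg=/etc/ssh/sshd_config
              sed -i -E 's/^#?\s*PermitRootLogin\s+.*/PermitRootLogin no/' "$cfg"
              sed -i -E 's/^#?\s*PasswordAuthentication\s+.*/PasswordAuthentication no/' "$cfg"
              # Refuse to continue if the edited file no longer parses.
              /usr/sbin/sshd -t
  # validate: still on the build instance, before the image is created.
  # A non-zero exit fails the build, so a silent sed miss is caught here.
  - name: validate
    steps:
      - name: CheckEffectiveConfig
        action: ExecuteBash
        inputs:
          commands:
            - |
              set -e
              /usr/sbin/sshd -T | grep -qx 'permitrootlogin no'
              /usr/sbin/sshd -T | grep -qx 'passwordauthentication no'
  # test: runs on a fresh instance launched from the output image.
  - name: test
    steps:
      - name: CheckOnLaunchedImage
        action: ExecuteBash
        inputs:
          commands:
            - |
              set -e
              /usr/sbin/sshd -T | grep -qx 'permitrootlogin no'
              /usr/sbin/sshd -T | grep -qx 'passwordauthentication no'
```

Checking the effective configuration with `sshd -T` rather than grepping the file means the build fails if a later `Match` block or include overrides the hardened value.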

The next question that surely comes to mind is how EC2 Image Builder works. Let’s check it out.

How Image Builder Works

When you use the Image Builder console to create a golden image, you will go through the following steps. Let’s check the above picture step by step.

Select source image. You select a source OS image, for example, an existing AMI or an Amazon EBS snapshot.

Create image recipe. You add components to create an image recipe for your image pipeline. Components are the building blocks that are consumed by an image recipe, for example, packages for installation, security hardening steps, and tests. The selected OS and components make up an image recipe.

Output. Image Builder creates an OS image in the selected output format.

Distribute. You distribute your image to selected AWS Regions after it passes tests in the image pipeline.

Let’s get our hands dirty with Hands-On.

The following prerequisites must be verified in order to create an image pipeline with EC2 Image Builder.

1- EC2 Image Builder uses Auto Scaling groups to launch instances during build and test phases of the image pipeline. To create an image with EC2 Image Builder, you must create an Amazon EC2 Auto Scaling group at least one time. When you use Amazon EC2 Auto Scaling, a required service-linked role is created in your account.

2- EC2 Image Builder uses a service-linked role to grant permissions to other AWS services on your behalf. You don’t need to manually create a service-linked role. When you create your first Image Builder resource in the AWS Management Console, the AWS CLI, or the AWS API, Image Builder creates the service-linked role for you.

Go to AWS Console & search for EC2 Image Builder.

EC2 Image Builder Main Page

Click on Create Image Pipeline.

Define Recipe

On the Define Recipe page, create an image recipe, which includes your source image and components.

Choose your source image. The source image includes the image OS and the image to configure. After selecting your image OS, you have three options to select an image to configure.

Select an image from the managed images, which includes Image Builder images to help you get started, images that you have already created, and images that have been shared with you. To select an image, enter the image ARN in the text box, or select Browse images to view managed images.

Use a custom AMI by entering the AMI ID.

Select the Build components. Components are installation packages, security hardening steps, and tests to be consumed by the image recipe when building your image. After an image recipe has been created, its components cannot be modified or replaced. If you want to update the components in an image recipe, create a new image recipe or image recipe version. Components include two component types.

Build components: Build components are installation packages and security hardening steps. You can enter a component ARN or browse and select from a list of Image Builder components to help you get started. To create a new component, select Create Component.

Tests: Test components are tests to perform on the output image built by your image pipeline. Enter a test component ARN or browse and select from a list of Image Builder test components to help you get started. To create a new component, select Create Component.

Configure Pipeline

Provide the following specifications under Pipeline details.

Enter a Name for your image pipeline. You must use a unique name for your image pipeline.

Provide an optional Description for your image deployment pipeline.

Select an IAM role to associate with the instance profile or Create a new role. If you create a new role, Image Builder will take you to the IAM console. As a starting point, you can use the following IAM role policy: “EC2InstanceProfileForImageBuilder”.

Build Schedule

Select a Build schedule to run your image pipeline.

If you select Manual, you can choose when to run the pipeline. When you want to run the pipeline.

Select an Instance type. The instance type selected should adhere to the requirements of the software that you plan to run on your instance.

If you want to receive notifications and alerts from Image Builder regarding any steps performed in your image pipeline, you can enter an SNS topic ARN to be notified by the AWS Simple Notification Service (SNS).

Under Troubleshooting settings:

Select an existing key pair from the drop-down list or create a new one.

Select whether or not you want to Terminate your instance upon failure by selecting the check box. If you want to be able to troubleshoot the instance when the image build fails, then make sure the check box is not checked.

Under S3 Logs, select the S3 bucket to which you want to send your instance log files. To browse and select your Amazon S3 bucket locations, select Browse S3.

Under Advanced Settings, provide the following information if you want to select a VPC to launch your instance.

Under Associate license configuration to AMI, you can choose to associate the output AMI with a pre-existing license configuration that you created with AWS License Manager.

Provide the specifications under Output AMI.

On the Review and create page, you can review all of your settings before you create your image pipeline. Review your Recipe details, your Pipeline configuration details, and your Additional settings.

Pipeline Created.

When your image pipeline creation succeeds, you are taken to the Image pipelines page. From here, you can manage, delete, disable, view details about, and run your image pipeline.
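The same console choices can be captured declaratively so they are reviewable and repeatable. The CloudFormation template below is an added example, not part of the original walkthrough; every resource name, the parameters, the instance type, the schedule, and the Amazon Linux 2 parent image ARN are assumptions.

```yaml
# Added example: all names and values below are hypothetical.
AWSTemplateFormatVersion: '2010-09-09'
Description: Image pipeline mirroring the console steps above.
Parameters:
  InstanceProfileName:    # existing instance profile for the build instance
    Type: String
  HardeningComponentArn:  # ARN of a build component you created
    Type: String
  LogBucketName:          # S3 bucket that receives the instance logs
    Type: String
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  Recipe:                 # "Define Recipe": source image plus components
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: golden-al2-recipe
      Version: '1.0.0'
      ParentImage: !Sub arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/amazon-linux-2-x86/x.x.x
      Components:
        - ComponentArn: !Ref HardeningComponentArn
  Infra:                  # instance type, troubleshooting, S3 logs, VPC
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: golden-al2-infra
      InstanceProfileName: !Ref InstanceProfileName
      InstanceTypes: [t3.medium]
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [!Ref SecurityGroupId]
      # KeyPair is left out; set it and use false below only while debugging.
      TerminateInstanceOnFailure: true
      Logging:
        S3Logs:
          S3BucketName: !Ref LogBucketName
          S3KeyPrefix: imagebuilder-logs
  Pipeline:               # "Configure Pipeline" and "Build Schedule"
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: golden-al2-pipeline
      Description: Scheduled rebuild of the hardened image
      ImageRecipeArn: !GetAtt Recipe.Arn
      InfrastructureConfigurationArn: !GetAtt Infra.Arn
      Schedule:
        ScheduleExpression: 'cron(0 0 * * ? *)'
        PipelineExecutionStartCondition: EXPRESSION_MATCH_ONLY
      Status: ENABLED
```

Because a recipe's components cannot be changed after creation, updating the hardening component means bumping `Version` on the recipe rather than editing it in place.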

Let’s run the pipeline.

Pipeline execution initiated successfully.

When you go to the EC2 Instances dashboard, you will be able to see the instance.

Security in EC2 Image Builder:

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties.

Troubleshooting:

EC2 Image Builder integrates with AWS services for monitoring and troubleshooting to help you troubleshoot image build issues. EC2 Image Builder tracks and displays the progress for each step in the image building process. Logs are exported to an Amazon S3 location that you provide.

Automate OS Image Build Pipelines with EC2 Image Builder