This topic provides best practices and references to help you build Amazon Machine Images (AMIs) for use with AWS Marketplace. AMIs built and submitted to AWS Marketplace must adhere to all AWS Marketplace product policies. For more information, see the following sections.
Topics
Securing resell rights
For non-free Linux distributions, you are responsible for securing resell rights for them with the exception of AWS-provided Amazon Linux, RHEL and SUSE. You don’t need to secure resell rights for Windows AMIs.
Building an AMI
Use the following guidelines for building AMIs:
-
Ensure that your AMI meets all AWS Marketplace policies.
-
Create your AMI in the US East (N. Virginia) Region.
-
Create products from existing, well-maintained AMIs backed by Amazon Elastic Block Store (Amazon EBS) with a clearly defined lifecycle provided by trusted, reputable sources such as AWS Marketplace.
-
Build AMIs using the most up-to-date operating systems, packages, and software.
-
Ensure that your AMI is based on a public Amazon EC2 AMI, that uses hardware virtual machine (HVM) virtualization and 64-bit architecture.
-
Develop a repeatable process for building, updating, and republishing AMIs.
-
Use a consistent operating system (OS) user name across all versions and products. The recommended default user names are
ec2-userfor Linux and other Unix-like systems, andAdministratorfor Windows. -
Before submitting a final AMI to AWS Marketplace publishing, launch and test an instance from your AMI to verify the intended end-user experience. Test all installation methods, features, and performance on this instance.
-
Check port settings as follows:
-
As a best practice security configuration
against open firewalls, reverse proxies, and SSRF vulnerabilities, the IMDS support option must be set to IMDSv2 only. The following CLI can be used when registering a new AMI at the final build phase: aws ec2 register-image --name my-image --root-device-name /dev/xvda --block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=snap-0123456789example} --architecture x86_64 --imds-support v2.0
-
For more information about creating an AMI, see the following resources:
-
Create an Amazon EBS-backed AMI in the Amazon EC2 User Guide
-
Create an Amazon EC2 AMI using Windows Sysprep in the Amazon EC2 User Guide
-
How do I create an Amazon Machine Image (AMI) from an EBS-backed instance?
-
Configuring an AMI for IMDS V2 use by default
Preparing and securing your AMI for AWS Marketplace
We recommend the following guidelines for creating secure AMIs:
-
Use the Guidelines for Shared Linux AMIs in the Amazon EC2 User Guide
-
Architect your AMI to deploy as a minimum installation to reduce the attack surface. Disable or remove unnecessary services and programs.
-
Whenever possible, use end-to-end encryption for network traffic. For example, use Secure Sockets Layer (SSL) to secure HTTP sessions between you and your buyers. Ensure that your service uses only valid and up-to-date certificates.
-
When documenting your AMI product, provide security group recommendations for buyers to control inbound traffic access to their instances. Your recommendations should specify the following:
-
The minimum set of ports required for your services to function.
-
The recommended ports and source IP address ranges for administrative access.
These security group recommendations help buyers implement proper access controls. For more information about how to add a new version to your AMI product, see Add a new version.
-
-
Consider performing a penetration test against your AWS computing environment at regular intervals, or consider employing a third party to conduct such tests on your behalf. For more information, including a penetration testing request form, see AWS Penetration Testing
. -
Be aware of the top 10 vulnerabilities for web applications, and build your applications accordingly. To learn more, see Open Web Application Security Project (OWASP) - Top 10 Web Application Security Risks
. When new internet vulnerabilities are discovered, promptly update any web applications that ship in your AMI. Examples of resources that include this information are SecurityFocus and the NIST National Vulnerability Database .
For more information related to security, see the following resources:
Scanning your AMI for publishing requirements
To verify your AMI before submitting it as a new version, use the Test 'Add Version' feature in the AWS Marketplace Management Portal. Test 'Add Version' will check for unpatched common vulnerabilities and exposures (CVEs) and verify that your AMI follows security best practices. For more information, see Preparing and securing your AMI for AWS Marketplace
From the AWS Marketplace Management Portal, choose Amazon Machine Image from the Assets menu. Choose Add AMI to start the scanning process. You can see the scan status of AMIs by returning to this page.
Note
To learn about giving AWS Marketplace access to your AMI, see Giving AWS Marketplace access to your AMI.
Verifying your software is running on your AWS Marketplace
AMI
You may wish to have your software verify at runtime that it is running on an Amazon EC2 instance created from your AMI product.
To verify the Amazon EC2 instance is created from your AMI product, use the instance metadata service built into Amazon EC2. The following steps take you through this validation. For more information about using the metadata service, see Instance metadata and user data in the Amazon Elastic Compute Cloud User Guide.
-
Obtain the instance identity document
Each running instance has an identity document accessible from the instance that provides data about the instance itself. The following example shows using curl from the instance to retrieve the instance identity document.
IMDSv2: (Recommended)
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document { "accountId" : "0123456789", "architecture" : "x86_64", "availabilityZone" : "us-east-1e", "billingProducts" : null, "devpayProductCodes" : null, "marketplaceProductCodes" : [ "0vg0000000000000000000000" ], "imageId" : "ami-0123456789abcdef1", "instanceId" : "i-0123456789abcdef0", "instanceType" : "t2.medium", "kernelId" : null, "pendingTime" : "2020-02-25T20:23:14Z", "privateIp" : "10.0.0.2", "ramdiskId" : null, "region" : "us-east-1", "version" : "2017-09-30" }IMDSv1:
curl http://169.254.169.254/latest/dynamic/instance-identity/document{ "accountId" : "0123456789", "architecture" : "x86_64", "availabilityZone" : "us-east-1e", "billingProducts" : null, "devpayProductCodes" : null, "marketplaceProductCodes" : [ "0vg0000000000000000000000" ], "imageId" : "ami-0123456789abcdef1", "instanceId" : "i-0123456789abcdef0", "instanceType" : "t2.medium", "kernelId" : null, "pendingTime" : "2020-02-25T20:23:14Z", "privateIp" : "10.0.0.2", "ramdiskId" : null, "region" : "us-east-1", "version" : "2017-09-30" } -
Verify the instance identity document
You can verify that the instance identity is correct using the signature. For details about this process, see Instance identity documents in the Amazon Elastic Compute Cloud User guide.
-
Verify the product code
When you initially submit your AMI product for publishing, your product is assigned a product code by AWS Marketplace. You can verify the product code by checking the
marketplaceProductCodesfield in the instance identity document, or you can get it directly from the metadata service:IMDSv2:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/product-codesIf the product code matches the one for your AMI product, then the instance was created from your product.
You may also wish to verify other information from the instance identity document, such as
the instanceId and the instance privateIp.
