2.1.3.4. Automating EC2 Instance & Container Image Builds (EC2 Image Builder)
Manually configuring AMIs — installing packages, applying patches, hardening the OS — guarantees that no two instances are identical. EC2 Image Builder automates this into a repeatable, testable pipeline.
Image Builder pipeline components:
- Recipe: Base image (Amazon Linux 2, Ubuntu, Windows) + ordered list of build components (install software, configure settings) + test components (validate the image works)
- Infrastructure configuration: Instance type, VPC/subnet, IAM role, and security group for the build instance
- Distribution settings: Target regions and accounts for the output AMI. Can share via AMI sharing, AWS RAM, or copy to specific accounts.
Build components use a YAML document format:
```yaml
name: InstallNginx
schemaVersion: 1.0
phases:
  - name: build
    steps:
      - name: InstallNginx
        action: ExecuteBash
        inputs:
          commands:
            - yum install -y nginx
            - systemctl enable nginx
  - name: validate
    steps:
      - name: TestNginx
        action: ExecuteBash
        inputs:
          commands:
            - nginx -t # Fails the build if config is invalid
```
CI/CD integration: Trigger Image Builder pipelines from CodePipeline when base AMI updates are available (via EventBridge rules on AMI creation events) or on a schedule (e.g., weekly patching). The pipeline builds a new AMI, runs tests, and distributes to target regions.
Container image builds follow a similar pattern using Docker and CodeBuild. Use multi-stage Dockerfiles to minimize image size, and scan with ECR's built-in Inspector scanning before promoting to production repositories.
Exam Trap: Image Builder instances need internet access to download packages (NAT Gateway or public subnet) and an instance profile with ec2:CreateImage, s3:PutObject, and any permissions needed by build components. Missing permissions cause silent build failures.
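To show how the pieces above fit together (component, recipe, infrastructure configuration, distribution settings, a weekly schedule and the build-instance profile from the exam trap), here is an added CloudFormation template written for these notes; it is an illustration, not an AWS-provided template. The subnet, security group and target account ID are stack parameters or placeholders, `eu-west-1` and `t3.small` are arbitrary choices, and the parent image is the Amazon-managed Amazon Linux 2 image referenced with the `x.x.x` wildcard so the recipe always picks up the latest patched base. The instance role attaches the two AWS managed policies Image Builder documents for build instances; any extra access a build component needs (for example reading an artifact bucket) has to be added to that role explicitly.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative EC2 Image Builder pipeline (added example, not from the notes):
  nginx component -> recipe -> infrastructure/distribution config -> weekly pipeline.

Parameters:
  BuildSubnetId:
    Type: AWS::EC2::Subnet::Id        # must route to the internet (NAT or public) so yum can fetch packages
  BuildSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id # egress only; SSM needs no inbound rules
  ShareWithAccountId:
    Type: String
    Default: "111111111111"           # placeholder account that receives the AMI

Resources:
  # Instance profile for the build instance (the service itself uses its own service-linked role).
  BuildInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  BuildInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BuildInstanceRole]

  # Same component document as above, registered as a versioned resource.
  InstallNginxComponent:
    Type: AWS::ImageBuilder::Component
    Properties:
      Name: InstallNginx
      Platform: Linux
      Version: 1.0.0
      Data: |
        name: InstallNginx
        schemaVersion: 1.0
        phases:
          - name: build
            steps:
              - name: InstallNginx
                action: ExecuteBash
                inputs:
                  commands:
                    - yum install -y nginx
                    - systemctl enable nginx
          - name: validate
            steps:
              - name: TestNginx
                action: ExecuteBash
                inputs:
                  commands:
                    - nginx -t

  NginxRecipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: nginx-al2
      Version: 1.0.0
      ParentImage: !Sub arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/amazon-linux-2-x86/x.x.x
      Components:
        - ComponentArn: !Ref InstallNginxComponent

  BuildInfra:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: nginx-build-infra
      InstanceProfileName: !Ref BuildInstanceProfile
      InstanceTypes: [t3.small]
      SubnetId: !Ref BuildSubnetId
      SecurityGroupIds: [!Ref BuildSecurityGroupId]
      TerminateInstanceOnFailure: true  # no half-built instances left running after a failed build

  AmiDistribution:
    Type: AWS::ImageBuilder::DistributionConfiguration
    Properties:
      Name: nginx-distribution
      Distributions:
        - Region: !Ref AWS::Region
          AmiDistributionConfiguration:
            Name: "nginx-al2-{{ imagebuilder:buildDate }}"
            LaunchPermissionConfiguration:
              UserIds: [!Ref ShareWithAccountId]   # AMI sharing to one account
        - Region: eu-west-1                         # copy of the output AMI to a second region
          AmiDistributionConfiguration:
            Name: "nginx-al2-{{ imagebuilder:buildDate }}"

  NginxPipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: nginx-weekly
      ImageRecipeArn: !Ref NginxRecipe
      InfrastructureConfigurationArn: !Ref BuildInfra
      DistributionConfigurationArn: !Ref AmiDistribution
      ImageTestsConfiguration:
        ImageTestsEnabled: true  # a failing validate/test phase stops distribution
      Schedule:
        ScheduleExpression: cron(0 3 ? * SUN *)   # every Sunday 03:00 UTC
        # Only build on the schedule when the base image or a component has a newer version
        PipelineExecutionStartCondition: EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE
      Status: ENABLED
```

Deploy it with `aws cloudformation deploy --template-file pipeline.yaml --stack-name nginx-image-pipeline --capabilities CAPABILITY_IAM --parameter-overrides BuildSubnetId=... BuildSecurityGroupId=...`; the start condition on the schedule is what makes the "rebuild when a patched base AMI appears" behaviour work without a separate EventBridge rule, while the `validate` phase and `ImageTestsEnabled` ensure a broken image is never distributed.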
