4.2.1. Hardened AMIs and Container Images

First Principle: Compute security starts at the image. Every EC2 instance and container inherits the security posture of its base image — a hardened golden AMI with no unnecessary packages eliminates entire categories of vulnerabilities before a single line of application code runs.

EC2 Image Builder automates secure AMI creation:

• Define image pipelines that build, test, and distribute AMIs on a schedule
• Start from AWS base AMIs, then apply hardening components (CIS benchmarks, STIG compliance)
• Run automated tests before distributing (e.g., verify no open ports, no default credentials)
• Distribute approved AMIs across accounts and Regions

Systems Manager for fleet-wide image compliance:

• State Manager: Enforce configuration baselines (ensure required agents are installed)
• Patch Manager: Apply OS and application patches to running instances
• Inventory: Track installed software and configurations across all managed instances

Container Image Security:

• Use minimal base images (Alpine, distroless) to reduce attack surface
• Scan images with Amazon Inspector during build (CI/CD integration)
• Sign images with Docker Content Trust or AWS Signer to verify integrity
• Store in Amazon ECR with image scanning enabled and immutable tags

⚠️ Exam Trap: Image Builder creates AMIs. Inspector scans them for vulnerabilities. These are complementary — Image Builder doesn't scan for CVEs, and Inspector doesn't create AMIs. Know which does what.

Scenario: A security team creates a hardened AMI pipeline using Image Builder that starts from the latest Amazon Linux 2023 AMI, applies CIS Level 2 hardening, removes unnecessary packages, and runs Inspector to verify zero critical/high CVEs before distribution.

Reflection Question: Why is building security into the image (shift-left) more effective than patching running instances (shift-right)?