01
Sign in to the AWS Management Console.
02
Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03
In the left navigation panel, under INSTANCES section, choose Instances.
04
Click the Launch Instance button from the EC2 dashboard top menu and create your base Linux/Windows instance. During the instance creation process you have the option to pass user data (shell scripts, cloud-init directives, etc.) or to use configuration management tools such as Chef or Puppet to install server software automatically after the EC2 instance starts.
05
Once the instance is running, install and configure the software needed to run your application, harden the OS and the software stack, and upload your application. Test the entire software stack (including your application) to make sure that the EC2 instance qualifies as the golden image (AMI). Before imaging, remove anything that must not be baked into every future instance: credentials and API keys, SSH host keys and authorized_keys entries used during setup, shell history, and logs. An AMI captures the full contents of the root volume, so whatever is left on disk is copied into every instance launched from it.
06
Now that the instance is ready, it’s time to create the AMI. Choose Instances from the navigation panel and select the newly created EC2 instance.
07
Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
08
Inside Create Image dialog box, perform the following:
- Enter a name for the new AMI in the Image Name box.
- In the Image description box, provide a description of the software stack installed, the purpose of the image and the version.
- Leave the No reboot option unchecked, so that AWS shuts the instance down before taking the snapshot and can guarantee the file system integrity of the new image.
- If required, update the image volume size and/or type inside the Instance Volumes section.
09
Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The image creation process may take a few minutes. Once the process is complete, the AMI status should change from pending to available.
10
Now that the golden AMI is ready for use, restrict the permissions of your EC2 administrators so that they can launch EC2 instances only from the new (approved) AMI. To implement this restriction, create a custom IAM policy and attach it to the EC2 administrators IAM group. To create the policy, perform the following:
- Go to IAM dashboard at https://console.aws.amazon.com/iam/.
- In the left navigation panel, choose Policies and click Create Policy button from the dashboard top menu.
- On the Create Policy page, select Create Your Own Policy.
- On the Review Policy page, enter the following information:
- In the Policy Name box, enter a name for your custom policy. Choose a unique name that will reflect the policy usage (e.g. ApprovedAMIPolicy).
- In the Description textbox, enter a short description for the policy (optional).
- In the Policy Document textbox, paste the following policy and replace region, account-id and the snapshot ID (snap-c5c0a423 in this example) with your own values. The snapshot ID is the EBS snapshot backing the root volume of your golden AMI; you can find it in the AMI description panel, under Block Devices. The ec2:ParentSnapshot condition key is only present when the volume resource of a RunInstances request is evaluated, so the condition is applied to volume/* alone, and the other resource types that RunInstances touches (image, instance, network interface, subnet, security group, key pair) are granted in a second statement. A single statement with Resource "*" would fail the condition for those resources and deny every launch:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ApprovedRootSnapshotOnly",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:region:account-id:volume/*",
        "Condition": {
          "ArnEquals": {
            "ec2:ParentSnapshot": "arn:aws:ec2:region::snapshot/snap-c5c0a423"
          }
        }
      },
      {
        "Sid": "OtherRunInstancesResources",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
          "arn:aws:ec2:region::image/ami-*",
          "arn:aws:ec2:region:account-id:instance/*",
          "arn:aws:ec2:region:account-id:network-interface/*",
          "arn:aws:ec2:region:account-id:subnet/*",
          "arn:aws:ec2:region:account-id:security-group/*",
          "arn:aws:ec2:region:account-id:key-pair/*"
        ]
      }
    ]
  }
  Two limitations are worth knowing. The check is made on the snapshot rather than on the AMI ID, so any EBS-backed AMI registered from the approved snapshot also passes, while an instance-store-backed AMI, which has no root EBS volume, is not checked at all. Additional data volumes created from scratch in the launch request have no parent snapshot and are therefore denied; attach such volumes after launch instead.
- Click Validate Policy button to validate the policy document then click Create Policy to save it.
11
To attach the custom policy created at the previous step to the necessary IAM group, perform the following actions:
- In the navigation panel, choose Groups and click on the EC2 administrators group to access its configuration page.
- On the group configuration page, select the Permissions tab and click Attach Policy button to attach the IAM custom policy created earlier.
- Select Customer Managed Policies from the Filter dropdown menu and select your newly created policy.
- Click Attach Policy to attach the selected policy to the IAM group.
- Confirm that the policy is now listed on the group's Permissions tab, and that no other policy attached to the group (or directly to its members) grants ec2:RunInstances without this condition. IAM permissions are additive, so an unconditional allow elsewhere (for example AmazonEC2FullAccess) would let the administrators launch instances from any AMI and make this restriction ineffective.
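As an added example (not part of the original page), the following Python script derives the policy from step 10 from AWS CLI output instead of the console: it reads the JSON that `aws ec2 describe-images --image-ids <ami-id> --owners self` prints, takes the EBS snapshot behind the AMI's root device, and renders the two-statement RunInstances policy. The describe-images document embedded in it is constructed sample data (the AMI ID is made up; the snapshot ID is the one used in step 10), and the region and account ID are passed on the command line, with placeholders when none are given. It also refuses instance-store-backed AMIs, since the ec2:ParentSnapshot condition cannot constrain those.

```python
"""Render the approved-AMI IAM policy from an AMI's root snapshot.

Added example, not part of the original page. Reads the output of
`aws ec2 describe-images --image-ids <ami-id> --owners self` from stdin
(or falls back to the constructed sample below), finds the EBS snapshot
behind the root device and emits the two-statement RunInstances policy.
"""
import json
import re
import sys

# EBS snapshot IDs are "snap-" followed by 8 or 17 hex characters.
SNAPSHOT_ID_RE = re.compile(r"^snap-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Constructed sample of describe-images output: the AMI ID is made up,
# the snapshot ID is the one used in the policy above.
SAMPLE_DESCRIBE_IMAGES = {
    "Images": [
        {
            "ImageId": "ami-0123456789abcdef0",
            "Name": "golden-web-frontend-v1",
            "State": "available",
            "RootDeviceType": "ebs",
            "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-c5c0a423", "VolumeSize": 8,
                         "VolumeType": "gp2", "DeleteOnTermination": True}},
                # Instance-store mapping: has no snapshot and is skipped.
                {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"},
            ],
        }
    ]
}


def root_snapshot_id(image):
    """Return the snapshot ID backing the AMI's root device.

    Instance-store AMIs have no root EBS volume, so ec2:ParentSnapshot is
    never evaluated for them; refuse them rather than emit a policy that
    does not constrain the launch.
    """
    if image.get("RootDeviceType") != "ebs":
        raise ValueError("%s is not EBS-backed" % image.get("ImageId"))
    root = image["RootDeviceName"]
    for mapping in image.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root and "Ebs" in mapping:
            snap = mapping["Ebs"].get("SnapshotId", "")
            if not SNAPSHOT_ID_RE.match(snap):
                raise ValueError("unexpected snapshot ID %r" % snap)
            return snap
    raise ValueError("no EBS mapping for root device %s" % root)


def snapshot_arn(region, snapshot_id):
    # Snapshot ARNs carry an empty account field.
    return "arn:aws:ec2:%s::snapshot/%s" % (region, snapshot_id)


def approved_ami_policy(region, account_id, snapshot_id):
    """The ParentSnapshot condition applies to volume/* only; every other
    resource type RunInstances evaluates is granted in a second statement."""
    scoped = "arn:aws:ec2:%s:%s:" % (region, account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ApprovedRootSnapshotOnly",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": scoped + "volume/*",
                "Condition": {"ArnEquals": {
                    "ec2:ParentSnapshot": snapshot_arn(region, snapshot_id)}},
            },
            {
                "Sid": "OtherRunInstancesResources",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    "arn:aws:ec2:%s::image/ami-*" % region,
                    scoped + "instance/*",
                    scoped + "network-interface/*",
                    scoped + "subnet/*",
                    scoped + "security-group/*",
                    scoped + "key-pair/*",
                ],
            },
        ],
    }


def policy_from_describe_images(doc, region, account_id):
    """Accept a full describe-images document describing exactly one AMI."""
    images = doc.get("Images", [])
    if len(images) != 1:
        raise ValueError("expected exactly one image, got %d" % len(images))
    return approved_ami_policy(region, account_id, root_snapshot_id(images[0]))


if __name__ == "__main__":
    # Usage: aws ec2 describe-images --image-ids ami-... --owners self \
    #          | python approved_ami_policy.py us-east-1 123456789012
    args = sys.argv[1:]
    region = args[0] if len(args) > 0 else "region"
    account = args[1] if len(args) > 1 else "account-id"
    doc = SAMPLE_DESCRIBE_IMAGES if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(policy_from_describe_images(doc, region, account), indent=2))
```

Pipe the real describe-images output into the script and paste the printed document into the Policy Document box; reading the snapshot from the AMI's own block device mapping avoids copying the wrong snap- ID from the console when several AMIs share a name.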