Description:

An Amazon Machine Image (AMI) is a template that contains the software configuration (operating system, application server, and applications) required to launch your instance.

An Amazon Machine Image (AMI) is a supported and maintained image provided by AWS that provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you require multiple instances with the same configuration. You can use different AMIs to launch instances when you require instances with different configurations. 


Rationale:

An outdated AMI check verifies that the templates used to launch instances are not older than x days. The value of x is set by the organization; common choices are 60, 90, 120, or 180 days. For this policy, as a best practice, x is taken to be 60 days. Launching instances from up-to-date AMIs is strongly recommended.


Impact:

An up-to-date AMI contains the latest template configuration, including the latest security patches. Launching your EC2 instances from an updated AMI keeps them secure and reliable.


Default Value:

By default, AMI will never expire.


Pre-Requisite:

  • Sign in as admin or IAM user with required permissions


Remediation:

Test Plan:

  • Log in to the AWS Management Console 

  • Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/

  • In the left navigation pane, under the Images section, click AMIs

  • Select the image that you want to examine

  • Click the Detail tab at the bottom of the dashboard panel. In the Detail panel, you can see the Creation date of the AMI

  • If the age of the selected Amazon Machine Image is greater than 60 days, the AMI is considered outdated and it must be updated.


Using AWS CLI:

To describe an image in a particular region and query its creation date:

aws ec2 describe-images \
  --region <region> \
  --image-ids ami-xxxxxxxx \
  --query 'Images[*].CreationDate'

Implementation Steps:

To re-create each outdated AWS AMI with an up-to-date software stack, perform the following:

  1. Log in to the AWS Management Console 

  2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. In the left navigation panel, under the IMAGES section, choose AMIs.

  4. Select the old image that you want to recreate.

  • Click the Launch instance from AMI button from the AMI dashboard top menu to initiate the launch process using the selected AMI.

  • On Choose an Instance Type page, select the appropriate EC2 instance type, then click Next: Configure Instance Details button.

  • On Configure Instance Details page, configure any options available, based on your application requirements. Click Next: Add Storage and go through the next pages until you reach the Review and Launch page, without changing any configuration settings.

  • On the Review Instance Launch page, review your EC2 instance configuration details, then click Launch.

  • In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the key pair associated with the AMI that you want to recreate. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.



 Note: If you select Create key pair in the dialog box, follow these steps:

  1. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can’t include leading or trailing spaces.

  2. For Key pair type, choose either RSA or ED25519.

  3. For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with Putty, choose ppk.

  4. To add a tag to the public key, choose Add tag, and enter the key and value for the tag. Repeat for each tag.

  5. Choose Create key pair

  6. The private key file is automatically downloaded by your browser. The base file name is the name that you specified as the name of your key pair, and the file name extension is determined by the file format that you chose. Save the private key file in a safe place.



  • Click View Instances to return to the Instances page.

  • Now that the instance is ready, it’s time to create the new (updated) AMI. Choose Instances from the navigation panel and select the newly created EC2 instance.

  • Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.



  • Inside Create Image dialog box, perform the following:

    1. Enter a name for the new AMI in the Image Name box.

    2. In the Image description box, provide a description of the software stack installed, the purpose of the image and the version.

    3. Leave the No reboot option unchecked so that AWS can guarantee the file system integrity of the new image.

    4. If required, update the image volume size and/or type inside the Instance Volumes section.


  • Click Create Image to submit the request to create the image. 

  • Click Close to return to the EC2 dashboard. The image creation process may take a few minutes. Once the process is complete, the AMI status should change from pending to available. The description defined for the new AMI should contain the image version, which is necessary for resource management.


(Optional) Terminate instances

If an instance that you launched from the AMI is no longer required, you can terminate it.

  1. In the navigation pane, choose Instances, and then select the instance to terminate.

  2. Choose Instance state, Terminate instance. When prompted for confirmation, choose Terminate.


AWS CLI Commands:

1. To create an instance

 aws ec2 run-instances \
   --image-id <ami-xxxxxxx> \
   --count <no of instances to run> \
   --instance-type <value> \
   --key-name <value> \
   --security-group-ids <value>


Note: key-name = the name of an existing key pair.

      security-group-ids = the default security group ID from the VPC, or the ID of a newly created security group.

2. To create an image

 aws ec2 create-image \
   --instance-id <value> \
   --name "my image" \
   --description "An AMI for my server"
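The Test Plan age check and the Implementation Steps above, as an added example that is not part of this policy page. The age check is pure and runs offline on a constructed sample in the shape of describe-images output; audit_region and rebuild_ami are live wrappers that assume boto3 is installed, AWS credentials are configured, and the caller supplies the hypothetical region, key pair, security group and image names.

```python
from datetime import datetime, timezone

MAX_AGE_DAYS = 60  # policy threshold from the Rationale section

# Constructed sample in the shape of `aws ec2 describe-images` output
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "web-base",
     "CreationDate": "2024-01-10T08:15:00.000Z"},
    {"ImageId": "ami-0000000000000002", "Name": "web-base-rebuilt",
     "CreationDate": "2024-03-20T09:00:00.000Z"},
]
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed "today"


def image_age_days(image, now):
    """Whole days since the AMI's CreationDate (ISO 8601 with ms, UTC)."""
    created = datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return (now - created.replace(tzinfo=timezone.utc)).days


def outdated_amis(images, now, max_age_days=MAX_AGE_DAYS):
    """Return [(ImageId, age_days)] for images older than the threshold."""
    return [(img["ImageId"], age) for img in images
            if (age := image_age_days(img, now)) > max_age_days]


def audit_region(region):
    """Live version of the Test Plan: check the account's own AMIs."""
    import boto3  # lazy import so the offline check needs no AWS access
    ec2 = boto3.client("ec2", region_name=region)
    images = ec2.describe_images(Owners=["self"])["Images"]
    return outdated_amis(images, datetime.now(timezone.utc))


def rebuild_ami(region, old_ami, instance_type, key_name, sg_id, new_name):
    """Live version of the Implementation Steps: launch from the old AMI,
    image the instance (NoReboot=False keeps the filesystem consistent),
    wait until the new AMI is available, then terminate the builder."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.run_instances(ImageId=old_ami, MinCount=1, MaxCount=1,
                             InstanceType=instance_type, KeyName=key_name,
                             SecurityGroupIds=[sg_id])
    inst = resp["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[inst])
    new_ami = ec2.create_image(InstanceId=inst, Name=new_name, NoReboot=False,
                               Description=f"Rebuilt from {old_ami}")["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_ami])
    ec2.terminate_instances(InstanceIds=[inst])
    return new_ami
```

Run outdated_amis(SAMPLE_IMAGES, SAMPLE_NOW) to see the offline check flag only the older sample image; the live functions are only called when you pass real account parameters.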



Backout Plan:

If the image is not required, you can delete it:

  • In the left navigation pane, under the Images section, click AMIs

  • Select the image that needs to be deleted.

  • Click the Action menu button and click Deregister AMI.

  • To confirm deregistration of the older image, click Continue.

AWS CLI Commands:

To deregister the AMI:

 aws ec2 deregister-image \
   --image-id <value>



Reference:

  1. Amazon Machine Images (AMI) - Amazon Elastic Compute Cloud