Ensure that all the AWS EC2 instances required by your application stack are launched from your approved base Amazon Machine Images (AMIs), known as golden AMIs, in order to enforce consistency and save time when scaling your application.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
An approved (golden) AMI is a base EC2 machine image that contains a pre-configured OS and a well-defined stack of server software, fully configured to run your application. Using golden AMIs to create new EC2 instances within your AWS environment brings major benefits such as fast and stable application deployment and scaling, and secure application stack upgrades and versioning. You can go even further and automate golden AMI creation with open source tools such as Packer (https://www.packer.io/) and Netflix Aminator (https://github.com/Netflix/aminator).
Audit
To determine whether your EC2 instances are being launched from approved Amazon Machine Images (AMIs), perform the following:
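The core of that audit is comparing the ImageId of every live instance with your allowlist of golden AMI IDs. The following script is an added example (not Conformity's code) that runs this check over the JSON shape returned by `aws ec2 describe-instances`; the AMI and instance IDs, the Name tags and the allowlist are constructed sample values.

```python
"""Audit EC2 instances against an approved (golden) AMI allowlist.

Operates on the JSON that `aws ec2 describe-instances --output json`
returns, so the same function works on a live response or on the
constructed sample below. The allowlist is assumed to be maintained
by you (for example from `aws ec2 describe-images --owners self`).
"""
import json
import sys

# Constructed sample of a describe-instances response (IDs are made up).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "ImageId": "ami-0123456789abcdef0",
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "web-1"}]},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "ImageId": "ami-00000000000000bad",
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "adhoc-test"}]},
        ]},
        {"Instances": [
            # Terminated instance with no Tags key at all (edge case).
            {"InstanceId": "i-0ccccccccccccccc3", "ImageId": "ami-00000000000000bad",
             "State": {"Name": "terminated"}},
        ]},
    ]
}

# Constructed allowlist of golden AMI IDs.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210"}


def name_tag(instance):
    """Return the instance's Name tag, or '' when it has no such tag."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def find_unapproved_instances(response, approved_amis, ignore_states=("terminated",)):
    """Return (instance_id, image_id, name) for each instance, not in an
    ignored state, whose ImageId is absent from the golden-AMI allowlist."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") in ignore_states:
                continue
            if inst["ImageId"] not in approved_amis:
                findings.append((inst["InstanceId"], inst["ImageId"], name_tag(inst)))
    return findings


if __name__ == "__main__":
    # Pass a saved describe-instances JSON file as argv[1] to audit real data.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for instance_id, image_id, name in find_unapproved_instances(data, APPROVED_AMIS):
        print(f"NON-COMPLIANT {instance_id} ({name or 'no Name tag'}) launched from {image_id}")
```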
Remediation / Resolution
To create golden (approved) machine images and require your AWS administrators to launch EC2 instances only from these images, perform the following:
References
- AWS Documentation
  - Amazon EC2 FAQs
  - Getting Started with Amazon EC2 Linux Instances
  - Setting Up with Amazon EC2
  - Creating an Amazon EBS-Backed Linux AMI
  - Tutorial: Create and Attach Your First Customer Managed Policy
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-instances
    - describe-images
    - create-key-pair
    - create-security-group
    - run-instances
    - create-image
  - iam
    - create-policy
    - attach-group-policy
Rule: Approved/Golden AMIs
Risk level: Medium