- EC2 AMI Too Old
Ensure that your existing Amazon Machine Images (AMIs) are not older than 180 days in order to ensure their reliability and to meet cloud security and compliance requirements.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.
Using up-to-date AMIs to launch your Amazon EC2 instances brings major benefits to your AWS application stack, keeping your EC2 deployments secure and reliable. You can go even further and automate the update of old AMIs with AWS Systems Manager or open-source tools such as Packer and Netflix Aminator.
The default value set for the maximum AMI age is 180 days. However, you can change the default threshold for this rule using the TrendAI Vision One™ Cloud Risk Management Dashboard and set your own value for the AMI age based on your application needs.
Audit
To determine if you have any outdated AMIs (i.e., older than 180 days) available within your AWS cloud account, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under Images, choose AMIs.
04 Select the Amazon Machine Image (AMI) that you want to examine.
05 Select the Details tab from the console split panel to access the AMI configuration information.
06 Check the Creation date attribute value to determine the age of the verified image. If the age of the selected Amazon Machine Image (AMI) is greater than 180 days, the AMI is considered outdated and requires updates.
07 Repeat steps no. 4 - 6 for each AMI available within the current AWS region.
08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-images command (OSX/Linux/UNIX) with custom output filters to describe the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:
aws ec2 describe-images --region us-east-1 --owners self --output table --query 'Images[*].ImageId'
02 The command output should return the requested image identifiers (IDs):
---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0abcd1234abcd1234  |
|  ami-01234abcd1234abcd  |
|  ami-0abcdabcdabcdabcd  |
+-------------------------+
03 Run describe-images command (OSX/Linux/UNIX) with the ID of the AMI that you want to examine as the identifier parameter and custom output filters to describe the creation date of the selected image:
aws ec2 describe-images --region us-east-1 --image-ids ami-0abcd1234abcd1234 --query 'Images[*].CreationDate'
04 The command output should return the image creation date in human readable format:
[ "2024-09-15T11:00:00.000Z" ]
Check the date (timestamp) returned by the describe-images command output to determine the age of the verified image. If the age of the selected Amazon Machine Image (AMI) is greater than 180 days, the AMI is considered outdated and requires updates.
05 Repeat steps no. 3 and 4 for each AMI available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
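The Audit steps above can be scripted. The following is an added example (not code from the TrendAI Vision One™ Cloud Risk Management page) that parses describe-images JSON, converts each CreationDate into an aware UTC timestamp and flags every image older than the 180-day threshold; the sample describe-images output is constructed, and fetch_images() shows where the real AWS CLI call fits for each region.

```python
# Added example: flag self-owned AMIs older than a threshold from `aws ec2 describe-images` output.
import json
import subprocess
from datetime import datetime, timezone

MAX_AGE_DAYS = 180  # the rule's default threshold; adjust to match your dashboard setting

# Constructed sample of `aws ec2 describe-images --owners self --output json` (not real data).
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-0abcd1234abcd1234", "Name": "web-stack-v1",
     "CreationDate": "2024-09-15T11:00:00.000Z"},
    {"ImageId": "ami-01234abcd1234abcd", "Name": "web-stack-v2",
     "CreationDate": "2025-05-20T08:30:00.000Z"},
]})


def parse_creation_date(value: str) -> datetime:
    """CreationDate is ISO 8601 with a trailing 'Z'. Return an aware UTC datetime so the
    age comparison never depends on the host's local timezone (pre-3.11 fromisoformat
    does not accept 'Z', hence the replace)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def ami_age_days(image: dict, now: datetime) -> int:
    """Whole days elapsed between the image's creation and `now`."""
    return (now - parse_creation_date(image["CreationDate"])).days


def outdated_amis(describe_images_json: str, now: datetime,
                  max_age_days: int = MAX_AGE_DAYS) -> list:
    """Return [(image_id, age_days)] for every image strictly older than the threshold,
    oldest first, so the worst offenders appear at the top of a report."""
    images = json.loads(describe_images_json)["Images"]
    flagged = [(img["ImageId"], ami_age_days(img, now)) for img in images]
    return sorted([f for f in flagged if f[1] > max_age_days], key=lambda f: -f[1])


def fetch_images(region: str) -> str:
    """Run the page's audit command for one region (needs AWS credentials; not run offline)."""
    cmd = ["aws", "ec2", "describe-images", "--region", region,
           "--owners", "self", "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_regions(regions, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Repeat the check per region, as steps 5 and 6 of the Audit do by hand."""
    return {r: outdated_amis(fetch_images(r), now, max_age_days) for r in regions}


if __name__ == "__main__":
    for ami_id, age in outdated_amis(SAMPLE_DESCRIBE_IMAGES, datetime.now(timezone.utc)):
        print(f"{ami_id}: {age} days old (threshold {MAX_AGE_DAYS})")
```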
Remediation / Resolution
To re-create outdated Amazon Machine Images (AMIs) with up-to-date software, perform the following operations:
Note: As an example, this rule demonstrates how to update an outdated Amazon Linux AMI.
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under Instances, select Instances.
04 Choose Launch instances and perform the following actions to launch your new Amazon EC2 instance:
- For Name and tags, provide a name tag for your instance in the Name box. (Optional) Choose Add additional tags to apply user-defined tags to your new EC2 instance. You can track compute cost and other criteria by tagging your instance.
- For Application and OS Images (Amazon Machine Image), select My AMIs tab, and choose the outdated AMI from the Amazon Machine Image (AMI) dropdown list.
- For Instance type, select the required instance type from the Instance type dropdown list.
- For Key pair (login), you can select an existing key pair from the Key pair name - required dropdown list or choose Create new key pair to create a new key pair for your instance.
- For Network settings, choose Select existing security group under Firewall (security groups), and select the appropriate security group(s) from the Common security groups dropdown list.
- For Configure storage, configure the storage device settings.
- For Advanced details, configure the advanced settings supported by your EC2 instance.
- For Summary, review the instance details, and choose Launch instance to deploy your new Amazon EC2 instance.
- Choose View all instances to view your new EC2 instance. Once the Instance State is set to Running, your new instance is ready to use.
05 As soon as your new Amazon EC2 instance is running, update the operating system (OS) and the rest of the software stack (including application stack) to the latest version.
06 Once the instance software is up to date, you can create the new (updated) Amazon Machine Image (AMI). To get started, select the new Amazon EC2 instance, choose Actions from the top-right menu, select Image and templates, and choose Create image.
07 On the Create image setup page, provide the following information:
- For Image name, type a unique name for your new Amazon Machine Image (AMI).
- (Optional) For Image description - optional, provide a short description that reflects the usage of the updated AMI.
- Select the Reboot instance setting checkbox to ensure data consistency. When this option is selected, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken.
- (Optional) For Tags - optional, choose Tag image and snapshots together, and use the Add new tag button to create and apply user-defined tags to the new image. Tags can be used to search and filter your cloud resources or track your AWS costs.
- Choose Create image to create your new, updated Amazon Machine Image (AMI).
08 (Optional) To stop incurring any charges for your EC2 instance, you must terminate it. To shut down the instance, perform the following actions:
- In the left navigation panel, under Instances, choose Instances.
- Select the Amazon EC2 instance that you want to terminate.
- Choose Instance state and select Terminate (delete) instance.
- In the Terminate (delete) instance confirmation box, review the instance details, then choose Terminate (delete) to terminate the selected EC2 instance.
09 Repeat steps no. 4 - 8 for each outdated AMI available within the current AWS cloud region.
10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Perform run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the outdated Amazon Machine Image (AMI) that you want to update:
aws ec2 run-instances \
--region us-east-1 \
--image-id ami-0abcdabcdabcdabcd \
--count 1 \
--instance-type t2.micro \
--key-name cc-project5-ssh-key \
--security-group-ids sg-0abcd1234abcd1234 \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cc-project5-prod-instance}]' \
--query 'Instances[]'
02 The command output should return the configuration information for the newly created EC2 instance:
[
{
"Architecture": "x86_64",
"BlockDeviceMappings": [],
"EbsOptimized": false,
"EnaSupport": true,
"Hypervisor": "xen",
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2025-07-01T11:50:48+00:00",
"AttachmentId": "eni-attach-01234abcd1234abcd",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attaching",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupId": "sg-0abcd1234abcd1234",
"GroupName": "cc-project5-security-group"
}
],
"Ipv6Addresses": [],
"NetworkInterfaceId": "eni-01234abcd1234abcd",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
"PrivateIpAddress": "172.20.30.40",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
"PrivateIpAddress": "172.20.30.40"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-01234abcd1234abcd",
"VpcId": "vpc-0abcd1234abcd1234",
"InterfaceType": "interface",
"Operator": {
"Managed": false
}
}
],
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupId": "sg-0abcd1234abcd1234",
"GroupName": "cc-project5-security-group"
}
],
"SourceDestCheck": true,
"StateReason": {
"Code": "pending",
"Message": "pending"
},
"Tags": [
{
"Key": "Name",
"Value": "cc-project5-prod-instance"
}
],
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"MetadataOptions": {
"State": "pending",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"BootMode": "uefi-preferred",
"PrivateDnsNameOptions": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"MaintenanceOptions": {
"AutoRecovery": "default",
"RebootMigration": "default"
},
"CurrentInstanceBootMode": "legacy-bios",
"Operator": {
"Managed": false
},
"InstanceId": "i-0abcd1234abcd1234",
"ImageId": "ami-0abcdabcdabcdabcd",
"State": {
"Code": 0,
"Name": "pending"
},
"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
"PublicDnsName": "",
"StateTransitionReason": "",
"KeyName": "cc-project5-ssh-key",
"AmiLaunchIndex": 0,
"ProductCodes": [],
"InstanceType": "t2.micro",
"LaunchTime": "2025-07-01T11:50:48+00:00",
"Placement": {
"GroupName": "",
"Tenancy": "default",
"AvailabilityZone": "us-east-1a"
},
"Monitoring": {
"State": "disabled"
},
"SubnetId": "subnet-01234abcd1234abcd",
"VpcId": "vpc-0abcd1234abcd1234",
"PrivateIpAddress": "172.20.30.40"
}
]
03 As soon as your new Amazon EC2 instance is running, update the operating system (OS) and the rest of the software stack (including application stack) to the latest version.
04 Once the instance software is up to date, you can create the new (updated) Amazon Machine Image (AMI). Run create-image command (OSX/Linux/UNIX) to create a new AMI using the Amazon EC2 instance deployed in the previous steps. Use the --reboot command parameter (the default behavior; do not pass --no-reboot) to ensure data consistency. With this setting, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken:
aws ec2 create-image --region us-east-1 --instance-id i-01234123412341234 --name "Project5 Prod Updated AMI" --description "Project5 Web Stack AMI version 2.0" --reboot
05 The command output should return the ID of the new Amazon Machine Image (AMI):
{
"ImageId": "ami-0abcdabcdabcdabcd"
}
06 (Optional) You can terminate the EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) with the source instance ID as the identifier parameter:
aws ec2 terminate-instances --region us-east-1 --instance-ids i-01234abcd1234abcd
07 The output should return the terminate-instances command request information:
{
"TerminatingInstances": [
{
"InstanceId": "i-01234abcd1234abcd",
"CurrentState": {
"Code": 32,
"Name": "shutting-down"
},
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
08 Repeat steps no. 1 - 7 for each outdated AMI available in the selected AWS cloud region.
09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Amazon Machine Images (AMI)
- Creating an Amazon EBS-Backed Linux AMI
- Getting Started with Amazon EC2 Linux Instances
- Setting Up with Amazon EC2
- AWS Command Line Interface (CLI) Documentation
- describe-images
- run-instances
- create-image
- terminate-instances