{"id":75544,"date":"2025-09-05T18:39:02","date_gmt":"2025-09-05T13:09:02","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=75544"},"modified":"2025-09-17T11:48:48","modified_gmt":"2025-09-17T06:18:48","slug":"ec2-image-builder-in-action-from-ami-creation-to-cross-account-sharing","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/ec2-image-builder-in-action-from-ami-creation-to-cross-account-sharing\/","title":{"rendered":"EC2 Image Builder in Action: From AMI Creation to Cross-Account Sharing"},"content":{"rendered":"

Introduction<\/h2>\n

EC2 Image Builder is an AWS service that automates creating, updating, and deploying your Amazon Machine Images (AMIs).<\/p>\n

EC2 Image Builder creates a pipeline for Linux or Windows Server images for use with Amazon EC2. The pipeline manages all stages, including image creation, maintenance, validation, sharing, and deployment.<\/p>\n

Image Builder is free to use, except for the cost of the AWS resources needed to create, store, and share the images.<\/p>\n

Refer to this blog to know more about EC2 Image Builder – Packer Alternative: Migrating to AWS EC2 Image Builder for Automated AMI Pipelines<\/strong><\/a><\/p>\n

 <\/p>\n

Scenarios in Action<\/h2>\n

1. Using EC2 Image builder service and its sub-resources to build an EC2 Image Pipeline to automate AMI creation and AMI sharing to the destination AWS Account via CFN template only.<\/strong><\/p>\n

Here, we\u2019ll install a CloudWatch Agent and the Testing Component Script, which will validate if the CW agent is running or not. If the CloudWatch agent status is not in the running stage, break the AMI build process.<\/p>\n

\"EC2

EC2 Image Builder<\/p><\/div>\n

Prerequisites before deploying the EC2 Image Builder CFN Stack<\/h3>\n

IAM Role – Permission of the S3 bucket and SNS Notification. Here, Image Builder download scripts from the S3 bucket and sends a notification to SNS.<\/p>\n

VPC and subnet (private only) – EC2 launch via Image builder privately, and access to the internet is required to download the packages.<\/p>\n

KMS key – To encrypt the AWS EBS volume, the best practice is to follow.<\/p>\n

Note<\/strong> –\u00a0The above resources mentioned in the prerequisite are not part of the CFN template. They are passed as a parameter in the template.<\/p>\n

Deploy the CFN template to create resources<\/h3>\n

CFN Template GitHub URL – Click Here<\/a>
\nComponent Scripts – Click Here<\/a><\/p>\n

Once the CFN template is deployed, the EC2 Image Pipeline is created, and it clubs all the resources within the pipeline to build in CI\/CD pipeline. It builds, validates and on successful share the AMI to other accounts.<\/p>\n

Stack Output –<\/strong><\/p>\n

\"CFN

CFN Stack Output<\/p><\/div>\n

EC2 Image Pipeline –<\/strong><\/p>\n

\"EC2

EC2 Image Pipeline<\/p><\/div>\n

Distribution of the AMI –<\/strong><\/p>\n

\"AMI

AMI Distribution<\/p><\/div>\n

\"AMI

AMI Distribution<\/p><\/div>\n

It\u2019s important to do unit testing on our end to validate if the agents are up and running. Launch an EC2 Instance via a custom AMI and check the CW agent status using the command below.<\/p>\n

Command:<\/strong>\u00a0sudo systemctl status amazon-cloudwatch-agent<\/p>\n

\"CloudWatch

CloudWatch Agent<\/p><\/div>\n

 <\/p>\n

2. To validate the package’s installation via the EC2 image builder itself using a custom component script<\/strong><\/p>\n

    \n
  • Here we are configuring and installing the CloudWatch agent, but before creating an AMI, there must be a testing process to validate if the agent is running or not.<\/li>\n
  • If the agent status is not running, break the build pipeline because we don\u2019t want to share a broken AMI with a misconfigured agent setup.<\/li>\n
  • In Scenario 01, it successfully configures the agent. Let\u2019s try to break the build process on failure.<\/li>\n
  • In the Script InstallLinuxComponent.sh script, after the installation, let\u2019s STOP the CloudWatch agent.<\/li>\n
  • Add a command at the end of a script – sudo systemctl stop amazon-cloudwatch-agent<\/li>\n
  • Upload the updated script to the S3 bucket path.<\/li>\n
  • Execute the EC2 Image Pipeline<\/li>\n<\/ul>\n
    \"Build

    Build Workflow<\/p><\/div>\n

    Here is the flow: when the validation script checks for the CloudWatch agent service status, it’s not running, which returns the exit code. The exit code can be any number except 0, due to which the Build workflow failed because the agent is not UP and Running and breaks the build process.<\/p>\n

    \"Workflow

    Workflow ID logs<\/p><\/div>\n

     <\/p>\n

    3. SNS Integration in EC2 Image Builder to receive pass\/success status of the AMI.<\/strong><\/p>\n

    Once AMI is created, Image Pipeline sends a huge Raw JSON, which can be filtered via a lambda, and the lambda can send the output to a new SNS as an input to receive a pass\/fail status.<\/p>\n

    \"AMI

    AMI Notification<\/p><\/div>\n

     <\/p>\n

    Once the AMI is in an available or fail state, it triggers the SNS configured in the Infrastructure configurations in EC2 Image builder via a CFN template.
    \nConfigure AWS Lambda and a custom Python script to filter the Raw JSON sent by the pipeline to deliver filtered and formatted key: values to the stakeholders\/team.<\/p>\n

    Key Notes<\/h2>\n
      \n
    • The Pipeline fetches the latest AMI, always using the x.x.x semantic versioning. It\u2019ll always pick the latest Major, Minor, and Patch version whenever the EC2 image pipeline gets triggered.<\/li>\n
    • It requires no other AWS service dependency to trigger the pipeline. It has a cron expression scheduler built in.<\/li>\n
    • It can share AMIs across accounts, SSM parameters, update the launch template and so on.<\/li>\n
    • The components in the recipe are executed in the sequence order in which they are defined.<\/li>\n<\/ul>\n

      Wrapping Up<\/h2>\n

      While learning and implementing EC2 Image Builder, I realised that we can achieve much more with this service than I initially thought. Don\u2019t stop here\u2014explore new scenarios and possibilities with it.<\/p>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      Introduction EC2 Image Builder is an AWS service that automates creating, updating, and deploying your Amazon Machine Images (AMIs). EC2 Image Builder creates a pipeline for Linux or Windows Server images for use with Amazon EC2. The pipeline manages all stages, including image creation, maintenance, validation, sharing, and deployment. Image Builder is free to use, […]<\/p>\n","protected":false},"author":1658,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":39},"categories":[2348],"tags":[248,4252,8012,8070,7943,7895],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75544"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1658"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=75544"}],"version-history":[{"count":6,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75544\/revisions"}],"predecessor-version":[{"id":76357,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75544\/revisions\/76357"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=75544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=75544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=75544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}