EC2 Image Builder: makes server builds easy!

Moha Alsouli
3 min read · Oct 8, 2020


Build and maintain secure images

Back in March, I wrote a post on how to build Golden Images using Packer on AWS CodeBuild. Today, let me show you how to do even better builds with AWS EC2 Image Builder!

We’ve been using Packer at Tigerspike for quite a while now to build servers (if we’re not deploying serverless applications!) so we’re comfortable with it. It works great and does the job perfectly. But I couldn’t stop there, I had to try the recently introduced EC2 Image Builder. So, I tried it the other day, loved it, and I’m now using it to deploy a service to production, and I think we’ll be using it from now on!

TL;DR

EC2 Image Builder is faster, cheaper, more secure and more reliable than Packer. That is not to say Packer is slow or expensive at all, but it’s the -er suffix that we’re after in Tech! Find a link to example CloudFormation templates at the bottom of this post to try EC2 Image Builder yourself.

What is EC2 Image Builder?

As AWS puts it, EC2 Image Builder is a service that makes it easier and faster to build and maintain secure images. Image Builder simplifies the creation, patching, testing, distribution, and sharing of Linux or Windows Server images.

Why is it faster?

Well, there is no build server on your side. With Packer, something (a CodeBuild project in my earlier post) has to run the Packer binary, wait for the build instance and tear it down. With EC2 Image Builder, the service launches the build instance in your account, runs the build and tests on it, creates the AMI and terminates the instance, with nothing for you to host or keep alive. It also takes care of distributing the finished AMI across regions and accounts.

Why is it cheaper?

For the same reason as above: there is no orchestrator instance or CodeBuild minutes to pay for, and the service itself has no charge. You only pay for the EC2 instances that build and test the image and the EBS snapshots behind the AMIs you keep, not the overhead.

Why is it more secure?

Since it’s an AWS service, it fits naturally with IAM roles and policies. The build instance runs your components through the SSM agent (Systems Manager Run Command), so nothing has to connect into the instance: no SSH or WinRM port open to an orchestrator and no key pair to manage, as you need for a classic Packer build. Instead, you give the build instance an instance profile with the right policies (the AWS managed AmazonSSMManagedInstanceCore and EC2InstanceProfileForImageBuilder cover the basics) and a security group with no inbound rules at all. One caveat: the instance still needs outbound HTTPS to Systems Manager and to S3 (where components are fetched from), so if you want everything to stay inside your VPC instead of going out through a NAT or internet gateway, add VPC endpoints for ssm, ssmmessages, ec2messages and S3.
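
To make that concrete, here is an added CloudFormation fragment for the network and IAM side of an infrastructure configuration. It is my example, not one of the templates from this post’s GitHub link: an instance profile with the two AWS managed policies above, a security group with no inbound rules, interface endpoints for the three SSM services and a gateway endpoint for S3, wired into an `AWS::ImageBuilder::InfrastructureConfiguration`. The resource names, the parameters and the private-subnet/route-table layout are assumptions for the illustration; confirm the endpoint list against the User Guide for your region (CloudWatch Logs, for instance, if your components ship logs there).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Hypothetical Image Builder infra - no inbound ports, private endpoints

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id      # private subnet for the build/test instances (assumed)
  RouteTableId:
    Type: String                    # route table of that subnet, for the S3 gateway endpoint

Resources:
  # Build instance role: SSM agent access plus what the Image Builder agent needs
  # (read components from S3, write logs). No SSH key, no inbound port.
  BuildInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - !Sub arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder

  BuildInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref BuildInstanceRole ]

  # No SecurityGroupIngress at all: nothing can connect to the build instance.
  # The default allow-all egress is kept so the agents can reach the endpoints.
  BuildInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Image Builder build/test instances - no inbound rules
      VpcId: !Ref VpcId

  # The interface endpoints accept HTTPS only from the build instances.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from Image Builder instances to VPC endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref BuildInstanceSecurityGroup

  # Systems Manager Run Command needs these three interface endpoints.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      VpcId: !Ref VpcId
      SubnetIds: [ !Ref SubnetId ]
      SecurityGroupIds: [ !Ref EndpointSecurityGroup ]
      PrivateDnsEnabled: true
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      VpcId: !Ref VpcId
      SubnetIds: [ !Ref SubnetId ]
      SecurityGroupIds: [ !Ref EndpointSecurityGroup ]
      PrivateDnsEnabled: true
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      VpcId: !Ref VpcId
      SubnetIds: [ !Ref SubnetId ]
      SecurityGroupIds: [ !Ref EndpointSecurityGroup ]
      PrivateDnsEnabled: true

  # Components and the agent itself are downloaded from S3: gateway endpoint.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcId: !Ref VpcId
      RouteTableIds: [ !Ref RouteTableId ]

  InfrastructureConfiguration:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: private-no-inbound
      InstanceProfileName: !Ref BuildInstanceProfile
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [ !Ref BuildInstanceSecurityGroup ]
      TerminateInstanceOnFailure: true   # never leave a half-built instance around
```

`PrivateDnsEnabled: true` only works when the VPC has DNS support and DNS hostnames enabled; without it the agents keep resolving the public endpoints and the build hangs in a private subnet. A quick check that the design holds is the security group itself: if a build succeeds with zero ingress rules, nothing outside the instance ever needed a way in.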

Why is it more reliable?

Well, where do I start?!

  • As with any AWS managed service, new features and fixes arrive without you upgrading or patching a build server.
  • Besides image recipes, you can automate and schedule image builds through pipelines, as explained in this blog post.
  • Access to AWS-provided components (templates), e.g. update-windows, update-linux, php-7-2-ubuntu, dotnet-core-hosting-bundle-windows, amazon-cloudwatch-agent-linux, etc.
  • You can develop and test your own components locally with the AWSTOE CLI (awstoe), the same executor the service runs on the build instance.
  • Components are managed centrally and versioned (e.g. 1.0.3), so you can reuse and pin them across different image pipelines.
  • Each component can include build, validate and test phases. Build installs applications and modifies the OS; validate runs on the same build instance before the AMI is created and fails the build if a check fails; test runs on a fresh instance launched from the new AMI, so it exercises exactly what you will deploy.
  • Components, recipes and images can be shared across AWS Regions, accounts or an Organization.
  • AWS-provided components for compliance assessment and hardening validation.
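
Here is what a component with all three phases looks like. This is an added example, not a file from the post or from the author’s GitHub templates: a hypothetical AWSTOE component document that installs nginx on an Amazon Linux 2 build instance, hides the version banner, proves the config is sane before the AMI is cut, and then checks the running service on the instance launched from the finished AMI. The package name, the drop-in config path and the checks are assumptions for the illustration.

```yaml
# Hypothetical Image Builder component (AWSTOE document format).
#   build    -> runs on the build instance before the AMI snapshot
#   validate -> runs on the same build instance; a non-zero exit fails the
#               build, so no AMI is created from a broken instance
#   test     -> runs on a new instance launched from the finished AMI
name: NginxHardenedInstall
description: Install nginx, hide the version banner, then prove the image is what we think it is
schemaVersion: 1.0

phases:
  - name: build
    steps:
      - name: InstallNginx
        action: ExecuteBash
        inputs:
          commands:
            - set -euo pipefail
            - sudo amazon-linux-extras install -y nginx1
            - sudo systemctl enable nginx
      - name: HideServerVersion
        action: ExecuteBash
        inputs:
          commands:
            - set -euo pipefail
            # conf.d/*.conf is included inside the http block of the stock nginx.conf (assumed layout)
            - printf 'server_tokens off;\n' | sudo tee /etc/nginx/conf.d/hardening.conf > /dev/null

  - name: validate
    steps:
      - name: ConfigIsValid
        action: ExecuteBash
        inputs:
          commands:
            - set -euo pipefail
            - sudo nginx -t
            - grep -q '^server_tokens off;' /etc/nginx/conf.d/hardening.conf
            - systemctl is-enabled nginx

  - name: test
    steps:
      - name: ServiceUpAndBannerHidden
        action: ExecuteBash
        inputs:
          commands:
            - set -euo pipefail
            - systemctl is-active nginx
            # curl failing (nginx not listening) aborts the step via set -e
            - hdr="$(curl -sSI http://127.0.0.1/)"
            - echo "$hdr" | grep -q '^HTTP/.* 200'
            # with server_tokens off the header is "Server: nginx", never "nginx/1.x"
            - '! echo "$hdr" | grep -iq "^Server: nginx/[0-9]"'
```

Run it locally before wiring it into a recipe: `awstoe validate --documents nginx.yaml` checks the document syntax, and `awstoe run --documents nginx.yaml --phases build,validate` executes the build and validate phases on a throwaway instance (the file name nginx.yaml is assumed). Each `commands` list is executed as one script, which is why every step starts with `set -euo pipefail`: without it a failing check in the middle of a step would not fail the step.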

That’s probably enough reasons for now!

EC2 Image Builder is Golden!

Try EC2 Image Builder yourself. I’ve uploaded example CloudFormation templates for both Linux and Windows AMI builders to my GitHub. Both take simple parameters and are ready to deploy. Otherwise, see the official EC2 Image Builder User Guide for more.

That’s it folks! Till the next time..
