AMI
An Amazon Machine Image (AMI) is a template configured with an operating system, application server, and other software required to launch an EC2 instance.

aws_ami attributes:
  • name - (Required) Region-unique name for the AMI.
  • boot_mode - (Optional) Boot mode of the AMI. For more information, see Boot modes in the Amazon Elastic Compute Cloud User Guide.
  • deprecation_time - (Optional) Date and time to deprecate the AMI. If you specified a value for seconds, Amazon EC2 rounds the seconds to the nearest minute. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ).
  • description - (Optional) Longer, human-readable description for the AMI.
  • ena_support - (Optional) Whether enhanced networking with ENA is enabled. Defaults to false.
  • root_device_name - (Optional) Name of the root device (for example, /dev/sda1, or /dev/xvda).
  • virtualization_type - (Optional) Keyword to choose what virtualization mode created instances will use. Can be either "paravirtual" (the default) or "hvm". The choice of virtualization type changes the set of further arguments that are required, as described below.
  • architecture - (Optional) Machine architecture for created instances. Defaults to "x86_64".
  • ebs_block_device - (Optional) Nested block describing an EBS block device that should be attached to created instances. The structure of this block is described below.
  • ephemeral_block_device - (Optional) Nested block describing an ephemeral block device that should be attached to created instances. The structure of this block is described below.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • tpm_support - (Optional) If the image is configured for NitroTPM support, the value is v2.0. For more information, see NitroTPM in the Amazon Elastic Compute Cloud User Guide.
  • imds_support - (Optional) If EC2 instances started from this image should require the use of the Instance Metadata Service V2 (IMDSv2), set this argument to v2.0. For more information, see Configure instance metadata options for new instances.

When virtualization_type is "paravirtual" the following additional arguments apply:

  • image_location - (Required) Path to an S3 object containing an image manifest, e.g., created by the ec2-upload-bundle command in the EC2 command line tools.
  • kernel_id - (Required) ID of the kernel image (AKI) that will be used as the paravirtual kernel in created instances.
  • ramdisk_id - (Optional) ID of an initrd image (ARI) that will be used when booting the created instances.


When virtualization_type is "hvm" the following additional arguments apply:

  • sriov_net_support - (Optional) When set to "simple" (the default), enables enhanced networking for created instances. No other value is supported at this time.


Nested ebs_block_device blocks have the following structure:

  • device_name - (Required) Path at which the device is exposed to created instances.
  • delete_on_termination - (Optional) Boolean controlling whether the EBS volumes created to support each created instance will be deleted once that instance is terminated.
  • encrypted - (Optional) Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with snapshot_id.
  • iops - (Required only when volume_type is io1 or io2) Number of I/O operations per second the created volumes will support.
  • snapshot_id - (Optional) ID of an EBS snapshot that will be used to initialize the created EBS volumes. If set, the volume_size attribute must be at least as large as the referenced snapshot.
  • throughput - (Optional) Throughput that the EBS volume supports, in MiB/s. Only valid for volume_type of gp3.
  • volume_size - (Required unless snapshot_id is set) Size of created volumes in GiB. If snapshot_id is set and volume_size is omitted then the volume will have the same size as the selected snapshot.
  • volume_type - (Optional) Type of EBS volume to create. Can be standard, gp2, gp3, io1, io2, sc1 or st1 (Default: standard).
  • kms_key_id - (Optional) Full ARN of the AWS Key Management Service (AWS KMS) CMK to use when encrypting the snapshots of an image during a copy operation. This parameter is only required if you want to use a non-default CMK; if this parameter is not specified, the default CMK for EBS is used.
  • outpost_arn - (Optional) ARN of the Outpost on which the snapshot is stored.

Nested ephemeral_block_device blocks have the following structure:

  • device_name - (Required) Path at which the device is exposed to created instances.
  • virtual_name - (Required) Name for the ephemeral device, of the form "ephemeralN" where N is a volume number starting from zero.

Associating resources with an AMI
Resources do not "belong" to an AMI. Rather, one or more Security Groups are associated to a resource.

Create AMI via Terraform:
The following HCL creates an AMI that will start a machine whose root device is backed by an EBS volume populated from a snapshot. We assume that such a snapshot already exists with the id "snap-xxxxxxxx".
Syntax:

resource "aws_ami" "example" {
  name                = "terraform-example"
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"
  imds_support        = "v2.0" # Enforce usage of IMDSv2. You can safely remove this line if your application explicitly doesn't support it.
  ebs_block_device {
    device_name = "/dev/xvda"
    snapshot_id = "snap-xxxxxxxx"
    volume_size = 8
  }
}

Create AMI via CLI:
Parameters:

create-image
[--block-device-mappings <value>]
[--description <value>]
[--dry-run | --no-dry-run]
--instance-id <value>
--name <value>
[--no-reboot | --reboot]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-image \
   --instance-id i-1234567890abcdef0 \
   --name "My server" \
   --description "An AMI for my server"

Best Practices for AMI

Categorized by Availability, Security & Compliance and Cost

  • Warning: AMI (Amazon Machine Images) not in use
  • Warning: AMI (Amazon Machine Images) not in use (12 months)
  • Critical: Ensure EC2 AMIs are not publicly accessible
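A small audit script, added here as an example and not CloudWiki's own tooling, that evaluates the JSON shape returned by aws ec2 describe-images --owners self against the three rules above, and additionally flags images that lack the imds_support and encrypted settings from the aws_ami reference. The image records, the in-use set and the current timestamp are constructed sample data; load_from_cli is an assumed helper for running the same checks against a real account.

```python
"""Audit AMIs against the best-practice rules: public exposure, unused images
(plain and older than 12 months), IMDSv2 not enforced, unencrypted EBS volumes.
Added example; input mirrors `aws ec2 describe-images` / `describe-instances` output."""
import json
import subprocess
from datetime import datetime, timedelta, timezone


def audit_amis(images, in_use_ids, now, stale_days=365):
    """Return {image_id: [finding, ...]} for every AMI that violates a rule."""
    findings = {}
    for img in images:
        problems = []
        if img.get("Public"):                      # launch permission granted to "all"
            problems.append("CRITICAL: AMI is publicly accessible")
        created = datetime.strptime(img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
        created = created.replace(tzinfo=timezone.utc)
        if img["ImageId"] not in in_use_ids:       # no running/stopped instance references it
            if now - created > timedelta(days=stale_days):
                problems.append("WARNING: AMI not in use for more than 12 months")
            else:
                problems.append("WARNING: AMI not in use")
        if img.get("ImdsSupport") != "v2.0":       # mirrors the imds_support = "v2.0" attribute
            problems.append("WARNING: IMDSv2 not enforced (imds_support != v2.0)")
        for bdm in img.get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")                   # ephemeral mappings have no Ebs key
            if ebs is not None and not ebs.get("Encrypted", False):
                problems.append(f"WARNING: {bdm['DeviceName']} is not encrypted")
        if problems:
            findings[img["ImageId"]] = problems
    return findings


def load_from_cli(region=None):
    """Assumed helper: pull the same shapes from a real account via the AWS CLI."""
    extra = ["--region", region] if region else []
    imgs = json.loads(subprocess.check_output(
        ["aws", "ec2", "describe-images", "--owners", "self", "--output", "json"] + extra))["Images"]
    res = json.loads(subprocess.check_output(
        ["aws", "ec2", "describe-instances", "--output", "json"] + extra))
    in_use = {i["ImageId"] for r in res["Reservations"] for i in r["Instances"]}
    return imgs, in_use


# Constructed sample data (placeholder IDs), shaped like describe-images Images[].
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "web-golden", "Public": True,
     "CreationDate": "2021-03-01T12:00:00.000Z", "ImdsSupport": "v2.0",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]},
    {"ImageId": "ami-0000000000000002", "Name": "batch-worker", "Public": False,
     "CreationDate": "2024-01-10T12:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]},
    {"ImageId": "ami-0000000000000003", "Name": "old-build", "Public": False,
     "CreationDate": "2022-05-01T12:00:00.000Z", "ImdsSupport": "v2.0",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]},
]
SAMPLE_IN_USE = {"ami-0000000000000001"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(audit_amis(SAMPLE_IMAGES, SAMPLE_IN_USE, NOW), indent=2))
```

A public finding can be confirmed with aws ec2 describe-image-attribute --attribute launchPermission before remediating with modify-image-attribute.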