This blog post was written by Glenn Chia Jin Wee, Associate Cloud Architect at AWS, and Randall Han, Associate Professional Services Consultant at AWS.
In some situations, you may be required to manually validate the Amazon Machine Image (AMI) built from an Amazon Elastic Compute Cloud (Amazon EC2) Image Builder pipeline before sharing this AMI to other AWS accounts or to an AWS Organization. Currently, Image Builder provides an end-to-end pipeline that automatically shares AMIs after they’ve been built.
In this post, we will walk through the steps to enable approval notifications before AMIs are shared with other AWS accounts. Having a manual approval step could be useful if you would like to verify the AMI configurations before it is shared to other AWS accounts or an AWS Organization. This reduces the possibility of incorrectly configured AMIs being shared to other teams which in turn could lead to downstream issues if applications are installed using this AMI. This solution uses serverless resources to send an email with a link that automatically shares the AMI with the specified AWS accounts. Users select this link after they’ve verified that the AMI is built according to specifications.
- In this solution, an Image Builder Pipeline is run that builds a Golden AMI in Account A. After the AMI is built, Image Builder publishes data about the AMI to an Amazon Simple Notification Service (Amazon SNS) topic.
- An AWS Lambda function subscribed to this SNS topic receives the data.
- That Lambda function retrieves the data, formats it, and publishes a customized message to a second SNS topic.
- The second SNS Topic has an email subscription with the Approver’s email. The approver will receive the customized email with a URL that interacts with the next set of Serverless resources.
- Selecting the URL makes a GET request to Amazon API Gateway, passing the AMI ID in the query string.
- API Gateway then triggers another Lambda function and passes the AMI ID to it.
- The Lambda function obtains the AMI ID from the query string parameter of the API Gateway request and shares the AMI with the target accounts that were supplied when the stack was deployed. Because the approval link is a plain GET URL, anyone who obtains it can trigger the share, so treat the approval email as sensitive; the function should accept only a well-formed AMI ID and should take the target accounts from its deployment configuration, never from the request itself.
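The following is an added example of the approval-link Lambda function described above; it is not the code from the post's GitHub repository. It assumes an API Gateway Lambda proxy integration (so the AMI ID arrives in `event["queryStringParameters"]`), a query parameter named `ami_id`, and that the stack's `TargetAccountIds` parameter and the target notification topic ARN are passed to the function as the environment variables `TARGET_ACCOUNT_IDS` and `TARGET_TOPIC_ARN`; all of these names are assumptions. The AMI ID is validated before any AWS call is made, and the target accounts come only from configuration. The fake clients at the bottom are constructed stand-ins so the handler can be run offline.

```python
import json
import os
import re

# Accept only syntactically valid AMI IDs ("ami-" + 8 or 17 lowercase hex
# characters): the value comes straight from a URL an e-mail recipient clicked.
AMI_ID_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def validate_ami_id(value):
    """Return the AMI ID if well-formed, otherwise raise ValueError."""
    if not isinstance(value, str) or not AMI_ID_RE.match(value):
        raise ValueError("ami_id is missing or malformed")
    return value


def target_accounts(raw):
    """Parse the comma-separated TargetAccountIds value (assumed to reach the
    function as the TARGET_ACCOUNT_IDS environment variable)."""
    accounts = [a.strip() for a in raw.split(",") if a.strip()]
    if not accounts or any(not ACCOUNT_ID_RE.match(a) for a in accounts):
        raise ValueError("TARGET_ACCOUNT_IDS must list 12-digit AWS account IDs")
    return accounts


def share_ami(ec2, ami_id, accounts):
    """Grant launch permission on ami_id to each account with
    ModifyImageAttribute and return what was granted."""
    ec2.modify_image_attribute(
        ImageId=ami_id,
        LaunchPermission={"Add": [{"UserId": a} for a in accounts]},
    )
    return {"ImageId": ami_id, "SharedWith": accounts}


def lambda_handler(event, context, ec2=None, sns=None):
    """Entry point for the GET request issued by the approval link."""
    if ec2 is None or sns is None:
        import boto3  # imported lazily so the logic above runs without boto3 installed
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    params = event.get("queryStringParameters") or {}
    try:
        ami_id = validate_ami_id(params.get("ami_id"))
        accounts = target_accounts(os.environ.get("TARGET_ACCOUNT_IDS", ""))
    except ValueError as err:
        # Reject bad input before any AWS API call is made.
        return {"statusCode": 400, "body": json.dumps({"error": str(err)})}
    result = share_ami(ec2, ami_id, accounts)
    # Tell the target-account address that the share happened.
    sns.publish(
        TopicArn=os.environ["TARGET_TOPIC_ARN"],
        Subject=f"AMI {ami_id} shared",
        Message=json.dumps(result),
    )
    return {"statusCode": 200, "body": json.dumps(result)}


# Constructed stand-ins for the boto3 clients so the handler runs offline.
class _FakeEc2:
    def __init__(self):
        self.calls = []

    def modify_image_attribute(self, **kwargs):
        self.calls.append(kwargs)


class _FakeSns:
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)


def run_demo():
    """Run one valid and one malformed approval request against the fakes."""
    os.environ["TARGET_ACCOUNT_IDS"] = "123456789012"                        # constructed
    os.environ["TARGET_TOPIC_ARN"] = "arn:aws:sns:us-east-1:111122223333:x"  # constructed
    ec2, sns = _FakeEc2(), _FakeSns()
    good = lambda_handler({"queryStringParameters": {"ami_id": "ami-0123456789abcdef0"}}, None, ec2, sns)
    bad = lambda_handler({"queryStringParameters": {"ami_id": "ami-0123456789abcdef0;rm"}}, None, ec2, sns)
    return good, bad, ec2.calls, sns.published


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To share with an AWS Organization instead of individual accounts, the `LaunchPermission` entry takes an `OrganizationArn` in place of `UserId`. Note also that an AMI backed by snapshots encrypted with a customer managed KMS key is only launchable by the target account if that key's policy also grants the target account access; the launch permission alone is not enough.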
For this walkthrough, you will need the following:
- Two AWS accounts – one to host solution resources, and the second with which to share the built AMI.
- AWS Serverless Application Model (AWS SAM) installed, and AWS credentials configured for Account A. Refer to AWS docs: Installing the AWS SAM CLI for the installation and configuration steps.
- A new Amazon Virtual Private Cloud (Amazon VPC) will be created from the stack. Make sure that you have fewer than five VPCs in the selected Region.
In this section, we will guide you through the steps required to deploy the Image Builder solution that utilizes Serverless resources. The solution is deployed with AWS SAM.
In this scenario, we deploy the solution within the approver’s account. The approval email will be sent to a predefined email address for manual approval, before the newly created AMI is shared to target accounts.
Once the approver selects the approval link, an email notification will be sent to the predefined target account email address, notifying that the AMI has been successfully shared.
The high-level steps we will follow are:
- In Account A, deploy the provided AWS SAM template. This includes an example Image Builder Pipeline, Amazon SNS topics, API Gateway, and Lambda functions.
- Approve the SNS subscription from your supplied email address.
- Run the pipeline from the Amazon EC2 Image Builder Console.
- [Optional] After the pipeline runs, launch an Amazon EC2 instance from the built AMI to conduct manual tests.
- An Amazon SNS email will be sent to you with an API Gateway URL. When clicked, an AWS Lambda function shares the AMI to the Account B.
- Log in to Account B and verify that the AMI has been shared.
Step 1: Launch the AWS SAM template
- Clone the SAM templates from this GitHub repository.
- Run the following command to deploy the templates via SAM. Replace <approver email> with the Approver’s email, <target account email> with the email address that should be notified once the AMI is shared, and <AWS Account B ID> with the AWS Account ID of your second AWS Account.
sam deploy \
--template-file template.yaml \
--stack-name ec2-image-builder-approver-notifications \
--capabilities CAPABILITY_IAM \
--parameter-overrides \
ApproverEmail=<approver email> \
TargetAccountEmail=<target account email> \
TargetAccountIds=<AWS Account B ID>
Step 2: Verify your email address
- After running the deployment, you will receive an email prompting you to confirm the Subscription at the approver email address. Choose Confirm subscription.
- This leads to the following screen, which shows that your subscription is confirmed.
- Repeat the previous 2 steps for the target email address.
Step 3: Run the pipeline from the Image Builder console
- In the Image Builder console, under Image pipelines, select the checkbox next to the Pipeline created, choose Actions, and select Run pipeline.
Note that the pipeline takes approximately 20 to 30 minutes to complete.
Step 4: [Optional] Launch an Amazon EC2 instance from the built AMI
There could be a requirement to manually validate the AMI before sharing it to other AWS accounts or to the AWS organization. With this requirement, approvers will launch an Amazon EC2 instance from the built AMI and conduct manual tests on the EC2 instance to make sure that it is functional.
- In the Amazon EC2 console, under Images, choose AMIs. Validate that the AMI is created.
- Follow AWS docs: Launching an EC2 instance from a custom AMI for steps on how to launch an Amazon EC2 instance from the AMI.
Step 5: Select the approval URL in the email sent
- When the pipeline has run successfully, you will receive another email with a URL to share the AMI.
- Selecting this URL results in the following screen, which shows that the AMI share is successful.
Step 6: Verify that the AMI is shared to Account B
- Log in to Account B.
- In the Amazon EC2 console, under Images, choose AMIs. Then, in the dropdown, choose Private images. Validate that the AMI is shared.
- Verify that a success email notification was sent to the target account email address provided.
This section provides the necessary information for deleting various resources created as part of this post.
1. Deregister the AMIs created and shared.
a. Log in to Account A and follow the steps at AWS documentation: Deregister your Linux AMI.
2. Delete the SAM stack with the following command. Replace <region> with the Region of choice.
sam delete --stack-name ec2-image-builder-approver-notifications --no-prompts --region <region>
3. Delete the CloudWatch log groups for the Lambda functions. You’ll identify them by the name prefix `/aws/lambda/ec2-image-builder-approve*`.
4. Consider deleting the Amazon S3 bucket used to store the packaged Lambda artifact.
In this post, we explained how to use Serverless resources to enable approval notifications for an Image Builder pipeline before AMIs are shared to other accounts. This solution can be extended to share to more than one AWS account or even to an AWS organization. With this solution, you will be notified when new golden images are created, allowing you to verify the correctness of their configuration before sharing them for wider use. This reduces the possibility of sharing AMIs with misconfigurations that the written tests may not have identified.
We invite you to experiment with different AMIs created using Image Builder, and with different Image Builder components. Check out this GitHub repository for various examples that use Image Builder. Also check out this blog on Image Builder integrations with EC2 Auto Scaling Instance Refresh. Let us know your questions and findings in the comments, and have fun!