The EC2 AMI catalog consists of more than 160k public AMIs: a mix of images created by users, published by vendors, and provided by AWS.
So how do you ensure that an AMI comes from a verified vendor, or that it is an official AMI published by AWS?
How do you find a trusted AMI among them all when you’re about to launch an EC2 Instance?
On AWS, it’s typical that something can be done in several ways, and that’s awesome. Some of them work better than others, some methods are official, and some you can use just for fun (check that).
In this article, I will describe five ways of getting the official and verified AMI for your next EC2 Instance launch.
When launching an EC2 Instance from a Management Console, you can apply the “Verified Provider” filter for the Community AMIs tab to ensure you get an AMI from a verified provider.
The “Verified provider” label means an AMI is owned by an Amazon verified account.
In the following example, I want to make sure that the Ubuntu 20.04 AMI comes from a verified source:
In the past, you had to compare the AMI Owner ID with the publicly shared list of verified Owner IDs for every region.
Not rocket science, but it takes time. So now it’s much more straightforward, thanks to the “Verified Provider” label.
This feature also works great when you are creating a Launch Template, for example when you want to create a fleet of macOS Instances with Auto Scaling.
The Launch Template creation wizard takes you to the AMI Catalog (where you can search for and pick the AMI) and back again.
Another interface in the Management Console acts as the AMI browser. It does not have any fancy name except for the “AMIs page”, but you probably already know about it: it looks like a list of AMIs, and you can see it when you click on the “AMIs” menu item on the left side of the EC2 page menu.
The AMI page allows you to leverage the API filters to narrow down the search, and the “Owner alias” filter is the one you need to ensure that an AMI comes from a trusted owner.
Here is how it looks for my search of the official Amazon Linux 2 AMI:
AMIs shared by verified sources have amazon (for AWS) or aws-marketplace (for AWS partners) as the value of the Owner alias filter.
Finding the official AMI with Terraform is also simple — the aws_ami data source does the job.
For example, here is how you can find the same Amazon Linux 2 AMI by specifying amazon as the value of the owners argument of the data source:
Compare that with the filters on the AMI page — it looks similar, right? This is because of how Terraform works: it translates your code into API calls and sends them to AWS API endpoints.
If you’re very new to Terraform, I suggest reading this article to understand the basic concepts: Terraform explained in English
Sometimes you might need to get the AMI ID from the CLI to pass it along as an argument further down a pipeline.
This can be done with the ec2 describe-images command of the AWS CLI:
The API filters I mentioned before also work here — use them to narrow your search.
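The same owner check, carried into the pipeline step that consumes the CLI output. This is an added Python example, not code from the article: it filters a describe-images response the way the owners filter does (amazon or aws-marketplace as the owner alias, plus an optional allow-list of your own account IDs), picks the newest matching image, and verifies an AMI ID before it is used for a launch. The JSON below is a constructed stand-in for what the CLI prints; the field names match the real DescribeImages response, but the image IDs, account IDs and dates are made up.

```python
import json

# Owner aliases that AWS itself attaches to trusted publishers, as described
# in the article: "amazon" for AWS-owned AMIs, "aws-marketplace" for sellers.
TRUSTED_OWNER_ALIASES = frozenset({"amazon", "aws-marketplace"})

# Constructed stand-in for the JSON printed by `aws ec2 describe-images`.
# Field names (ImageId, OwnerId, ImageOwnerAlias, Name, CreationDate, Public,
# State) are the real DescribeImages fields; IDs and dates are invented.
# The third entry imitates the Amazon Linux naming pattern but belongs to an
# unknown account and carries no owner alias: the case the owner filter
# exists to catch.
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{
  "Images": [
    {"ImageId": "ami-0a000000000000001", "OwnerId": "111111111111",
     "ImageOwnerAlias": "amazon",
     "Name": "amzn2-ami-hvm-2.0.20230101.0-x86_64-gp2",
     "CreationDate": "2023-01-01T00:00:00.000Z", "Public": true, "State": "available"},
    {"ImageId": "ami-0a000000000000002", "OwnerId": "111111111111",
     "ImageOwnerAlias": "amazon",
     "Name": "amzn2-ami-hvm-2.0.20230301.0-x86_64-gp2",
     "CreationDate": "2023-03-01T00:00:00.000Z", "Public": true, "State": "available"},
    {"ImageId": "ami-0b000000000000001", "OwnerId": "999999999999",
     "Name": "amzn2-ami-hvm-2.0.20230401.0-x86_64-gp2",
     "CreationDate": "2023-04-01T00:00:00.000Z", "Public": true, "State": "available"},
    {"ImageId": "ami-0c000000000000001", "OwnerId": "222222222222",
     "ImageOwnerAlias": "aws-marketplace",
     "Name": "vendor-hardened-linux-1.2.3",
     "CreationDate": "2023-02-15T00:00:00.000Z", "Public": true, "State": "available"}
  ]
}
""")


def is_trusted(image, trusted_aliases=TRUSTED_OWNER_ALIASES,
               trusted_owner_ids=frozenset()):
    """True if AWS labels the owner with a trusted alias, or if the owner
    account ID is on an explicit allow-list (for example your own accounts
    that build golden images). A missing alias never counts as trusted."""
    return (image.get("ImageOwnerAlias") in trusted_aliases
            or image.get("OwnerId") in trusted_owner_ids)


def newest_trusted_ami(response, name_prefix, **trust):
    """Return the ImageId of the newest available image whose Name starts
    with name_prefix and whose owner passes is_trusted(), or None.
    CreationDate values share one ISO-8601 layout, so string order is
    date order."""
    candidates = [
        img for img in response["Images"]
        if img.get("State") == "available"
        and img.get("Name", "").startswith(name_prefix)
        and is_trusted(img, **trust)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


def verify_ami(response, ami_id, **trust):
    """Pre-launch check for an AMI ID handed down a pipeline: True only if
    the ID resolves to an image in the response whose owner is trusted.
    An ID that does not resolve at all is treated as untrusted."""
    for img in response["Images"]:
        if img.get("ImageId") == ami_id:
            return is_trusted(img, **trust)
    return False


if __name__ == "__main__":
    print("newest trusted Amazon Linux 2:",
          newest_trusted_ami(SAMPLE_DESCRIBE_IMAGES, "amzn2-ami-hvm-"))
    for ami in ("ami-0a000000000000002", "ami-0b000000000000001"):
        verdict = "trusted" if verify_ami(SAMPLE_DESCRIBE_IMAGES, ami) else "REJECTED"
        print(ami, verdict)
```

Note that the look-alike image is the newest one by date, so a pipeline that only sorts by CreationDate and takes the last entry would pick it; the owner check is what keeps it out. Pass trusted_owner_ids only for accounts you control and have verified.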
Another way that involves AWS CLI is the ssm get-parameter command:
It reveals one helpful feature of the Systems Manager — the Public parameters.
Systems Manager Public parameters are how AWS distributes some widely used artifacts related to their services.
For example, you can find official AMIs for many distributions there: Amazon Linux, Windows, macOS, Bottlerocket, Ubuntu, Debian, and FreeBSD.
See the Finding public parameters documentation page if you want to know more.
The “Verified provider” badge can be earned by a third party only when an AMI developer is registered as a Seller on the AWS Marketplace.
Additionally, specific policies and review processes apply to all AMIs submitted to the Marketplace.
So it is okay to trust third-party vendors with the “Verified” badge to a certain degree. However, it is always good to run additional scans and validation on the software you use. 🪲 😉