
Approved/Golden AMIs


Risk Level: Medium (should be achieved)
Rule ID: EC2-028

Ensure that all the Amazon EC2 instances necessary for your application stack are launched from approved Amazon Machine Images (AMIs), also known as golden AMIs, in order to enforce consistency and save time when scaling your cloud applications. The AMI(s) approved by your organization must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

An approved/golden AMI is a base image that contains a pre-configured OS and a well-defined stack of server software fully configured to run your application. Using golden AMIs to create new Amazon EC2 instances within your AWS environment brings major benefits such as fast and stable application deployment and scaling, secure application stack upgrades, and versioning. You can go even further and automate golden AMI creation with open source tools like Packer and Netflix Aminator.


Audit

To determine if your Amazon EC2 instances are being launched using approved Amazon Machine Images (AMI), perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved/Golden AMIs conformity rule settings, and identify the ID(s) of the AMI(s) approved by your organization.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under Instances, choose Instances.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Details tab from the console split panel to access the instance configuration information.

07 In the Instance details section, check the AMI ID attribute value to identify the ID of the image used to launch the selected instance. Cross-reference the AMI ID value with each ID defined in the conformity rule configuration, identified in step 1. If the AMI ID value is not found in the list of approved AMIs defined in the conformity rule settings, the selected Amazon EC2 instance was not launched from an approved (golden) AMI, and the software configuration of the verified instance may therefore not be secure.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance available within the current AWS cloud region.

09 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved/Golden AMIs conformity rule settings, and identify the ID(s) of the AMI(s) approved by your organization.

02 Run describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

04 Run describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier and custom filtering to describe the ID of the image used to create the selected EC2 instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0abcdabcdabcdabcd \
	--query 'Reservations[*].Instances[*].ImageId[]'

05 The command output should return the requested image ID:

[
	"ami-0abcd1234abcd1234"
]

Cross-reference the AMI ID returned by the describe-instances command output with each ID defined in the conformity rule configuration, identified in step 1. If the instance image ID is not found in the list of approved AMIs defined in the conformity rule settings, the selected Amazon EC2 instance was not launched from an approved (golden) AMI, and the software configuration of the verified instance may therefore not be secure.

06 Repeat steps no. 4 and 5 for each Amazon EC2 instance provisioned in the selected AWS cloud region.

07 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.
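The Audit steps above can be automated once the describe-instances output has been saved to disk. The following Python script is an added example (not part of the Conformity rule page or the Conformity product): it parses the JSON that `aws ec2 describe-instances` returns for one or more regions and reports every instance whose ImageId is not in the approved list from the rule settings. The approved AMI IDs, the instance records and the region names are constructed sample values.

```python
"""Added example: offline cross-check of describe-instances output against the
organization's approved (golden) AMI list. All identifiers are constructed samples."""
import json

# Approved AMI IDs as they would be defined in the rule settings (constructed).
APPROVED_AMIS = {"ami-0abcd1234abcd1234", "ami-0golden00000000001"}

# Constructed sample of `aws ec2 describe-instances --region us-east-1` output,
# trimmed to the fields the check needs (InstanceId, ImageId, State).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd", "ImageId": "ami-0abcd1234abcd1234",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0abcdabcdabcdabcd", "ImageId": "ami-0deadbeefdeadbeef",
             "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0abcd1234abcd1234", "ImageId": "ami-0deadbeefdeadbeef",
             "State": {"Name": "terminated"}},
        ]},
    ]
})


def instances_from_describe_output(raw_json):
    """Flatten Reservations[*].Instances[*] into (instance_id, image_id, state) tuples."""
    data = json.loads(raw_json)
    rows = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            rows.append((inst["InstanceId"], inst.get("ImageId", ""),
                         inst.get("State", {}).get("Name", "")))
    return rows


def find_unapproved_instances(raw_json, approved_amis, skip_terminated=True):
    """Return {instance_id: image_id} for instances not launched from an approved AMI.

    Terminated instances are skipped by default: they cannot be fixed in place and
    would otherwise keep producing stale findings until EC2 drops them.
    """
    findings = {}
    for instance_id, image_id, state in instances_from_describe_output(raw_json):
        if skip_terminated and state == "terminated":
            continue
        if image_id not in approved_amis:
            findings[instance_id] = image_id
    return findings


def audit_regions(outputs_by_region, approved_amis):
    """Run the check per region (step 07 above) and keep only regions with findings."""
    report = {}
    for region, raw_json in outputs_by_region.items():
        findings = find_unapproved_instances(raw_json, approved_amis)
        if findings:
            report[region] = findings
    return report


if __name__ == "__main__":
    sample = {"us-east-1": SAMPLE_DESCRIBE_INSTANCES}
    for region, findings in audit_regions(sample, APPROVED_AMIS).items():
        for iid, ami in findings.items():
            print(f"{region}: {iid} launched from {ami}, which is not an approved AMI")
```

To use it on real data, save each region's `aws ec2 describe-instances --region <region>` output to a file and pass its contents in place of the constructed sample.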

Remediation / Resolution

To create a golden/approved Amazon Machine Image (AMI) and force your AWS cloud administrators to launch Amazon EC2 instances using approved AMIs only, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Create the base EC2 instance
resource "aws_instance" "base-ec2-instance" {

	ami = "ami-0abcdabcdabcdabcd"
	instance_type = "t2.micro"
	key_name = "ssh-key"
	subnet_id = "subnet-abcd1234"
	vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

	ebs_block_device {
		device_name = "/dev/xvda"
		volume_size = 30
		volume_type = "gp2"
	}

	user_data = <<-EOF
	#!/bin/bash
	sudo apt-get update -y
	sudo apt-get upgrade -y
	sudo apt install apache2 -y
	sudo systemctl start apache2
	sudo systemctl enable apache2
	EOF

	tags = {
		Name = "Base Instance"
	}

}

# Create the Golden/Approved AMI
resource "aws_ami_from_instance" "golden-ami" {

	name = "approved-ami"
	source_instance_id = aws_instance.base-ec2-instance.id

	tags = {
		Name = "Golden AMI"
	}

}

# Enforce users to create EC2 instances from Golden AMI only
resource "aws_iam_policy" "admin-policy" {
	name = "golden-image-enforcement-policy"
	policy = jsonencode({
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "EnforceGoldenAMI",
				"Action": [
					"ec2:RunInstances"
				],
				"Effect": "Allow",
				"Resource": "*",
				"Condition": {
					"StringEquals": {
						"ec2:ResourceTag/Name": "Golden AMI"
					}
				}
			}
		]
	})
}

# Attach the enforcement policy to the EC2 admin group
resource "aws_iam_group_policy_attachment" "attach-group-policy" {
	group = "ec2-admin-group"
	policy_arn = aws_iam_policy.admin-policy.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, select Instances.

04 Choose Launch instances to create your base Amazon EC2 instance. During the launch process you can pass user data (shell scripts, cloud-init directives, etc.) or use configuration management tools to automatically install server software on the new EC2 instance. To launch the base Amazon EC2 instance perform the following actions:

  1. For Name and tags, provide a name tag for your instance in the Name box. (Optional) Choose Add additional tags to apply user-defined tags to your new EC2 instance. You can track compute cost and other criteria by tagging your instance.
  2. For Application and OS Images (Amazon Machine Image), choose the Amazon Machine Image (AMI) required to launch your new Amazon EC2 instance. You can select an AMI provided by AWS, AWS user community, or AWS Marketplace.
  3. For Instance type, select the required instance type from the Instance type dropdown list.
  4. For Key pair (login), you can select an existing key pair from the Key pair name - required dropdown list or choose Create new key pair to create a new key pair for your instance.
  5. For Network settings, choose Select existing security group under Firewall (security groups), and select the appropriate security group(s) from the Common security groups dropdown list.
  6. For Configure storage, configure the storage device settings.
  7. For Advanced details, configure the advanced settings supported by your EC2 instance.
  8. For Summary, review the instance details, and choose Launch instance to deploy your new Amazon EC2 instance.
  9. Choose View all instances to view your new EC2 instance. Once the Instance State is set to Running, your new instance is ready to use.

05 As soon as your new Amazon EC2 instance is running, install and configure the necessary software to run your applications, secure the operating system (OS) and the software stack, and upload your applications. Test the entire software stack to make sure that the new Amazon EC2 instance qualifies for the golden Amazon Machine Image (AMI).

06 Once the instance software is installed, you can create the golden (approved) Amazon Machine Image (AMI). To get started, select the new Amazon EC2 instance, choose Actions from the top-right menu, select Image and templates, and choose Create image.

07 On the Create image setup page, provide the following information:

  1. For Image name, type a unique name for the golden AMI.
  2. (Optional) For Image description - optional, provide a short description that reflects the usage of the AMI.
  3. Select the Reboot instance setting checkbox to ensure data consistency. When this option is selected, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken.
  4. (Optional) For Tags - optional, choose Tag image and snapshots together, and use the Add new tag button to create and apply user-defined tags to the new image. Tags can be used to search and filter your cloud resources or track your AWS costs.
  5. Choose Create image to create your golden (approved) Amazon Machine Image (AMI).

08 Once the golden AMI is ready for use, update the access permissions of your AWS cloud administrator in order to enforce creating Amazon EC2 instances from the golden AMI only. To enforce this restriction, you must create a custom IAM policy and attach it to the AWS cloud administrators group. To create the required policy, perform the following actions:

  1. Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.
  2. In the left navigation panel, under Access management, choose Policies.
  3. Choose Create policy and perform the following actions to create the required IAM policy:
    1. In the Policy editor section, choose JSON and paste the following policy document. Replace the placeholder values (<aws-region> and <ami-snapshot-id>) with your own information, i.e., the name of the AWS region and the ARN of the snapshot associated with your golden AMI:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Action": [
      				"ec2:RunInstances"
      			],
      			"Effect": "Allow",
      			"Resource": "*",
      			"Condition": {
      				"ArnEquals": {
      					"ec2:ParentSnapshot": "arn:aws:ec2:<aws-region>::snapshot/<ami-snapshot-id>"
      				}
      			}
      		}
      	]
      }
      
    2. Choose Next and use the Name and Description boxes to assign a unique name and a description for the IAM policy. Choose Create policy to create your new IAM policy.

09 To attach the custom IAM policy created in the previous step to the AWS cloud administrators group, perform the following actions:

  1. In the left navigation panel, under Access management, choose User groups.
  2. Click on the name (link) of the IAM group that you want to configure.
  3. Select the Permissions tab, choose Add permissions, and select Attach policies.
  4. Select the custom IAM policy created in step no. 8 and choose Attach policies to attach the policy to the selected IAM group.

10 Repeat steps no. 3 - 9 to create more golden AMIs within the current AWS cloud region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Perform run-instances command (OSX/Linux/UNIX) to create your base Amazon EC2 instance. Choose a base Amazon Machine Image (AMI) to create the new EC2 instance. You can use a secure AMI provided by AWS, AWS Marketplace, or another trusted provider:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-0abcdabcdabcdabcd \
	--count 1 \
	--instance-type t2.micro \
	--key-name cc-project5-ssh-key \
	--security-group-ids sg-0abcd1234abcd1234 \
	--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cc-project5-prod-instance}]' \
	--query 'Instances[]'

02 The command output should return the configuration information for the newly created EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Attachment": {
					"AttachTime": "2025-07-01T11:50:48+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attaching",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
				"PrivateIpAddress": "172.20.30.40",
				"PrivateIpAddresses": [
					{
						"Primary": true,
						"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
						"PrivateIpAddress": "172.20.30.40"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"StateReason": {
			"Code": "pending",
			"Message": "pending"
		},
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"MetadataOptions": {
			"State": "pending",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": false,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-0abcd1234abcd1234",
		"ImageId": "ami-0abcdabcdabcdabcd",
		"State": {
			"Code": 0,
			"Name": "pending"
		},
		"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
		"PublicDnsName": "",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T11:50:48+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.20.30.40"
	}
]

03 As soon as your new Amazon EC2 instance is running, install and configure the necessary software to run your applications, secure the operating system (OS) and the software stack, and upload your applications. Test the entire software stack to make sure that the new Amazon EC2 instance qualifies for the golden Amazon Machine Image (AMI).

04 Once the instance software is installed, you can create the golden (approved) Amazon Machine Image (AMI). To get started, run create-image command (OSX/Linux/UNIX) to create your golden AMI from the base instance created and configured in the previous steps. Include the --reboot command parameter to ensure data consistency. When this parameter is included, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken (the --no-reboot form skips the reboot and does not guarantee file system integrity):

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-01234abcd1234abcd \
	--name "Golden Amazon Machine Image (AMI)" \
	--description "Organization Approved-Golden Secure AMI" \
	--reboot

05 The command output should return the ID of the golden Amazon Machine Image (AMI):

{
	"ImageId": "ami-0abcdabcdabcdabcd"
}

06 Once the golden AMI is ready for use, update the access permissions of your AWS cloud administrator in order to enforce creating Amazon EC2 instances from the golden AMI only. To enforce this restriction, you must create a custom IAM policy and attach it to the AWS cloud administrators group. To create the required policy and implement the restriction, perform the following actions:

  1. Paste the following IAM policy document to a JSON file named cc-enforce-approved-image.json. Replace the placeholder values (<aws-region> and <ami-snapshot-id>) with your own information, i.e., the name of the AWS region and the ARN of the snapshot associated with your golden AMI:
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Action": [
    				"ec2:RunInstances"
    			],
    			"Effect": "Allow",
    			"Resource": "*",
    			"Condition": {
    				"ArnEquals": {
    					"ec2:ParentSnapshot": "arn:aws:ec2:<aws-region>::snapshot/<ami-snapshot-id>"
    				}
    			}
    		}
    	]
    }
    
  2. Run create-policy command (OSX/Linux/UNIX) to create the IAM policy that will force your AWS cloud administrators to create Amazon EC2 instances using the golden AMI only:
    aws iam create-policy \
    	--policy-name cc-approved-image-policy \
    	--policy-document file://cc-enforce-approved-image.json
    
  3. The command output should return the information available for the new IAM policy:
    {
    	"Policy": {
    		"PolicyName": "cc-approved-image-policy",
    		"CreateDate": "2025-07-08T16:00:00.000Z",
    		"AttachmentCount": 0,
    		"IsAttachable": true,
    		"DefaultVersionId": "v1",
    		"Path": "/",
    		"Arn": "arn:aws:iam::123456789012:policy/cc-approved-image-policy",
    		"UpdateDate": "2025-07-08T16:00:00.000Z"
    	}
    }
    
  4. Run attach-group-policy command (OSX/Linux/UNIX) to attach the IAM policy created in the previous steps to the AWS cloud administrators group (the command does not produce an output):
    aws iam attach-group-policy \
    	--policy-arn arn:aws:iam::123456789012:policy/cc-approved-image-policy \
    	--group-name cc-ec2-admin-group
    

07 Repeat steps no. 1 - 6 to create more golden AMIs in the selected AWS cloud region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.


Publication date Jun 2, 2016