AWS Compute Services: Amazon Machine Images (AMI)

An Amazon Machine Image (AMI) is a supported and maintained image, provided by AWS, that contains the information required to launch an instance. You must specify an AMI when you launch an instance, and you can launch multiple instances from a single AMI whenever you need several instances with the same configuration.

The Real-World Analogy

Think of an AMI as a “Golden Master” or a “Cookie Cutter.” If you want to bake 100 cookies that look and taste exactly the same, you don’t hand-sculpt each one; you use a mold. The AMI is that mold, containing the OS, software, and configuration needed to stamp out identical EC2 instances in seconds.

Core Concepts & Configuration

Every AMI includes the following components:

  • Root Volume Template: A template for the root volume (OS, application server, and applications).
  • Launch Permissions: Controls which AWS accounts can use the AMI to launch instances (Public, Private, or Shared).
  • Block Device Mapping: Specifies the volumes to attach to the instance when it’s launched.

AMI Types and Comparison

Feature               | EBS-Backed AMI                 | Instance Store-Backed AMI
----------------------|--------------------------------|-------------------------------------------
Storage               | Amazon EBS volume              | S3 (template stored in S3)
Boot Time             | Fast (usually < 1 min)         | Slower (usually > 5 mins)
Instance Persistence  | Can be stopped and restarted   | Cannot be stopped (only terminate/reboot)
Data Persistence      | Data persists after stop       | Data lost if instance fails/terminates

Security & Portability

AMIs are Regional resources. If you create an AMI in us-east-1, you cannot use it in eu-west-1 unless you first copy the AMI to that destination region. For security, you can encrypt the EBS snapshots associated with an AMI using AWS KMS. When you copy an unencrypted AMI, you can choose to encrypt the copy during the process.

Decision Matrix: If-Then Guide

  • If you need to move a workload to a new region… Then Copy the AMI to the target region.
  • If you need to share an encrypted AMI with another account… Then Share the AMI AND the custom KMS key used for encryption.
  • If you want to ensure consistent software versions… Then Create a “Golden Image” AMI with all updates pre-installed.
  • If you need to reduce launch time for complex apps… Then Use an AMI instead of User Data scripts for heavy installations.
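The sharing rules above have a concrete prerequisite: the account you share an encrypted AMI with must be allowed, in the key policy of the customer managed KMS key, to use that key. The following script is an added example (not AWS-published code and not part of this guide) that inspects a key policy document and reports which actions the receiving account is still missing. The action set in REQUIRED_ACTIONS is this example's assumption of the typical "allow use of the key" statement, the account IDs and policy are constructed sample data, and Deny statements and Condition elements are deliberately ignored to keep the check readable.

```python
"""
Check whether a customer managed KMS key policy lets a second AWS account
use the key, which is what that account needs before it can launch from
(or copy) an encrypted AMI shared with it. The default aws/ebs key has no
editable key policy, which is why this check only makes sense for a CMK.
"""

# Assumed set of actions the receiving account needs on the key: the first
# four to read and re-wrap the snapshot data key, CreateGrant so EC2 can
# attach decrypted volumes on the account's behalf.
REQUIRED_ACTIONS = {
    "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:CreateGrant",
}

# Constructed sample key policy: owner 111111111111, DR account 222222222222.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key by the DR account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}


def _principals(stmt: dict) -> set:
    """Normalise the Principal element to a set of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return {aws} if isinstance(aws, str) else set(aws)


def _actions(stmt: dict) -> set:
    """Normalise the Action element to a set of strings."""
    action = stmt.get("Action", [])
    return {action} if isinstance(action, str) else set(action)


def _covers(granted: set, required: str) -> bool:
    """True if an exact match, kms:*, or a wildcard prefix grants `required`."""
    for g in granted:
        if g == required or g == "kms:*":
            return True
        if g.endswith("*") and required.startswith(g[:-1]):
            return True
    return False


def missing_actions(key_policy: dict, account_id: str) -> set:
    """Return the required actions that no Allow statement grants the account root."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _principals(stmt) & {root_arn, account_id, "*"}:
            granted |= _actions(stmt)
    return {a for a in REQUIRED_ACTIONS if not _covers(granted, a)}


def can_share_encrypted_ami(key_policy: dict, account_id: str) -> bool:
    """Convenience wrapper: no gaps means the key side of sharing is ready."""
    return not missing_actions(key_policy, account_id)


if __name__ == "__main__":
    for acct in ("222222222222", "333333333333"):
        gap = missing_actions(SAMPLE_KEY_POLICY, acct)
        print(acct, "OK" if not gap else f"missing {sorted(gap)}")
```

Run against the sample policy, the DR account is reported as missing kms:CreateGrant, the usual reason a shared encrypted AMI shows up in the other account but fails at launch; an account with no statement at all is missing everything. In practice the policy document would come from kms:GetKeyPolicy rather than an inline dict.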

Exam Tips and Gotchas

  • The Snapshot Link: Deregistering an AMI does not delete the underlying EBS snapshots. You must delete snapshots manually to stop incurring costs.
  • Encryption: You cannot share an AMI that is encrypted with the default AWS Managed Key (aws/ebs). You must use a Customer Managed Key (CMK) to share encrypted AMIs.
  • Cross-Region: When copying an AMI, the new AMI gets a unique AMI ID, even if it’s an exact replica of the source.
  • Marketplace: You can sell your custom AMIs on the AWS Marketplace to other users.

Topics Covered

Summary of key subtopics covered in this guide:

  • AMI Components (Root volume, Permissions, Block Device Mapping)
  • EBS-backed vs. Instance Store-backed architectures
  • AMI Lifecycle (Create, Copy, Share, Deregister)
  • Cross-Region replication and AMI ID uniqueness
  • Encryption requirements for sharing and copying
  • Cost optimization via snapshot management

[Figure: The AMI Lifecycle: From Instance to Scalable Fleet. Flow shown: EC2 Instance → EBS Snapshot → AMI → Fleet Instance]

Ecosystem

Security & IAM

Use IAM policies to restrict who can call CreateImage or ModifyImageAttribute (the action that changes an AMI's launch permissions). Always use KMS for sensitive data at rest.

Performance

Fast Launch

Pre-installing software into an AMI (Baking) is faster than installing via User Data scripts during boot (Bootstrapping). Use EC2 Image Builder for automation.

Cost

Snapshot Costs

AMIs are free to store, but the EBS Snapshots they point to are billed per GB/month. Clean up old AMIs AND their snapshots regularly.
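Both the "Snapshot Link" exam tip and the cost note above come down to the same procedure: capture the snapshot IDs from the AMI's block device mapping, deregister the AMI, then delete the snapshots, while not deleting a snapshot that another registered AMI still references. The script below is an added example, not code from this guide or from AWS; it uses boto3's method names (describe_images, deregister_image, delete_snapshot) so the same function runs against a real EC2 client, but the FakeEc2 class and the AMI and snapshot IDs are constructed here so it runs offline.

```python
"""
Deregister an AMI and delete the EBS snapshots it pointed to, skipping any
snapshot still referenced by another registered AMI. Deregistering alone
leaves the snapshots (and their per-GB-month charge) in place.
"""


def snapshot_ids_for_image(image: dict) -> list:
    """Collect snapshot IDs from BlockDeviceMappings (EBS entries only;
    ephemeral instance-store entries carry no snapshot)."""
    ids = []
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs and ebs.get("SnapshotId"):
            ids.append(ebs["SnapshotId"])
    return ids


def cleanup_ami(ec2, image_id: str) -> dict:
    """Deregister image_id, then delete its now-orphaned snapshots.

    Snapshot IDs are read *before* deregistration because describe_images
    stops returning the mapping once the AMI is gone. `ec2` is any object
    with boto3-style describe_images / deregister_image / delete_snapshot.
    """
    resp = ec2.describe_images(ImageIds=[image_id])
    images = resp.get("Images", [])
    if not images:
        raise ValueError(f"{image_id} not found (wrong region or already deregistered?)")
    targets = snapshot_ids_for_image(images[0])

    # Snapshots shared with other AMIs we own must survive this cleanup.
    others = [i for i in ec2.describe_images(Owners=["self"])["Images"]
              if i["ImageId"] != image_id]
    in_use = {s for img in others for s in snapshot_ids_for_image(img)}

    ec2.deregister_image(ImageId=image_id)
    result = {"deleted": [], "kept_in_use": []}
    for snap in targets:
        if snap in in_use:
            result["kept_in_use"].append(snap)
            continue
        ec2.delete_snapshot(SnapshotId=snap)
        result["deleted"].append(snap)
    return result


class FakeEc2:
    """Minimal in-memory stand-in for boto3's EC2 client (constructed for this example)."""

    def __init__(self, images: list, snapshots: list):
        self.images = {i["ImageId"]: i for i in images}
        self.snapshots = set(snapshots)

    def describe_images(self, ImageIds=None, Owners=None):
        imgs = list(self.images.values())
        if ImageIds:
            imgs = [i for i in imgs if i["ImageId"] in ImageIds]
        return {"Images": imgs}

    def deregister_image(self, ImageId):
        del self.images[ImageId]

    def delete_snapshot(self, SnapshotId):
        self.snapshots.remove(SnapshotId)


def make_sample_client() -> FakeEc2:
    """Two golden-image versions that share one data-volume snapshot (constructed IDs)."""
    def ebs(snap):
        return {"Ebs": {"SnapshotId": snap}}
    images = [
        {"ImageId": "ami-0example1", "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", **ebs("snap-0root1")},
            {"DeviceName": "/dev/xvdb", **ebs("snap-0shared")},
            {"DeviceName": "/dev/xvdc", "VirtualName": "ephemeral0"}]},
        {"ImageId": "ami-0example2", "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", **ebs("snap-0root2")},
            {"DeviceName": "/dev/xvdb", **ebs("snap-0shared")}]},
    ]
    return FakeEc2(images, ["snap-0root1", "snap-0root2", "snap-0shared"])


if __name__ == "__main__":
    client = make_sample_client()
    print(cleanup_ami(client, "ami-0example1"))
    print("snapshots still stored:", sorted(client.snapshots))
```

Against the sample data, retiring the older image deletes only its root snapshot; the shared data snapshot is kept because the newer AMI still maps it, which is exactly the case a naive "delete everything in the mapping" script gets wrong. With a real client the in_use check should be extended to AMIs in other accounts the snapshot has been shared with, since describe_images(Owners=["self"]) only sees your own.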

Production Use Case: Disaster Recovery

A company maintains a “Golden AMI” in Region A. Every night, a Lambda function copies this AMI to Region B. In the event of a regional outage, Auto Scaling groups in Region B use the copied AMI to restore services instantly with identical configurations.
