Updating Base AMIs in Wellcome Collection AWS Accounts

Last updated: 27/06/24

Context

We use a number of base AMIs in our AWS accounts to provide a consistent starting point for our EC2 instances. These AMIs are based on the latest Amazon Linux 2 releases and must be updated regularly to ensure security and compatibility with our applications.

There are a number of agents installed on these base AMIs, including the SSM agent, all of which need to be able to report their status and health back to our monitoring systems.

AWS Image Builder

We will use AWS Image Builder to automate the creation and maintenance of our base AMIs. This service allows us to define a pipeline that builds, tests, and distributes AMIs based on our specifications. This infrastructure is terraformed in the platform account and described here: https://github.com/wellcomecollection/platform-infrastructure/tree/main/images/terraform/image-builder

Images are distributed from the platform account to the other accounts using Image Builder distribution pipelines. This allows us to maintain a single source of truth for our base AMIs while ensuring that all accounts have access to the latest versions.

AMI Consumers

The following teams and services consume the base AMIs:

  • Archivematica Infrastructure: Base AMIs for container hosts and bastion hosts.

  • Goobi Infrastructure: Base AMIs for container hosts and bastion hosts.

  • Digirati Infrastructure: Base AMIs for container hosts and bastion hosts.

Decision

We will use AWS Image Builder to automate the creation and maintenance of our base AMIs. This will allow us to:

  • Ensure that all base AMIs are built consistently and reliably.

  • Reduce the time and effort required to update and maintain base AMIs.

  • Improve the security and compliance posture of our EC2 instances by ensuring that they are always running the latest, patched versions of the underlying operating system and software.

  • Provide a clear and auditable process for updating base AMIs.

AMIs will be re-built at least every 3 months, or more frequently if security vulnerabilities are identified that require immediate attention. The process will include:

  • Updating the base AMI with the latest Amazon Linux 2 release.

  • Installing the latest versions of the SSM agent and other required software.

  • Running tests to ensure that the AMI is functioning correctly.

  • Distributing the updated AMI to all relevant accounts using Image Builder distribution pipelines.

  • Ensuring that all EC2 instances using the base AMI are updated to the latest version within a reasonable timeframe, typically within 2 weeks of the new AMI being available.
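The process above maps directly onto the Image Builder resources the platform account's Terraform creates. As an added illustration (not code from the platform-infrastructure repository), the following configuration wires together the five steps: a component whose build phase applies OS updates and installs the SSM agent, validate and test phases that fail the build if the agent is not enabled and running, a recipe pinned to the AWS-managed Amazon Linux 2 parent image, a distribution configuration that copies the AMI into consumer accounts, and a pipeline scheduled for the first day of every third month. The region, account IDs, subnet, security group and instance profile name are placeholders.

```hcl
# Added example, not the repository's own code. Values marked PLACEHOLDER
# and the account/region locals are assumptions for illustration only.

locals {
  region  = "eu-west-1"                      # placeholder region
  targets = ["111111111111", "222222222222"] # placeholder consumer account IDs
}

# Build: update every installed package and install the SSM agent.
# Validate: runs on the build instance; a non-zero exit fails the image.
# Test: runs on a fresh instance launched from the new AMI.
resource "aws_imagebuilder_component" "base" {
  name     = "al2-base-updates"
  platform = "Linux"
  version  = "1.0.0"

  data = <<-YAML
    name: al2-base-updates
    description: Patch Amazon Linux 2 and install the SSM agent
    schemaVersion: 1.0
    phases:
      - name: build
        steps:
          - name: UpdateOS
            action: UpdateOS
          - name: InstallSsmAgent
            action: ExecuteBash
            inputs:
              commands:
                - sudo yum install -y amazon-ssm-agent
                - sudo systemctl enable amazon-ssm-agent
      - name: validate
        steps:
          - name: SsmAgentEnabled
            action: ExecuteBash
            inputs:
              commands:
                - systemctl is-enabled amazon-ssm-agent
      - name: test
        steps:
          - name: SsmAgentRunning
            action: ExecuteBash
            inputs:
              commands:
                - systemctl is-active amazon-ssm-agent
  YAML
}

# "x.x.x" resolves to the newest AWS-published Amazon Linux 2 image at build
# time, so each scheduled run starts from the latest release without a
# Terraform change.
resource "aws_imagebuilder_image_recipe" "base" {
  name         = "al2-base"
  version      = "1.0.0"
  parent_image = "arn:aws:imagebuilder:${local.region}:aws:image/amazon-linux-2-x86/x.x.x"

  component {
    component_arn = aws_imagebuilder_component.base.arn
  }
}

resource "aws_imagebuilder_infrastructure_configuration" "base" {
  name                          = "al2-base"
  instance_profile_name         = "image-builder-instance-PLACEHOLDER"
  instance_types                = ["t3.small"]
  subnet_id                     = "subnet-PLACEHOLDER"
  security_group_ids            = ["sg-PLACEHOLDER"]
  terminate_instance_on_failure = true # never leave a half-built instance running
}

# Copy the finished AMI into each consumer account, tagged so the
# consumers can select the current image by tag rather than by ID.
resource "aws_imagebuilder_distribution_configuration" "base" {
  name = "al2-base"

  distribution {
    region = local.region

    ami_distribution_configuration {
      name               = "al2-base-{{ imagebuilder:buildDate }}"
      target_account_ids = local.targets
      ami_tags = {
        Name    = "al2-base"
        BuiltBy = "image-builder"
      }
    }
  }
}

resource "aws_imagebuilder_image_pipeline" "base" {
  name                             = "al2-base"
  image_recipe_arn                 = aws_imagebuilder_image_recipe.base.arn
  infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.base.arn
  distribution_configuration_arn   = aws_imagebuilder_distribution_configuration.base.arn

  image_tests_configuration {
    image_tests_enabled = true
    timeout_minutes     = 60
  }

  # 06:00 UTC on the 1st of every third month; EXPRESSION_MATCH_ONLY runs
  # unconditionally, which is what "at least every 3 months" requires.
  schedule {
    schedule_expression                = "cron(0 6 1 */3 ? *)"
    pipeline_execution_start_condition = "EXPRESSION_MATCH_ONLY"
  }
}
```

Two things outside this file have to exist for it to work: the build instance profile needs the `EC2InstanceProfileForImageBuilder` and `AmazonSSMManagedInstanceCore` managed policies, and each consumer account needs the `EC2ImageBuilderDistributionCrossAccountRole` that Image Builder assumes when copying the AMI. An out-of-schedule rebuild for an urgent fix is a manual `aws imagebuilder start-image-pipeline-execution --image-pipeline-arn <arn>`; the distributed AMI then appears in the consumer accounts under the same `Name` tag, which is what the two-week rollout window in the last step keys off.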