Introducing Our Serverless AMI Bakery Accelerator

In many IT shops, teams continue to tackle the process of creating resources, like Amazon Machine Images (AMIs), by hand in a time-consuming, error-prone process that can result in inconsistent security across Amazon Web Services (AWS) environments. Helping organizations with this process, today we’re introducing our Serverless AMI Bakery Accelerator (SABA) that empowers teams to automate the AMI build and deployment processes.

What is SABA?

In addition to creating and deploying AMIs easily and consistently, SABA is also a great starting point to simplify and secure the process of deploying and maintaining AMIs. SABA automates the deployment process across AWS accounts and regions allowing you to customize AMIs with common agents, tools, security settings and custom applications before distributing them.

How does it work?
SABA uses serverless AWS services to minimize operational overhead and is deployed using AWS CloudFormation templates to reduce deployment time and ease maintenance. It comes complete with an Ansible playbook to configure Ubuntu 18 to meet Center for Internet Security (CIS) guidelines with a framework to test compliance.


Amazon Elastic Compute Cloud (Amazon EC2) Image Builder, courtesy of AWS

Specifically, SABA can expect an AWS Image Builder that is configured to build, harden, test, and distribute AMIs. We also include an Ansible playbook and a test framework to harden Ubuntu 18 according to the CIS Benchmark Level 1 or Level 2 — depending on customer need — so that the customer can achieve fine-grained control over which CIS rules are applied.

A CIS test report is generated by Allure (the multi-language test report tool) and stored in Amazon Simple Storage Service (Amazon S3) for trackable compliance. We then configure AWS Image Builder to distribute images to other AWS Accounts and Regions on a scheduled basis to ensure updated and hardened images are consistently made available. AWS EC2 Image Builder is deployed using AWS CloudFormation so that it can be quickly and consistently deployed. Last, the source code is stored in the customer’s AWS CodeCommit repository for easy maintenance.

Increase Security

SABA makes it easy for AMI users to deploy applications with approved Golden AMIs and application AMIs. Standard AMIs like these benefit the organization as they provide a standard machine image approved by the IT Operations team that meets the company’s security and compliance requirements. These pre-vetted AMIs benefit organizations as once the ideal template is set-up, administrators need only replicate it, thus saving time, eliminating potential errors from creating new AMIs from scratch, and ensuring environmental consistency.

Lower Maintenance

SABA reduces maintenance needs by helping automate the customization and distribution of AMIs. AMIs are comprised of templates for the root volume for the instance, launch permissions, and a block device mapping that specifies the volumes to attach to the instance when it’s launched. Yet, these elements may need customization from time-to-time. For example, if you continuously assess the security posture of your active golden AMIs and discover an update should be made, SABA can help automate the change and distribute the revised template as needed, saving resources and ensuring that active AMIs are up to date.

Lower Cost

In the process of decreasing maintenance and ensuring security needs are met, organizations gain productivity gains that lower cost of operations. Moreover, SABA customers are able to achieve CIS compliance at the cost of using standard AWS AMIs.

We are excited to bring you SABA via the AWS Marketplace.