Module 1: Create an InfoSec approved secure golden image

You will be using an EC2 Image Builder wizard which will walk you through from the beginning to the end. It is the easiest way to get started.

  1. From the EC2 Image Builder landing page, select Create image pipeline.
  2. On the Define Recipe page, create an image recipe, which includes your source image and components.
  3. Under Source image, select Windows for OS.
  4. For image, choose Select managed images and click Browser images. Select Windows Server 2019 English Full Base x86 with the latest version.
  5. Check the option, Always build latest version.
  6. For Build components, click Browse build components. Select stig-build-windows-low with the latest version then click Choose. Click Browse build components again, select update-windows and click Choose. Ensure the order of the component shown is in the order that was selected (Stig-build-windows-low then update-windows).
  7. For Test components, select reboot-test-windows.
  8. Click Next.
  9. On the Configure pipeline page, name the pipeline and enter its description. For IAM role, click Create new instance profile role which open IAM console in a new tab. You are going to create an EC2 instance role with EC2InstanceProfileForImageBuilder and AmazonSSMManagedInstanceCore managed policy attached.
  10. Click Roles in the left menu and click Create role button. Choose AWS service for trusted entity then select EC2. Click Next: Permission.
  11. Under Attach permissions policies, search for the policy mentioned in #9 then check the checkbox in front of it. Click Next: Tags
  12. You can enter the tag here. Click Next: Review
  13. Review your configuration then click Create role.
  14. Now go back to EC2 Image Builder Configuration pipeline. For IAM role, select the role created in the previous step. If it does not show up in the dropdown, click the refresh button next to it.
  15. For Build schedule, select Manual.
  16. You will skip the infrastructure settings and leave it with the default value. Click Next.
  17. Skip Associate license configuration to AMI as well.
  18. For Output AMI, enter the name and tags.
  19. For AMI distribution settings, us-east-1 is already select. Add us-east-2. Click Review.
  20. Review the configuration then click Create Pipeline.
  21. Check the checkbox in front of the pipeline, click the Action dropdown on the top left then select Run pipeline.
  22. After the pipeline execution has been initiate, you can click the Pipeline name which will lead to the pipeline information. You can also see the status of the running pipeline here.
  23. After the Status changed to available, explore the new image that just created under Images.
  24. Go to EC2 Management Console and create a new instance from this AMI.