

# Integrate products and services in Image Builder
<a name="integrate-products-services"></a>

EC2 Image Builder integrates with AWS Marketplace and other AWS services and applications to help you create robust, secure custom machine images.

**Products**

Image Builder recipes can incorporate image products from AWS Marketplace and Image Builder managed components to provide specialized build and test functionality, as follows.
+ **AWS Marketplace image products** – Use an image product from AWS Marketplace as the base image in your recipe to meet organizational standards, such as CIS Hardening. When you create a recipe from the Image Builder console, you can choose from your existing subscriptions, or search for a specific product from AWS Marketplace. When you create a recipe from the Image Builder API, CLI, or SDK, you can specify an image product Amazon Resource Name (ARN) to use as your base image.
+ **Image Builder components** – Components that you specify in your recipes can perform build and test actions, for example, to install software or perform compliance validation. Some image products that you subscribe to from AWS Marketplace might include a companion component that you can use in your recipes. The CIS Hardened images include a matching AWSTOE component that you can use in your recipe to enforce CIS Benchmarks Level 1 guidelines for your configuration.

**Note**  
For more information about compliance-related products, see [Compliance products for your Image Builder images](integ-compliance-products.md).

**Services**

Image Builder integrates with the following AWS services to provide detailed event metrics, logging, and monitoring. This information helps you track your activity, troubleshoot image build issues, and create automations based on event notifications.
+ **AWS Organizations** – AWS Organizations allows you to apply Service Control Policies (SCP) on accounts in your organization. You can create, manage, enable, and disable individual policies. Similar to all other AWS artifacts and services, Image Builder honors the policies defined in AWS Organizations. AWS provides template SCPs for common scenarios, such as enforcing constraints on member accounts to launch instances with only approved AMIs.
+ **AWS CloudTrail** – Monitor Image Builder events that are sent to CloudTrail. For more information about CloudTrail integration with Image Builder, see [Log Image Builder API calls using CloudTrail](log-cloudtrail.md).

  To learn more about CloudTrail, including how to turn it on and find your log files, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ **Amazon CloudWatch Logs** – Monitor, store, and access your Image Builder log files with CloudWatch. Optionally, you can save your logs to an S3 bucket. To learn more about CloudWatch integration with Image Builder, see [Monitor Image Builder logs with Amazon CloudWatch Logs](monitor-cwlogs.md).

  For more information about CloudWatch Logs, see [What is Amazon CloudWatch Logs?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) in the *Amazon CloudWatch Logs User Guide*.
+ **Amazon Elastic Container Registry (Amazon ECR)** – Amazon ECR is a managed AWS container image registry service that is secure, scalable, and reliable. Container images that you create with Image Builder are stored in Amazon ECR in your source Region (where your build runs), and in any Regions where you distribute the container image. For more information about Amazon ECR, see the [Amazon Elastic Container Registry User Guide](https://docs.aws.amazon.com/AmazonECR/latest/userguide/).
+ **Amazon EventBridge** – Connect to a stream of real-time event data from Image Builder activities in your account. For more information about EventBridge, see [What Is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) in the *Amazon EventBridge User Guide*.
+ **Amazon Inspector** – Discover vulnerabilities in your software and network settings with automatic scans for the EC2 test instance that Image Builder launches to create a new image. Image Builder saves findings for your output image resource so that you can investigate and remediate after your test instance terminates. For more information about scans and pricing, see [What is Amazon Inspector?](https://docs.aws.amazon.com/inspector/v1/userguide/inspector_introduction.html) in the *Amazon Inspector User Guide*.

  Amazon Inspector can also scan your ECR repositories if you configure enhanced scanning. For more information, see [Scanning Amazon ECR container images](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html) in the *Amazon Inspector User Guide*.
**Note**  
Amazon Inspector is a paid feature.
+ **AWS License Manager** – You can attach a License Manager self-managed license to an output AMI during the distribution process. The license that you specify for the destination Region must already exist in that Region. For more information about self-managed licenses, see [Self-managed licenses in License Manager](https://docs.aws.amazon.com/license-manager/latest/userguide/license-configurations.html).
+ **AWS Marketplace** – See a list of your current AWS Marketplace product subscriptions, and search for image products directly from Image Builder. You can also use an image product that you’ve subscribed to as the base image for an Image Builder recipe. For more information about managing AWS Marketplace subscriptions, see [Buying products](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-subscribing-to-products.html) in the *AWS Marketplace Buyer Guide*.
+ **AWS Resource Access Manager (AWS RAM)** – With AWS RAM, you can share resources with any AWS account or through AWS Organizations. If you have multiple AWS accounts, you can create resources centrally and use AWS RAM to share those resources with other accounts. EC2 Image Builder allows sharing for the following resources: components, images, and image recipes. For more information about AWS RAM, see the [AWS Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html). For information about sharing Image Builder resources, see [Share Image Builder resources with AWS RAM](manage-shared-resources.md).
+ **Amazon Simple Notification Service (Amazon SNS)** – If configured, publish detailed messages about your image status to an SNS topic that you subscribe to. For more information about Amazon SNS, see [What is Amazon SNS?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) in the *Amazon Simple Notification Service Developer Guide*.

**Topics**
+ [Amazon EventBridge integration in Image Builder](integ-eventbridge.md)
+ [Amazon Inspector integration in Image Builder](integ-inspector.md)
+ [AWS Marketplace integration in Image Builder](integ-marketplace.md)
+ [Amazon SNS integration in Image Builder](integ-sns.md)
+ [Compliance products for your Image Builder images](integ-compliance-products.md)

# Amazon EventBridge integration in Image Builder
<a name="integ-eventbridge"></a>

Amazon EventBridge is a serverless event bus service that you can use to connect your Image Builder application with related data from other AWS services. In EventBridge, a rule matches incoming events and sends them to targets for processing. A single rule can send an event to multiple targets, and these events then run in parallel.

With EventBridge, you can automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to EventBridge in near real time. You can set up rules that react to incoming events and initiate actions, for example, sending an event to a Lambda function when the status of an EC2 instance changes from pending to running. These are called *patterns*. To create a rule based on an event pattern, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

Actions that can be automatically initiated include the following:
+ Invoke an AWS Lambda function
+ Invoke Amazon EC2 Run Command
+ Relay the event to Amazon Kinesis Data Streams
+ Activate an AWS Step Functions state machine
+ Notify an Amazon SNS topic or an Amazon SQS queue

You can also set up scheduling rules for the default event bus to perform an action at regular intervals, such as running an Image Builder pipeline to refresh an image on a quarterly basis. There are two types of schedule expressions:
+ **cron expressions** – The following example of a cron expression schedules a task to run every day at noon UTC+0:

  `cron(0 12 * * ? *)`

  For more information about using cron expressions with EventBridge, see [Cron expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html#eb-cron-expressions) in the *Amazon EventBridge User Guide*.
+ **rate expressions** – The following example of a rate expression schedules a task to run every 12 hours:

  `rate(12 hour)`

  For more information about using rate expressions with EventBridge, see [Rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html#eb-rate-expressions) in the *Amazon EventBridge User Guide*.

For more information about how EventBridge rules integrate with Image Builder image pipelines, see [Use EventBridge rules with Image Builder pipelines](ev-rules-for-pipeline.md).

## Event messages that Image Builder sends
<a name="integ-eb-event-summary"></a>

Image Builder sends event messages to EventBridge when there are significant changes in status for Image Builder resources, for example, when there's a state change for an image. The following examples show typical JSON event messages that Image Builder might send.

**Topics**
+ [EC2 Image Builder Image State Change](#eb-event-state-change)
+ [EC2 Image Builder CVE Detected](#eb-event-cve-detected)
+ [EC2 Image Builder Workflow Step Waiting](#eb-event-wf-step-waiting)
+ [EC2 Image Builder Image Pipeline Automatically Disabled](#eb-event-pipeline-disabled)

### EC2 Image Builder Image State Change
<a name="eb-event-state-change"></a>

Image Builder sends this event when the state changes for an image resource during image creation, for example, when the image status changes from one state to another, as follows:
+ From `building` to `testing`
+ From `testing` to `distribution`
+ From `testing` to `failed`
+ From `integrating` to `available`

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "EC2 Image Builder Image State Change",
    "source": "aws.imagebuilder",
    "account": "111122223333",
    "time": "2024-01-18T17:50:56Z",
    "region": "us-west-2",
    "resources": ["arn:aws:imagebuilder:us-west-2:111122223333:image/cmkencryptedworkflowtest-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/1.0.0/1"],
    "detail": {
        "previous-state": {
            "status": "TESTING"
        },
        "state": {
            "status": "AVAILABLE"
        }
    }
}
```

### EC2 Image Builder CVE Detected
<a name="eb-event-cve-detected"></a>

If you have CVE detection enabled for your image, Image Builder sends a message with the results whenever an image scan completes.

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "EC2 Image Builder CVE Detected",
    "source": "aws.imagebuilder",
    "account": "111122223333",
    "time": "2023-03-01T16:59:09Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:imagebuilder:us-east-1:111122223333:image/test-image/1.0.0/1",
        "arn:aws:imagebuilder:us-east-1:111122223333:image-pipeline/test-pipeline"
    ],
    "detail": {
        "resource-id": "i-1234567890abcdef0",
        "finding-severity-counts": {
            "all": 0,
            "critical": 0,
            "high": 0,
            "medium": 0
        }
    }
}
```

### EC2 Image Builder Workflow Step Waiting
<a name="eb-event-wf-step-waiting"></a>

Image Builder sends a message when a `WaitForAction` workflow step pauses to wait for an asynchronous action to complete.

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "EC2 Image Builder Workflow Step Waiting",
    "source": "aws.imagebuilder",
    "account": "111122223333",
    "time": "2024-01-18T16:54:44Z",
    "region": "us-west-2",
    "resources": ["arn:aws:imagebuilder:us-west-2:111122223333:image/workflowstepwaitforactionwithvalidsnstopictest-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/1.0.0/1", "arn:aws:imagebuilder:us-west-2:111122223333:workflow/build/build-workflow-a1b2c3d4-5678-90ab-cdef-EXAMPLE33333/1.0.0/1"],
    "detail": {
        "workflow-execution-id": "wf-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "workflow-step-execution-id": "step-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "workflow-step-name": "TestAutoSNSStop"
    }
}
```

### EC2 Image Builder Image Pipeline Automatically Disabled
<a name="eb-event-pipeline-disabled"></a>

If you've configured the `autoDisablePolicy` for your pipeline, then Image Builder disables the pipeline and sends an event message to EventBridge when the number of consecutive scheduled pipeline execution failures exceeds the maximum number that's allowed per the policy.

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "EC2 Image Builder Image Pipeline Automatically Disabled",
    "source": "aws.imagebuilder",
    "account": "111122223333",
    "time": "2025-09-18T16:54:44Z",
    "region": "us-west-2",
    "resources": ["arn:aws:imagebuilder:us-west-2:111122223333:image-pipeline/disabled-image-pipeline-name"],
    "detail": {
        "consecutive-failures": "5"
    }
}
```
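
The following added example (not part of the AWS documentation or any AWS-provided code) shows one way a rule target, such as a Lambda function, could triage the four event types above. The function names, the action labels (`hold`, `alert`, `record`, `review`), and the choice of blocking severities are assumptions made for this sketch.

```python
import json

# Assumption for this example: findings at these severities hold an image back.
BLOCKING_SEVERITIES = ("critical", "high")


def image_arns(resources):
    """Keep image ARNs only; 'resources' can also list pipeline and workflow ARNs."""
    return [arn for arn in (resources or []) if ":image/" in arn]


def to_count(value):
    """Counts may be numbers or numeric strings ("5"); return None if unreadable."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return None
    return number if number >= 0 else None


def triage(event, expected_account):
    """Return {'action', 'reason', 'images'} for one Image Builder event."""
    detail_type = event.get("detail-type", "")
    detail = event.get("detail") or {}
    result = {"action": "ignore", "reason": "",
              "images": image_arns(event.get("resources"))}

    if event.get("source") != "aws.imagebuilder":
        result["reason"] = "source is not aws.imagebuilder"
    elif event.get("account") != expected_account:
        result.update(action="alert", reason="event from unexpected account")
    elif detail_type == "EC2 Image Builder Image State Change":
        status = (detail.get("state") or {}).get("status")
        if status == "FAILED":
            result.update(action="alert", reason="image build failed")
        elif status == "AVAILABLE":
            result.update(action="record", reason="image is available")
        else:
            result["reason"] = f"intermediate state {status}"
    elif detail_type == "EC2 Image Builder CVE Detected":
        counts = detail.get("finding-severity-counts")
        if isinstance(counts, dict):
            parsed = [to_count(counts.get(s, 0)) for s in BLOCKING_SEVERITIES]
        else:
            parsed = [None]
        if None in parsed:
            # Fail closed: an unreadable scan result must not look like a clean one.
            result.update(action="hold", reason="severity counts missing or unreadable")
        elif sum(parsed) > 0:
            result.update(action="hold", reason=f"{sum(parsed)} critical/high findings")
        else:
            result.update(action="record", reason="no critical/high findings")
    elif detail_type == "EC2 Image Builder Workflow Step Waiting":
        step = detail.get("workflow-step-name", "unknown")
        result.update(action="review", reason=f"step {step} is waiting for action")
    elif detail_type == "EC2 Image Builder Image Pipeline Automatically Disabled":
        # The sample message carries this count as a string ("5"), so normalize it.
        failures = to_count(detail.get("consecutive-failures"))
        result.update(action="alert",
                      reason=f"pipeline disabled after {failures} consecutive failures")
    else:
        result["reason"] = f"unhandled detail-type {detail_type!r}"
    return result


# Constructed sample events in the format shown above, trimmed to the fields used.
CVE_EVENT = json.loads("""{
  "detail-type": "EC2 Image Builder CVE Detected", "source": "aws.imagebuilder",
  "account": "111122223333",
  "resources": ["arn:aws:imagebuilder:us-east-1:111122223333:image/test-image/1.0.0/1",
                "arn:aws:imagebuilder:us-east-1:111122223333:image-pipeline/test-pipeline"],
  "detail": {"resource-id": "i-1234567890abcdef0",
             "finding-severity-counts": {"all": 3, "critical": 1, "high": 1, "medium": 1}}
}""")
DISABLED_EVENT = json.loads("""{
  "detail-type": "EC2 Image Builder Image Pipeline Automatically Disabled",
  "source": "aws.imagebuilder", "account": "111122223333",
  "resources": ["arn:aws:imagebuilder:us-west-2:111122223333:image-pipeline/disabled-image-pipeline-name"],
  "detail": {"consecutive-failures": "5"}
}""")

if __name__ == "__main__":
    for sample in (CVE_EVENT, DISABLED_EVENT):
        print(json.dumps(triage(sample, "111122223333"), indent=2))
```

A CVE event whose severity counts are missing or unreadable is held rather than recorded, so a malformed scan result can't pass as a clean one.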

# Amazon Inspector integration in Image Builder
<a name="integ-inspector"></a>

When you activate security scanning with Amazon Inspector, it continuously scans machine images and running instances in your account for operating system and programming language vulnerabilities. If activated, security scanning is automatic, and Image Builder can save a snapshot of the findings from your test instance when you create a new image. Amazon Inspector is a paid service.

When Amazon Inspector discovers vulnerabilities in your software or network settings, it takes the following actions:
+ Notifies you that there was a finding.
+ Rates the severity of the finding. The severity rating categorizes vulnerabilities to help you prioritize your findings, and includes the following values:
  + Untriaged
  + Informational
  + Low
  + Medium
  + High
  + Critical
+ Provides information about the finding, and links to additional resources for more detail.
+ Offers remediation guidance to help you resolve the issues that generated the finding.

**Configure security scans**  
If you've activated Amazon Inspector for your account, Amazon Inspector automatically scans the EC2 instances that Image Builder launches to build and test a new image. Those instances have a short lifespan during the build and test process, and their findings would normally expire as soon as those instances shut down. To help you investigate and remediate findings for your new image, Image Builder can optionally save any findings that Amazon Inspector identified on your test instance during the build process as a snapshot.

To configure security scans for your pipeline, see [Configure security scans for Image Builder images in the AWS Management Console](image-security-findings.md#image-config-security-scans).

**Review security findings**  
In the Image Builder console, you can view security findings for all of your Image Builder resources in one place. You can see all findings on the **Security findings** page in the **Security Overview** section, or you can group your findings by vulnerability, by image pipeline, or by image. The console defaults to display all security findings. The summary panel for the **All security findings** option shows the number of findings that you have for each severity level. For more information, see [Manage security findings for Image Builder images in the AWS Management Console](image-security-findings.md#image-manage-security-findings).

To learn more about Amazon Inspector vulnerability findings, see [Understanding findings in Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html) in the *Amazon Inspector User Guide*.

# AWS Marketplace integration in Image Builder
<a name="integ-marketplace"></a>

AWS Marketplace is a curated digital catalog where you can find and subscribe to third-party software, data, and services that help you build solutions to fit your business needs. AWS Marketplace brings authenticated buyers and registered sellers together with software listings from popular categories such as security, networking, storage, machine learning, and more.

An AWS Marketplace seller can be an independent software vendor (ISV), a reseller, or an individual who has something to offer that works with AWS products and services. When the seller submits a product in AWS Marketplace, they define the price of the product, and the terms and conditions of use. Buyers agree to the pricing, terms, and conditions set for the offer. To learn more about AWS Marketplace, see [What is AWS Marketplace?](https://docs.aws.amazon.com/marketplace/latest/buyerguide/what-is-marketplace.html)

**AWS Marketplace integration features**  
Image Builder integrates with AWS Marketplace to provide the following capabilities directly from the Image Builder console:
+ Search for image products that are available in AWS Marketplace.
+ Search for AWS Marketplace image products that deliver components.
+ See a list of your current AWS Marketplace product subscriptions.
+ Use an AWS Marketplace image product that you've subscribed to as the base image for an Image Builder recipe.
+ Use AWS Marketplace components that you've subscribed to in an Image Builder recipe.

Image Builder integrates with AWS Marketplace to show image products and components that you've subscribed to. You can also search for AWS Marketplace image products and components from the **Discover products** page without leaving the Image Builder console.

The output AMI that Image Builder creates includes the product codes from AWS Marketplace image products and components. You can have up to four product codes for your final customized image.

## AWS Marketplace subscriptions in Image Builder
<a name="integ-marketplace-subs"></a>

The **Subscriptions** page in the AWS Marketplace section of the Image Builder console shows you a list of the AWS Marketplace products that you're currently subscribed to. Each subscribed product shows the following details:
+ The product name. This is linked to the product detail page in AWS Marketplace. The product detail page for your subscribed product opens in a new tab in your browser.
+ The **Publisher**. This is linked to the publisher detail page in AWS Marketplace. The publisher detail page opens in a new tab in your browser.
+ The **Version** that you subscribed to.
+ If there are any **Associated components** included with your subscribed product, Image Builder displays a link to the component detail.

At the top of the page, you can search for a specific product by name, or you can page through your results with the pagination controls. To use a subscribed image product in a new recipe, select a subscribed product and choose **Create new recipe**. Image Builder pre-selects the first product in your list by default.

**Note**  
If you're looking for a product that you just subscribed to, and you don't see it in the list, use the refresh button at the top of the tab to refresh your results. It might take a few minutes for a new subscription to appear in the list.

## Discover AWS Marketplace image products from the Image Builder console
<a name="integ-marketplace-find"></a>

This section focuses on AWS Marketplace image products to use as a base image in your recipe. For products that include associated software components, you can filter on the product owner in the console and in the API, SDK, and CLI. For more information, see [List Image Builder components](component-details.md#list-components). For more information about finding, subscribing to, and using AWS Marketplace components, see [Use AWS Marketplace components to customize your image](use-marketplace-components.md).

**Discover products**  
To find an AWS Marketplace image product from the Image Builder console, follow these steps:

1. Open the EC2 Image Builder console at [https://console.aws.amazon.com/imagebuilder/](https://console.aws.amazon.com/imagebuilder/).

1. From the navigation pane, choose **Discover products** in the **AWS Marketplace** section.

1. You can search for image products in the **Image products** tab on the **Discover products** page.

   Image Builder pre-filters products from AWS Marketplace to focus on machine images that you can use in your Image Builder recipes. For more information about AWS Marketplace integration with Image Builder, choose the tab that matches what you want to see.

   This tab contains two panels. On the left, the **Refine results** panel helps you filter your results to find the products that you want to subscribe to. On the right, the **Search products** panel shows the products that meet your filter criteria, and also gives you the option to search by product name.

**Refine results**  
The following list shows just a few of the filters that you can apply to your product search:
   + Select one or more product categories, such as infrastructure software or machine learning.
   + Choose the operating systems for your image product or choose all products for a specific operating system platform, for example **All Linux/Unix**.
   + Choose one or more publishers to display their available products. Select the **Show All** link to display all of the publishers that have products that fit the filters that you've applied.
**Note**  
Publisher names are not in alphabetical order. If you're looking for a specific publisher, like `Center for Internet Security`, you can enter part of the name in the search box at the top of the **All publishers** dialog. You should spell out the name, because an abbreviation such as `CIS` might not produce the results that you're looking for.  
You can also browse the publisher names page by page.

   Filter choices are dynamic. Each choice that you make affects your options for all of the other categories. There are thousands of products available in AWS Marketplace, so the more you can filter, the more likely you are to find what you want.

**Search products**  
To find a specific product by name, you can enter part of the name in the search bar at the top of this panel. Each product result includes the following details:
   + The product name and logo. Both of these are linked to the product detail page in AWS Marketplace. The detail page opens in a new tab in your browser. From there, you can subscribe to the image product if you want to use it in an Image Builder recipe. For more information, see [Buying products](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-subscribing-to-products.html) in the *AWS Marketplace Buyer Guide*.

     If you subscribe to the image product in AWS Marketplace, switch back to the Image Builder tab in your browser, and refresh your list of subscribed image products to see it.
**Note**  
It might take a few minutes before your new subscription is available.
   + The publisher name. This is linked to the publisher detail page in AWS Marketplace. The publisher detail page opens in a new tab in your browser.
   + The product version.
   + The product star rating, and direct links to the review section of the product detail page in AWS Marketplace. The detail page opens in a new tab in your browser.
   + The first few lines of the product description.

   Directly below the search bar, you can see how many results your search produced and what subset of those results is currently displayed. You can use additional controls on the right side of the panel to adjust your settings for the number of products to display at one time, and the sort order to apply to your results. You can also use the pagination control to page through your results.

## Use an AWS Marketplace image product in Image Builder recipes
<a name="integ-marketplace-base-image"></a>

Open the **Create recipe** page and select an AWS Marketplace image product to use as your base image, as follows.

1. Open the EC2 Image Builder console at [https://console.aws.amazon.com/imagebuilder/](https://console.aws.amazon.com/imagebuilder/).

1. From the navigation pane, choose **Image recipes** in the **AWS Marketplace** section. This shows you a list of image recipes that you've created.

1. Choose **Create image recipe**. This opens the **Create recipe** page.

1. Enter your recipe **Name** and **Version** in the **Recipe details** section as usual.

1. In the **Base image** section, choose the **AWS Marketplace images** option. This shows you a list of the AWS Marketplace image products that you’ve subscribed to in the **Subscriptions** tab. You can choose your base image from the list.

   You can also search for other image products that are available in AWS Marketplace directly from the **AWS Marketplace** tab. Choose **Add products**, or open the **AWS Marketplace** tab directly. For more information about how to set filters and search in the AWS Marketplace, see [Discover AWS Marketplace image products from the Image Builder console](#integ-marketplace-find).

1. Enter remaining details as usual. If any of your product subscriptions include build components, you can select them from the **Build components** list. Select `AWS Marketplace` from the component owner type list to see them, or select `Third party managed` for the CIS component.

1. Choose **Create recipe**.

   Your final image can contain up to four product codes from AWS Marketplace image products and components. If your selected base image and components contain more than four product codes, Image Builder returns an error when you try to create the recipe.

# Amazon SNS integration in Image Builder
<a name="integ-sns"></a>

Amazon Simple Notification Service (Amazon SNS) is a managed service that provides asynchronous message delivery from publishers to subscribers (also known as producers and consumers).

You can specify an SNS topic in your infrastructure configuration. When you create an image or run a pipeline, Image Builder can publish detailed messages about your image status to this topic. When the image status reaches one of the following states, Image Builder publishes a message:
+ `AVAILABLE`
+ `FAILED`

For an example SNS message from Image Builder, see [SNS message format](#integ-sns-message). If you want to create a new SNS topic, see [Getting started with Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html) in the *Amazon Simple Notification Service Developer Guide*.

## Encrypted SNS Topics
<a name="integ-sns-encrypted"></a>

If your SNS topic is encrypted, you must grant permission in the AWS KMS key policy for the Image Builder service role to perform the following actions:
+ `kms:Decrypt`
+ `kms:GenerateDataKey`

**Note**  
If your SNS topic is encrypted, the key that encrypts this topic must reside in the account where the Image Builder service runs. Image Builder can't send notifications to SNS topics that are encrypted with keys from other accounts.

**Example KMS key policy addition**  
The following example shows the additional section that you add to the KMS key policy. Use the Amazon Resource Name (ARN) for the IAM service-linked role that Image Builder created under your account when you first created an Image Builder image. To learn more about the Image Builder service-linked role, see [Use IAM service-linked roles for Image Builder](image-builder-service-linked-role.md).

```
{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    },
    "Action": [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }]
}
```

You can use one of the following methods to get the ARN.

------
#### [ AWS Management Console ]

To get the ARN for the service-linked role that Image Builder created under your account from the AWS Management Console, follow these steps:

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the left navigation pane, choose **Roles**.

1. Search for `ImageBuilder`, and choose the following **Role name** from the results: `AWSServiceRoleForImageBuilder`. This displays the role detail page.

1. To copy the ARN to your clipboard, choose the icon next to the ARN name.

------
#### [ AWS CLI ]

To get the ARN for the service-linked role that Image Builder created under your account from the AWS CLI, use the IAM [get-role](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role.html) command, as follows.

```
aws iam get-role --role-name AWSServiceRoleForImageBuilder
```

**Partial sample output:**

```
{
    "Role": {
        "Path": "/aws-service-role/imagebuilder.amazonaws.com/",
        "RoleName": "AWSServiceRoleForImageBuilder",
        ...
        "Arn": "arn:aws:iam::123456789012:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
        ...
    }
}
```

------
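
As an added example (not AWS-provided code), the following sketch checks a KMS key policy document for the explicit grant described in this section, and for the same-account requirement from the note above. The function names, the key ARNs, and the weak policy variant are constructed for illustration. The check looks only at explicit `Allow` statements that name the role, and does not evaluate `Deny` statements or grants made through other principals.

```python
import re

# Actions this section says the Image Builder service role needs on the topic's key.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def audit_key_policy(policy, role_arn, key_arn):
    """Return a list of findings; an empty list means the explicit grant is in place."""
    findings = []
    key_account, role_account = account_of(key_arn), account_of(role_arn)
    if not key_account or key_account != role_account:
        findings.append("key is not in the account of the Image Builder service role")

    granted = set()
    for statement in as_list(policy.get("Statement")):
        principal = statement.get("Principal")
        principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if statement.get("Effect") != "Allow" or role_arn not in principals:
            continue
        if statement.get("Condition"):
            # A conditional grant might not apply when Image Builder publishes.
            findings.append("grant to the role is conditional; review the Condition block")
            continue
        for pattern in as_list(statement.get("Action")):
            granted.update(a for a in REQUIRED_ACTIONS if action_matches(pattern, a))

    for action in REQUIRED_ACTIONS:
        if action not in granted:
            findings.append(f"no unconditional Allow grants {action} to the role")
    return findings


ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
            "imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder")
# Constructed key ARNs; the key ID is a placeholder.
KEY_ARN = "arn:aws:kms:us-west-1:123456789012:key/EXAMPLE-KEY-ID"
FOREIGN_KEY_ARN = "arn:aws:kms:us-west-1:999999999999:key/EXAMPLE-KEY-ID"

# The policy addition from this section.
PAGE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*",
}]}
# Constructed weak variant: a single statement that omits GenerateDataKey.
DECRYPT_ONLY_POLICY = {"Statement": {
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": "kms:Decrypt", "Resource": "*"}}

if __name__ == "__main__":
    for name, policy, key in (("page policy", PAGE_POLICY, KEY_ARN),
                              ("decrypt only", DECRYPT_ONLY_POLICY, KEY_ARN),
                              ("foreign key", PAGE_POLICY, FOREIGN_KEY_ARN)):
        print(name, "->", audit_key_policy(policy, ROLE_ARN, key) or "ok")
```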

## SNS message format
<a name="integ-sns-message"></a>

After Image Builder publishes a message to your Amazon SNS topic, other services that subscribe to the topic can filter on the message format and determine if it meets criteria for further action. For example, a success message might initiate a task to update an AWS Systems Manager parameter store, or to launch an external compliance testing workflow for the output AMI.

The following example shows the JSON payload for a typical message that Image Builder publishes when a pipeline build runs to completion, and creates a Linux image.

```
{
  "versionlessArn": "arn:aws:imagebuilder:us-west-1:123456789012:image/example-linux-image",
  "semver": 1237940039285380274899124227,
  "arn": "arn:aws:imagebuilder:us-west-1:123456789012:image/example-linux-image/1.0.0/3",
  "name": "example-linux-image",
  "version": "1.0.0",
  "type": "AMI",
  "buildVersion": 3,
  "state": {
    "status": "AVAILABLE"
  },
  "platform": "Linux",
  "imageRecipe": {
    "arn": "arn:aws:imagebuilder:us-west-1:123456789012:image-recipe/example-linux-image/1.0.0",
    "name": "amjule-barebones-linux",
    "version": "1.0.0",
    "components": [
      {
        "componentArn": "arn:aws:imagebuilder:us-west-1:123456789012:component/update-linux/1.0.2/1"
      }
    ],
    "platform": "Linux",
    "parentImage": "arn:aws:imagebuilder:us-west-1:987654321098:image/amazon-linux-2-x86/2022.6.14/1",
    "blockDeviceMappings": [
      {
        "deviceName": "/dev/xvda",
        "ebs": {
          "encrypted": false,
          "deleteOnTermination": true,
          "volumeSize": 8,
          "volumeType": "gp2"
        }
      }
    ],
    "dateCreated": "Feb 24, 2021 12:31:54 AM",
    "tags": {
      "internalId": "1a234567-8901-2345-bcd6-ef7890123456",
      "resourceArn": "arn:aws:imagebuilder:us-west-1:123456789012:image-recipe/example-linux-image/1.0.0"
    },
    "workingDirectory": "/tmp",
    "accountId": "462045008730"
  },
  "sourcePipelineArn": "arn:aws:imagebuilder:us-west-1:123456789012:image-pipeline/example-linux-pipeline",
  "infrastructureConfiguration": {
    "arn": "arn:aws:imagebuilder:us-west-1:123456789012:infrastructure-configuration/example-linux-infra-config-uswest1",
    "name": "example-linux-infra-config-uswest1",
    "instanceProfileName": "example-linux-ib-baseline-admin",
    "tags": {
      "internalId": "234abc56-d789-0123-a4e5-6b789d012c34",
      "resourceArn": "arn:aws:imagebuilder:us-west-1:123456789012:infrastructure-configuration/example-linux-infra-config-uswest1"
    },
    "logging": {
      "s3Logs": {
        "s3BucketName": "amzn-s3-demo-bucket"
      }
    },
    "keyPair": "example-linux-key-pair-uswest1",
    "terminateInstanceOnFailure": true,
    "snsTopicArn": "arn:aws:sns:us-west-1:123456789012:example-linux-ibnotices-uswest1",
    "dateCreated": "Feb 24, 2021 12:31:55 AM",
    "accountId": "123456789012"
  },
  "imageTestsConfigurationDocument": {
    "imageTestsEnabled": true,
    "timeoutMinutes": 720
  },
  "distributionConfiguration": {
    "arn": "arn:aws:imagebuilder:us-west-1:123456789012:distribution-configuration/example-linux-distribution",
    "name": "example-linux-distribution",
    "dateCreated": "Feb 24, 2021 12:31:56 AM",
    "distributions": [
      {
        "region": "us-west-1",
        "amiDistributionConfiguration": {}
      }
    ],
    "tags": {
      "internalId": "345abc67-8910-12d3-4ef5-67a8b90c12de",
      "resourceArn": "arn:aws:imagebuilder:us-west-1:123456789012:distribution-configuration/example-linux-distribution"
    },
    "accountId": "123456789012"
  },
  "dateCreated": "Jul 28, 2022 1:13:45 AM",
  "outputResources": {
    "amis": [
      {
        "region": "us-west-1",
        "image": "ami-01a23bc4def5a6789",
        "name": "example-linux-image 2022-07-28T01-14-17.416Z",
        "accountId": "123456789012"
      }
    ]
  },
  "buildExecutionId": "ab0cd12e-34fa-5678-b901-2c3456d789e0",
  "testExecutionId": "6a7b8901-cdef-234a-56b7-8cd89ef01234",
  "distributionJobId": "1f234567-8abc-9d0e-1234-fa56b7c890de",
  "integrationJobId": "432109b8-afe7-6dc5-4321-0ba98f7654e3",
  "accountId": "123456789012",
  "osVersion": "Amazon Linux 2",
  "enhancedImageMetadataEnabled": true,
  "buildType": "USER_INITIATED",
  "tags": {
    "internalId": "901e234f-a567-89bc-0123-d4e567f89a01",
    "resourceArn": "arn:aws:imagebuilder:us-west-1:123456789012:image/example-linux-image/1.0.0/3"
  }
}
```

The following example shows the JSON payload for a typical message that Image Builder publishes for a pipeline build failure for a Linux image.

```
{
  "versionlessArn": "arn:aws:imagebuilder:us-west-2:123456789012:image/my-example-image",
  "semver": 1237940039285380274899124231,
  "arn": "arn:aws:imagebuilder:us-west-2:123456789012:image/my-example-image/1.0.0/7",
  "name": "My Example Image",
  "version": "1.0.0",
  "type": "AMI",
  "buildVersion": 7,
  "state": {
    "status": "FAILED",
    "reason": "Image Failure reason."
  },
  "platform": "Linux",
  "imageRecipe": {
    "arn": "arn:aws:imagebuilder:us-west-2:123456789012:image-recipe/my-example-image/1.0.0",
    "name": "My Example Image",
    "version": "1.0.0",
    "description": "Testing Image recipe",
    "components": [
      {
        "componentArn": "arn:aws:imagebuilder:us-west-2:123456789012:component/my-example-image-component/1.0.0/1"
      }
    ],
    "platform": "Linux",
    "parentImage": "ami-0cd12345db678d90f",
    "dateCreated": "Jun 21, 2022 11:36:14 PM",
    "tags": {
      "internalId": "1a234567-8901-2345-bcd6-ef7890123456",
      "resourceArn": "arn:aws:imagebuilder:us-west-2:123456789012:image-recipe/my-example-image/1.0.0"
    },
    "accountId": "123456789012"
  },
  "sourcePipelineArn": "arn:aws:imagebuilder:us-west-2:123456789012:image-pipeline/my-example-image-pipeline",
  "infrastructureConfiguration": {
    "arn": "arn:aws:imagebuilder:us-west-2:123456789012:infrastructure-configuration/my-example-infra-config",
    "name": "SNS topic Infra config",
    "description": "An example that will retain instances of failed builds",
    "instanceTypes": [
      "t2.micro"
    ],
    "instanceProfileName": "EC2InstanceProfileForImageBuilder",
    "tags": {
      "internalId": "234abc56-d789-0123-a4e5-6b789d012c34",
      "resourceArn": "arn:aws:imagebuilder:us-west-2:123456789012:infrastructure-configuration/my-example-infra-config"
    },
    "terminateInstanceOnFailure": true,
    "snsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-pipeline-notification-topic",
    "dateCreated": "Jul 5, 2022 7:31:53 PM",
    "accountId": "123456789012"
  },
  "imageTestsConfigurationDocument": {
    "imageTestsEnabled": true,
    "timeoutMinutes": 720
  },
  "distributionConfiguration": {
    "arn": "arn:aws:imagebuilder:us-west-2:123456789012:distribution-configuration/my-example-distribution-config",
    "name": "New distribution config",
    "dateCreated": "Dec 3, 2021 9:24:22 PM",
    "distributions": [
      {
        "region": "us-west-2",
        "amiDistributionConfiguration": {},
        "fastLaunchConfigurations": [
          {
            "enabled": true,
            "snapshotConfiguration": {
              "targetResourceCount": 2
            },
            "maxParallelLaunches": 2,
            "launchTemplate": {
              "launchTemplateId": "lt-01234567890"
            },
            "accountId": "123456789012"
          }
        ]
      }
    ],
    "tags": {
      "internalId": "1fecd23a-4f56-7f89-01e2-345678abbe90",
      "resourceArn": "arn:aws:imagebuilder:us-west-2:123456789012:distribution-configuration/my-example-distribution-config"
    },
    "accountId": "123456789012"
  },
  "dateCreated": "Jul 5, 2022 7:40:15 PM",
  "outputResources": {
    "amis": []
  },
  "accountId": "123456789012",
  "enhancedImageMetadataEnabled": true,
  "buildType": "SCHEDULED",
  "tags": {
    "internalId": "456c78b9-0e12-3f45-afb6-7e89b0f1a23b",
    "resourceArn": "arn:aws:imagebuilder:us-west-2:123456789012:image/my-example-image/1.0.0/7"
  }
}
```
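A subscriber that filters on these two payloads and decides what to do next, as an added example rather than AWS code. The field names come from the payloads above; the function names, the action labels (`promote`, `hold`, `alert`, `ignore`), the trusted-account allowlist, and the EBS encryption policy are assumptions.

```python
import json

def triage(message: str, trusted_accounts: set) -> dict:
    """Decide what a subscriber should do with one Image Builder notification."""
    msg = json.loads(message)
    state = msg.get("state", {})
    result = {"image": msg.get("arn"), "status": state.get("status"),
              "amis": [], "findings": []}

    if result["status"] == "FAILED":
        result["findings"].append(state.get("reason", "no reason given"))
        result["action"] = "alert"
        return result
    if result["status"] != "AVAILABLE":
        result["action"] = "ignore"  # any other state: nothing to act on
        return result

    for ami in msg.get("outputResources", {}).get("amis", []):
        result["amis"].append((ami.get("region"), ami.get("image")))
        if ami.get("accountId") not in trusted_accounts:
            result["findings"].append(f"AMI {ami.get('image')} owned by unexpected account")
    if not result["amis"]:
        result["findings"].append("AVAILABLE but no output AMIs listed")

    # Assumed policy: hold images whose recipe leaves an EBS volume unencrypted.
    for mapping in msg.get("imageRecipe", {}).get("blockDeviceMappings", []):
        ebs = mapping.get("ebs")
        if ebs is not None and not ebs.get("encrypted", False):
            result["findings"].append(f"EBS volume {mapping.get('deviceName')} not marked encrypted")
    result["action"] = "hold" if result["findings"] else "promote"
    return result

def handler(event, context=None):
    """Lambda-style entry point: SNS delivers each message as a JSON string."""
    trusted = {"123456789012"}  # assumed allowlist of AMI owner accounts
    return [triage(r["Sns"]["Message"], trusted) for r in event["Records"]]

# Constructed inputs, trimmed from the two payloads shown above.
SUCCESS = json.dumps({
    "arn": "arn:aws:imagebuilder:us-west-1:123456789012:image/example-linux-image/1.0.0/3",
    "state": {"status": "AVAILABLE"},
    "imageRecipe": {"blockDeviceMappings": [
        {"deviceName": "/dev/xvda", "ebs": {"encrypted": False, "volumeSize": 8}}]},
    "outputResources": {"amis": [{"region": "us-west-1", "image": "ami-01a23bc4def5a6789",
                                  "accountId": "123456789012"}]}})
FAILURE = json.dumps({
    "arn": "arn:aws:imagebuilder:us-west-2:123456789012:image/my-example-image/1.0.0/7",
    "state": {"status": "FAILED", "reason": "Image Failure reason."},
    "outputResources": {"amis": []}})
```

Under this policy the success payload is held, not promoted, because its recipe sets `"encrypted": false` on `/dev/xvda`.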

# Compliance products for your Image Builder images
<a name="integ-compliance-products"></a>

With constantly evolving security standards, it can be a challenge to maintain compliance and safeguard your organization from cyber threats. To help ensure that your custom images are compliant, and stay that way through automatic updates when publishers release new versions, Image Builder integrates with AWS Marketplace compliance products and Image Builder components.

Image Builder integrates with the following compliance products:
+ **Center for Internet Security (CIS) Benchmarks hardening** – You can use CIS Hardened Images and the related CIS hardening components to build custom images that comply with the latest CIS Benchmarks Level 1 guidelines. CIS Hardened Images are available in AWS Marketplace. To learn more about how to set up and use CIS Hardened Images and hardening components, see the [Quick Start Guide: CIS Hardening Components for EC2 Image Builder](https://cisecurity.atlassian.net/wiki/spaces/CSKB/pages/2850881850/Quick+Start+Guide+CIS+Hardening+Components+for+EC2+Image+Builder) in the CIS security wiki.

  **Note**  
  When you subscribe to a CIS Hardened Image, you also get access to the associated build component that runs a script to enforce CIS Benchmark Level 1 guidelines for your configuration. For more information, see [CIS hardening components](toe-cis.md).
+ **Security Technical Implementation Guides (STIG)** – For STIG compliance, you can use Amazon-managed AWS Task Orchestrator and Executor (AWSTOE) STIG components in your Image Builder recipes. STIG components scan your build instance for misconfigurations and run a remediation script to correct issues that they find. We can't guarantee STIG compliance for the images that you build with Image Builder. You must work with your organization's compliance team to verify that your final image is compliant. For a complete list of AWSTOE STIG components that you can use in your Image Builder recipes, see [Amazon managed STIG hardening components for Image Builder](ib-stig.md).