
Preparing an Instance for a Custom AMI

Hands-On Lab







The AWS EC2 service is outstanding when it comes to hosting applications quickly and efficiently. Part of what makes EC2 so efficient is the Amazon Machine Images, or AMIs. These images allow you to spin up EC2 instances at a moment's notice. These AMIs are great, but you have to guard them very closely if there is any sensitive information on them. If an AMI were accidentally shared to the wrong account, this information would go with it. That's why you must remove any sensitive information from EC2 instances before creating AMIs from them. This learning activity will show you how to remove sensitive information from your EC2 instances before creating an AMI to maintain utmost security.


Preparing an Instance for a Custom AMI

In this lab, we learn how to prepare an EC2 instance for AMI creation so that no sensitive information is shared along with the image.

Before getting started, make sure you're logged in to the AWS web console and have selected the N. Virginia region (us-east-1).

Configure the EC2 Instance

To begin, navigate to EC2 from the services menu, go to the Instances section, and select AMISource from the list of instances. Copy its IPv4 public IP address to your clipboard.

Next, open a terminal window and connect to the instance via SSH:

$ ssh cloud_user@<PUBLIC_IP_ADDRESS>

Be sure to substitute the actual IP address of the instance for the placeholder in the command. The instance login password can be found on the lab page with the other credentials for this lab.

Configure the AWS CLI

Once logged in, run the following command:

$ aws configure

We'll be prompted for an Access Key ID and a Secret Access Key. Press Enter to skip both prompts; a role has been assigned to the EC2 instance to allow the needed permissions. For the default region name, enter us-east-1. Press Enter again when prompted for the default output format.

Remove Sensitive Data

Before we create our AMI, we need to ensure it will not contain any sensitive information. Start by checking the contents of the cloud_user home directory:

$ ls -la

SSH Keys

First, let's examine our .ssh directory. Navigate there and check the contents:

$ cd .ssh
$ ls

We'll see that this directory includes a private key file, myPrivateSSHKey.pem, which should not be included in our AMI. To securely delete this file, run:

$ sudo shred myPrivateSSHKey.pem
$ rm myPrivateSSHKey.pem

Next, let's check the contents of the other file in the .ssh directory, authorized_hosts:

$ more authorized_hosts

The file contains two public keys. The second one, myUnusedKeyPair, is no longer in use, so we should remove it before creating our AMI. Open the file in a text editor, using either of the following commands:

$ vim authorized_hosts
$ nano authorized_hosts

Remove the line for the second key pair, then save and exit the file.

AWS Configuration

Navigate back up to the cloud_user home directory and into the .aws directory:

$ cd ..
$ cd .aws
$ ls

This directory contains configuration for the AWS CLI that we set up earlier. Check the contents of the credentials file:

$ more credentials

We'll see that the credentials are stored on the instance in plain text. The simplest way to remove this information is to run aws configure again. This time, enter "None" at each prompt rather than the actual keys and region information. We can then run more credentials again, and we'll see that the access keys have been removed.

Bash History

Finally, we'll check our Bash history for sensitive information. Navigate back up to the cloud_user home directory:

$ cd ..

We want to ensure that we're clearing the history not only for the current session, but for all sessions. The first command below clears the current session's in-memory history, and the second writes that now-empty history over the saved history file:

$ history -c
$ history -w

If we check our history after running these commands, we'll see only the commands that have been run since clearing the current session's history:

$ history
  1 history -w
  2 history
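
The script below is an added example, not part of the original lab: it lists the four kinds of leftovers removed in the steps above (private keys, trusted public keys, stored AWS access keys, saved Bash history) for a given home directory. The function names and the sample directory it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab): list the leftovers this lab removes.
# scan_home prints one finding per line for the home directory given as $1.
scan_home() {
    home=$1
    # Private key material (PEM header) anywhere under the home directory.
    grep -rlE -e '-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----' "$home" 2>/dev/null |
        sed 's/^/private-key: /'
    # Each public key still trusted for login; review every entry by its comment.
    # The glob covers the lab's authorized_hosts and OpenSSH's authorized_keys.
    for f in "$home"/.ssh/authorized_*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '/^(ssh-|ecdsa-)/ { print "trusted-key: " f ": " $NF }' "$f"
    done
    # Access keys written by `aws configure` (empty or "None" values are ignored).
    if [ -f "$home/.aws/credentials" ] && awk -F= '
        /^aws_(access_key_id|secret_access_key)/ {
            gsub(/[ \t\r]/, "", $2); if ($2 != "" && $2 != "None") hit = 1 }
        END { exit !hit }' "$home/.aws/credentials"; then
        echo "aws-credentials: $home/.aws/credentials"
    fi
    # Saved shell history from earlier sessions.
    if [ -s "$home/.bash_history" ]; then
        echo "bash-history: $home/.bash_history"
    fi
}

count_findings() { scan_home "$1" | awk 'END { print NR }'; }

# Constructed sample home directory mirroring the lab instance before cleanup.
make_sample_home() {
    d=$(mktemp -d) && mkdir "$d/.ssh" "$d/.aws"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-not-a-key' \
        > "$d/.ssh/myPrivateSSHKey.pem"
    printf '%s\n' 'ssh-rsa AAAAconstructed1 myActiveKeyPair' \
        'ssh-rsa AAAAconstructed2 myUnusedKeyPair' > "$d/.ssh/authorized_hosts"
    printf '%s\n' '[default]' 'aws_access_key_id = CONSTRUCTED_ID' \
        'aws_secret_access_key = CONSTRUCTED_SECRET' > "$d/.aws/credentials"
    printf '%s\n' 'aws configure' 'ls -la' > "$d/.bash_history"
    echo "$d"
}

sample=$(make_sample_home)
scan_home "$sample"     # lists every leftover in the uncleaned sample
rm -rf "$sample"
```

Pointed at the real home directory after the cleanup steps, the only line left should be the trusted-key entry for the key pair that is still in use.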

Create an AMI

Now that we've removed sensitive data from our instance, we can create an AMI from it.

Go back to the EC2 dashboard in the AWS web console and select the AMISource instance. Click Actions at the top of the page, select Image, and then select Create Image. Enter "myAMI" for the image name and click the Create Image button.

From the menu on the left side of the page, select AMIs. We should see the myAMI image we just created in this list. We can now use this image to create launch configurations or launch new instances.


In this lab, we learned how to identify and remove some commonly seen pieces of sensitive data from an EC2 instance so that we can create a more secure AMI from it.

Congratulations! You've successfully completed the lab on preparing an instance for a custom AMI!