Amazon Machine Images (AMIs) provide an initial configuration for an EC2 instance, which includes the OS and optional customer-specific customizations, such as applications and security controls. Create an AMI catalog containing customized security configuration baselines to ensure all instances are launched with standard security controls. Security baselines can be baked into an AMI, bootstrapped dynamically when an EC2 instance is launched, or packaged as a product for uniform distribution through AWS Service Catalog portfolios. For more information on AMI configuration options, see the 

EC2 instance OS configuration should adhere to organizational security standards and contain host-integrity management software. Configure security software to monitor and maintain OS security settings, protect the integrity of critical OS files, and alert on deviations from the security baseline. AWS customers can also run Amazon Inspector assessments to improve the security and compliance of applications deployed on EC2 instances. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices and includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g., PCI DSS) and vulnerability definitions. Examples of built-in rules include checking if remote root login is enabled, or if vulnerable software versions are installed. These rules are regularly updated by AWS security researchers.

Configure OS, audit, and application logging to send local log files to a centralized log management system3 to preserve log data for security and operational behavior analysis. For example, consider including a log management agent such as the CloudWatch Logs agent or another third-party agent as part of an EC2 instance security baseline. For OS-specific configuration management advice, please see the