A platform team rebuilds a hardened Amazon Linux golden AMI every time the upstream base image receives security patches, and they want the rebuild, the hardening steps, a smoke test and the production of a new AMI to run automatically on a schedule with no instance kept running between builds. Which service produces the new golden AMI in the most managed, repeatable way?
- A. Keep a long-running EC2 builder instance and use a Systems Manager State Manager association to reapply the hardening configuration to it whenever new patches are released.
- B. Launch an instance from the base AMI on a schedule with Run Command, apply the hardening commands by hand-written scripts, then call CreateImage and terminate the instance manually each cycle.
- C. Define an EC2 Image Builder pipeline with the base image, hardening and test components and a schedule, so each run builds, tests and outputs a new versioned AMI then tears the build instance down. (Correct)
- D. Store the hardening steps in a CloudFormation template and deploy a new stack on each patch release so the stack update bakes the configuration into a fresh machine image for the fleet.
Why A is wrong: State Manager enforces configuration on a running instance and never outputs an AMI, so it keeps a builder alive between rebuilds and does not produce the new golden image the team needs.
Why B is wrong: Run Command can drive the steps but the team must stitch together scheduling, image creation and cleanup themselves, which is the manual orchestration that a managed image pipeline removes.
Why C is correct: Image Builder pipelines orchestrate build and test components on a transient instance, output a versioned AMI and clean up automatically, which matches the scheduled, hands-off golden-image rebuild exactly.
Why D is wrong: CloudFormation provisions resources from a template but does not build or register an AMI from a base image, so it cannot bake a hardened golden image the way an image pipeline does.