
Provide EC2 Image Builder base images for EKS Optimized AMIs

Open mjvirt opened this issue 1 year ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

We need to add hardening to our EKS AMIs before we can use them. We would like base images for EKS Optimized AMIs so that we can rely on x.x.x to pick up the latest EKS Optimized AMI for a particular EKS/Kubernetes version (1.23, 1.24, ...) from the table here: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Currently, several image types are provided as base images by EC2 Image Builder. This includes e.g. amazon-linux-2-ecs-optimized-* images. But EKS Optimized AMIs are not available.

As SSM parameters are not yet an option (https://github.com/aws/ec2-image-builder-roadmap/issues/67), the only way to pick up the latest EKS Optimized AMI is by regularly creating a new pipeline recipe and the AMI id.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We use CDK/CloudFormation to deploy our EC2 Image Builder pipelines to harden various Linux and Windows flavours. We have many pipelines. The EKS AMIs are currently the only ones where we need to keep an eye on the latest provided EKS Optimized AMI and then update the EC2 Image Builder pipeline.

Are you currently working around this issue?

We are currently manually keeping an eye on new EKS Optimized AMI versions here: https://github.com/awslabs/amazon-eks-ami/blob/master/CHANGELOG.md. Then, when there are new versions, we need to make pipeline recipe changes, bump the recipe version, deploy the pipeline and then manually run the pipeline to create the first hardened EKS Optimized AMI.

mjvirt, Apr 05 '23 10:04
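The manual workaround described in the issue can be turned into a scheduled drift check, so that a hardened recipe does not sit on a superseded parent AMI. This is an added example, not code from the issue or from the Image Builder project. It assumes the recipe's `parentImage` is a plain AMI ID and reads the public SSM parameter that EKS publishes for the recommended Amazon Linux 2 AMI; the recipe name, versions and AMI IDs in the sample are constructed.

```python
"""Drift check for a hardened EKS AMI recipe (added example)."""
from typing import Optional

# Public SSM parameter EKS publishes for the recommended Amazon Linux 2 AMI.
SSM_PATH = "/aws/service/eks/optimized-ami/{k8s}/amazon-linux-2/recommended/image_id"


def bump_patch(version: str) -> str:
    """Recipe versions are major.minor.patch; bump the patch component."""
    major, minor, patch = (int(p) for p in version.split("."))
    return f"{major}.{minor}.{patch + 1}"


def plan_update(recipe: dict, latest_ami: str) -> Optional[dict]:
    """Return the recipe change to deploy, or None if the parent is current.

    `recipe` is the `imageRecipe` dict returned by get_image_recipe.
    Assumption: the recipe pins its parent image by AMI ID, not by ARN.
    """
    if not latest_ami.startswith("ami-"):
        raise ValueError(f"unexpected AMI id: {latest_ami!r}")
    if recipe["parentImage"] == latest_ami:
        return None
    return {
        "name": recipe["name"],
        "old_parent": recipe["parentImage"],
        "parentImage": latest_ami,
        "semanticVersion": bump_patch(recipe["version"]),
    }


def check(recipe_arn: str, k8s: str, region: str) -> Optional[dict]:
    """Live lookup; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so plan_update() works offline

    ssm = boto3.client("ssm", region_name=region)
    ib = boto3.client("imagebuilder", region_name=region)
    latest = ssm.get_parameter(Name=SSM_PATH.format(k8s=k8s))["Parameter"]["Value"]
    recipe = ib.get_image_recipe(imageRecipeArn=recipe_arn)["imageRecipe"]
    return plan_update(recipe, latest)


# Constructed sample standing in for a get_image_recipe response.
SAMPLE_RECIPE = {"name": "eks-1-24-hardened", "version": "1.0.3",
                 "parentImage": "ami-0aaaaaaaaaaaaaaaa"}

if __name__ == "__main__":
    print(plan_update(SAMPLE_RECIPE, "ami-0bbbbbbbbbbbbbbbb"))
```

A non-None result from `check()` is the signal to deploy the new recipe version and run the pipeline; the returned values map onto the `parentImage` and `semanticVersion` fields of a new recipe.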