Leaner, faster, hardened: Maximizing security with Minimal Ubuntu Pro CIS on AWS

On August 28, 2025, Canonical launched Minimal Ubuntu Pro with CIS hardening on the AWS Marketplace. Available for both AMD64 and Graviton architectures, this new listing provides a pre-hardened Amazon Machine Image (AMI) that is ready for immediate deployment.

What does it mean?

We have unified three essential value propositions into a single product:

Minimal Ubuntu

This image includes only the bare minimum of packages, allowing you to:

• Maintain full control over which packages are installed to support your workloads.
• Reduce the attack surface by eliminating unnecessary software.
• Optimize performance with smaller image sizes and faster boot times.

Ubuntu Pro

This expands your security model in three key ways:

• Extended lifecycle: Coverage increases from the standard 5-year LTS window to 10 years, with the option to reach up to 15 years via the Legacy add-on.
• Universe repository coverage: Security patching now expands beyond the “Main” repository to include thousands of additional packages included in the “Universe” repository.
• Simplified compliance: Includes FIPS-validated kernels and modules for FedRAMP, as well as industry-standard hardening profiles like CIS and DISA-STIG.

CIS hardening

With CIS Level 1 hardening applied out of the box, you get:

• Instant security: Industry-standard configurations are pre-applied to strengthen your security posture.
• Faster time-to-market: Spend less time configuring and more time deploying.

This image is ideal for customers who want to deploy lean and controlled environments while enhancing security at every layer.

Post-launch considerations

Completing Level 1 hardening

While CIS benchmarks provide a rigorous framework for hardening, not every rule can be automatically applied to a pre-built image. Some rules require user-specific decisions or intervention, while others must be “translated” to fit specific cloud environments.

For this reason, we have published a detailed documentation for post-deployment hardening to help you achieve full CIS Level 1 compliance. You can find the guide here: Post-deployment CIS hardening for Ubuntu

Moving to Level 2 compliance

If your environment requires a stricter level of security, Ubuntu Pro also provides Level 2 hardening profiles. Starting from a CIS Level 1 image makes the transition to Level 2 significantly faster. You can manage this via the command line:

• View available profiles: sudo usg list
• Apply Level 2 hardening: sudo usg fix cis_level2_server-v2.0.0

Checking compliance status

As you install workloads and dependencies, some configurations may change, potentially impacting your compliance status. To verify your standing, you can generate a report in HTML or XML format by running:

sudo usg audit cis_level1_server-v2.0.0

Additionally, Amazon Inspector provides CIS compliance scanning by leveraging AWS Systems Manager (SSM) to audit your instances automatically.

Availability and billing

• This image is available on AWS Marketplace, across all standard AWS Commercial regions.
• Billing Model: This is a “License Included” image. There is no need to manage separate contracts or tokens with Canonical.
• Pricing: You are billed a flat hourly fee (starting as low as $0.01/hr depending on the instance size) directly through your existing AWS bill. This simplifies procurement, as it counts towards your AWS Enterprise Discount Program (EDP) commitments.
• Architectures: Full support for AMD64 (x86) and Graviton (Arm64).

How to get started

You can deploy the new Minimal Ubuntu Pro with CIS Hardening via the AWS Marketplace or programmatically through the CLI.

1. AWS Marketplace

Find the listings directly here:

• Minimal Ubuntu Pro with CIS Hardening (AMD64)
• Minimal Ubuntu Pro with CIS Hardening (Graviton/ARM64)

2. AWS CLI (Recommended for automation)

The fastest way to find the latest AMI ID in your current region is by using the AWS Systems Manager (SSM) Parameter Store.

For AMD64 (x86):

aws ssm get-parameter --name /aws/service/marketplace/prod-zbdfwzjpx7kfq/latest

For Graviton (Arm64):

aws ssm get-parameter --name /aws/service/marketplace/prod-xrjt5gpdpgtz4/latest

Pro Tip: If you are using Infrastructure as Code (Terraform or CloudFormation), you can point your scripts to these SSM paths directly. This ensures your pipelines always pull the latest, most secure image without having to manually update AMI IDs.

To learn more about how to get Ubuntu images using CLI, follow our official documentation