Getting Started with Windows AMIs

Welcome to the easiest way to build secure workloads available in the AWS Marketplace today! Our Windows AMIs are designed to fit into your standard build processes as you use today, with as few changes as possible to the way you do things.

Important Note About Security

While we provide STIG compliance as a core part of our AMI package, we are not responsible for ensuring the security or availablilty of your data and systems.  There are very important considerations that you need to make while using our products to ensure you maintain compliance with all Federal and State regulations, and to ensure that your systems are not compromised and your data is secure to the greatest extent possible.

  1. Our AMIs store your application and configuration information on Elastic Block Store volumes.  By default, when creating EC2 images, these EBS volumes are not encrypted.  It is up to you, during build and deployment time, to ensure that these encryption settings are configured correctly.  Please pay close attention to the EBS instructions below to ensure you enable data-at-rest encryption on your instance, or you may be vulnerable to data exfiltration down the road.
  2. In cases where your AMI provides a frontend to a corresponding backend data service, it is entirely up to you to ensure you are using the correct network encryption algorithms on the connection between your AMI and its backend services, and that you are encrypting the data-at-rest within these services in a compliant and secure manner.  Neither Nému Corporation, nor its employees or contractors, are responsible for the complete security of your system.
  3. Our default base AMIs do not provide any cryptographic services that require key rotation, other than the SSH key that is used to access your instance.  Please refer to Amazon's documentation on recommended solutions for keypair rotation and management.
  4. Once your instance is up and running, it can be monitored using standard AWS tools, such as AWS CloudWatch.  Please refer to Amazon's documentation on best practices and recommended monitoring procedures.

Manual Build Process

If you are just testing our AMI, or you use the AWS console to launch new EC2 instances, you'll find this process familiar.  To start, browse to your EC2 console and click on either one of the Launch Instance buttons.


Next, click on AWS Marketplace in the left-hand menu and enter "nemu" in the search box, and press enter


Find the variant of Windows that you need and press the Select button next to it.


If you have not subscribed to the product yet, a dialog box will pop up asking you to confirm your subscription.  Press the Continue button to subscribe to this AMI.


You will need to select your instance type next. This works the same way as any other EC2 instance.


Select your server's SSH keypair, or create one if you do not already have one defined.

Configure your network placement and security groups in accordance with your application's architecture requirements.

Here is one area where the process differs from normal: You will need to determine how much storage space your Windows server requires, add additional volumes if desired, and tune the sizes of the all of your volumes as appropriate. You will also need to click on the Advanced link to ensure you are able to enable Encryption for each volume: The security of your data-at-rest depends on it, and it is incumbent on you to make sure this is enabled in order to maintain your security posture.  It is also important to ensure you select the appropriate volume size and volume type to meet your storage and performance needs.


If you require a user-data script to configure your instance, an IAM instance profile, or any other advanced settings, expand the Advanced details panel and add that information there.


Review the summary information at the bottom of the screen and press Launch instance to begin the EC2 deployment process.

At this point, your EC2 instance will be started and you can manage it as you would any other instance in your environment!

AWS CLI Build Process

Content under construction

CloudFormation Template Example

Content under construction

Post-Deployment System Updates

Our Windows AMIs should automatically download and apply Windows Updates within the running instance, but it is still your responsibility to ensure that all security updates are applied successfully in a timely manner.  Failure to do so may result in system compromise or denial of service.

Customers are strongly encouraged to utilize AWS Systems Manager Patch Manager to automate this task wherever possible.

Getting Help

We understand that it is sometimes difficult to get your application running on hardened operating systems. If you are encountering errors or problems trying to run your application on our AMIs, please be sure to check the knowledgebase to see if there's already a solution, and reach out to our support team if that doesn't fix it. While we may not know everything about your specific application, we have seen many of the components that are used to build them, and are more than happy to help you get things running!

Hat das Ihr Problem gelöst?