Pillar 01 — Hardened AMI Images

Every Machine Starts from a Known-Good Baseline.

Default OS images ship with years of unpatched vulnerabilities baked in. Powell Technology Group delivers CIS-benchmarked, pre-hardened machine images available on AWS Marketplace and delivered directly for on-premises environments — so every server you spin up is secure from minute one, not month six.

The Problem

Default Images Are a Security Liability.

A stock Ubuntu AMI from AWS Marketplace has hundreds of misconfigurations out of the box — unnecessary services running, weak SSH defaults, no audit logging, no file integrity monitoring. Every instance you launch from an unhardened image is a race against attackers to patch it before it's exploited. We end that race before it starts.

CIS Benchmarked
Every image is hardened to CIS Level 1 and Level 2 standards — the same benchmark used by compliance frameworks including SOC 2, PCI-DSS, and HIPAA.
EC2 Image Builder
AWS AMIs are built using EC2 Image Builder pipelines — fully automated, version-controlled, and distributed across four regions simultaneously.
Ansible-Hardened
Hardening is applied via Ansible roles at build time — SSH lockdown, audit daemon, sysctl tuning, rkhunter, fail2ban, and full CIS profile application.
Monthly Maintenance
Every image is rebuilt monthly with the latest OS patches and CIS re-validation. You never run a stale baseline.
Version History
Full image version history retained. Roll back to any previous build in minutes. Every version ships with a signed manifest and change log.
Compliance-Ready Docs
CIS benchmark compliance report delivered with every image. Hand it directly to your auditor, cyber insurer, or compliance team — no extra work required.
AWS Marketplace

Available on AWS Marketplace. Subscribe and Launch.

Powell Technology Group AMIs are listed directly on AWS Marketplace. Subscribe once, launch across your account in any supported region — no setup call required for standard images. All AMIs are distributed across us-east-1, us-west-2, eu-west-1, and ap-southeast-1.

Available on AWS Marketplace
Hardened Base Image
AI / LLM Workbench
$49 / month — AWS Marketplace
CIS Level 2 hardened Ubuntu 24.04 preconfigured for LLM and AI workloads. CUDA-ready, hardened SSH, audit daemon, and full CIS compliance report included.
Compliance-Ready Base
HIPAA-Ready Base AMI
$299 / month — AWS Marketplace
CIS Level 2 hardened Ubuntu 24.04 with HIPAA-aligned controls, audit logging, fail2ban, rkhunter, and documented control mapping for compliance teams.
Agentic Workload
Agentic AI Server
$79 / month — AWS Marketplace
Hardened base image preconfigured for autonomous agent workloads. Isolated execution environment, network controls, and full CIS Level 2 hardening applied.
Application Stack
Hardened WordPress AMI
$29 / month — AWS Marketplace
WordPress on a CIS Level 2 hardened Ubuntu base. Security headers, PHP hardening, fail2ban, and audit logging preconfigured. Launch a secure WordPress site in minutes.
SIEM Stack
SMB SIEM Stack (Wazuh)
$149 / month — AWS Marketplace
Wazuh SIEM with OpenSearch on a CIS Level 2 hardened base. Pre-configured for ingestion, alerting, and compliance reporting. Deploy enterprise-grade SIEM in one launch.
Find Us on AWS Marketplace
Search "Powell Technology Group" in AWS Marketplace to browse and subscribe to all available AMIs. Marketplace pricing is billed directly through your AWS account. Contact us for private offers, custom images, or enterprise volume arrangements.
On-Premises Delivery

Not Running AWS? We Deliver Directly.

The same Ansible CIS hardening that powers our AWS AMIs is applied to images built with Packer for VMware, Hyper-V, KVM, and bare metal. One hardening standard deployed across every platform you run. Images are delivered via secure S3 presigned URLs.

On-Premises
VMware
Delivered as .ova — ready to import into vSphere, vCenter, or ESXi. Supports vApp and template cloning workflows.
On-Premises
Hyper-V
Delivered as .vhdx — compatible with Windows Server Hyper-V 2019 and 2022. Supports Generation 2 VMs.
On-Premises
KVM / QEMU
Delivered as .qcow2 — works with libvirt, Proxmox, and OpenStack. Thin-provisioned by default.
Physical
Bare Metal
Kickstart and cloud-init preseed files for unattended PXE or ISO installation on physical servers. Tested on Dell PowerEdge and HPE ProLiant.

Supported Operating Systems

Ubuntu Server 24.04 LTS: CIS L1 & L2
Ubuntu Server 22.04 LTS: CIS L1 & L2
RHEL 8 / 9: CIS L1 & L2
AlmaLinux: CIS L1 & L2
Windows Server 2019: CIS L1 & L2
Windows Server 2022: CIS L1 & L2
Custom OS / Distro: Quote required
Direct Delivery Pricing

Custom Images. Flat-Rate. No Per-Instance Surprises.

For non-AWS environments and custom image builds, you pay once to build and once per month to maintain — not per instance launched. Spin up one server or one hundred from the same hardened image.

Single Bare Metal Image
$599 one-time
+ $199/mo maintenance
One hardened OS image for physical or virtual bare metal deployment. Kickstart / preseed included.
  • 1 OS image (your choice of supported OS)
  • CIS Level 1 & Level 2 hardening
  • Ansible hardening playbooks included
  • Kickstart / cloud-init preseed file
  • CIS compliance report at delivery
  • Monthly rebuild + patch integration
  • Version history retained
Golden Image Library
$2,499 one-time
+ $499/mo maintenance
Up to 5 hardened images across any platform mix — the complete foundation for multi-environment organizations.
  • Up to 5 images — any platform mix
  • CIS Level 1 & Level 2 on all images
  • Custom app stacks per image
  • On-prem formats (.ova, .vhdx, .qcow2)
  • Monthly rebuild for all images
  • On-demand rebuild SLA
  • Full version history — all images
  • Dedicated change log per rebuild
Full Comparison

All Direct Delivery Options Side by Side

Feature | Bare Metal ($599 + $199/mo) | Custom OS Image ($999 + $299/mo) | Golden Image Library ($2,499 + $499/mo)
Number of Images | 1 | 1 | Up to 5
CIS Level 1 Hardening
CIS Level 2 Hardening
Ansible Hardening Playbooks
CIS Compliance Report
Monthly Rebuild + Patch Integration
Version History
Signed Manifest
Custom App Stack Baked In
VMware .ova
Hyper-V .vhdx
KVM .qcow2
On-Demand Rebuild SLA
Change Log Per Rebuild
Platform Mix (any combo)
Process

How It Works

01. Scoping Call
We walk through your environment — hypervisors, OS requirements, and any application stacks that need to be baked in. Takes about 30 minutes.
02. Build & Harden
We build the image using EC2 Image Builder (for AWS) or Packer (for on-prem), apply Ansible CIS hardening roles, and validate against Level 1 and Level 2 controls.
03. Delivery
AWS AMIs are distributed directly to your account. On-prem images are delivered via secure S3 presigned URL — alongside the CIS compliance report and signed manifest.
04. Monthly Maintenance
Every image is rebuilt on the first business day of each month with the latest OS patches, CIS re-validation, and a fresh compliance report. Delivered automatically.
Get Started

Ready to start from a secure baseline?

Book a free 30-minute scoping call. We'll walk through your platforms, OS requirements, and any custom stacks — and give you a fixed quote before any work begins.
