AMI Bake vs Launch-Time Configuration

Bake config into the AMI or apply at launch? The trade-offs and the patterns.

Bake

Faster boots. Configuration is in the image.

Requires CI to produce AMIs. Versioning is critical.

Launch-time

Slower boots; userdata configures.

Easier iteration. Same AMI; different config per ASG.

Hybrid

Bake the slow stuff (large packages, kernel modules). Configure at launch (env vars, secrets).

Balances speed and flexibility.