From 2462b0b0155a5cf5382b1780e8a8cd40d1206a95 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh <pahudnet@gmail.com>
Date: Mon, 10 Jul 2023 11:44:40 -0400
Subject: [PATCH] feat(ec2): support using ssm parameter to resolve AMI ID at
 instance launch time (#26273)

Launch Template and EC2 instance support using SSM parameter to resolve the AMI ID at instance launch time(`resolve:ssm:parameter`) rather than the CFN deploy time(`CfnDynamicReference`). This PR introduces a new support for that.

- [Using SSM Parameter with Autoscaling and Launch Template](https://docs.aws.amazon.com/autoscaling/ec2/userguide/using-systems-manager-parameters.html)
- [Launch an instance using a Systems Manager parameter](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html#using-systems-manager-parameter-to-find-AMI)

Remove `latestAmazonLinux2022()` from the integ test as it does not return any valid al2022 images anymore as described in https://github.com/aws/aws-cdk/issues/26274

Closes https://github.com/aws/aws-cdk/issues/24551

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../integ.machine-image.js.snapshot/cdk.out   |   2 +-
 .../integ-ec2-machine-image-test.assets.json  |   6 +-
 ...integ-ec2-machine-image-test.template.json | 145 +++--
 .../integ.json                                |   2 +-
 ...efaultTestDeployAssert24D5C536.assets.json |   2 +-
 .../manifest.json                             |  62 +-
 .../integ.machine-image.js.snapshot/tree.json | 544 +++++++++++-------
 .../test/aws-ec2/test/integ.machine-image.ts  |  32 +-
 packages/aws-cdk-lib/aws-ec2/README.md        |   8 +
 .../lib/machine-image/machine-image.ts        |  60 +-
 .../aws-ec2/test/machine-image.test.ts        |  28 +
 11 files changed, 604 insertions(+), 287 deletions(-)

diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/cdk.out
index 7925065efbcc4..f0b901e7c06e5 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/cdk.out
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"31.0.0"}
\ No newline at end of file
+{"version":"32.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.assets.json
index 8381633003d10..8970273b9f75a 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.assets.json
@@ -1,7 +1,7 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "files": {
-    "09b19c98d056dc3ddd9d9852de04232c8c27cdfbb4aa83797c6f9e1e118068d5": {
+    "fa6690179ed0aff2d045f19741af965ccdb151c74c58ea99393b00c3d47ceed9": {
       "source": {
         "path": "integ-ec2-machine-image-test.template.json",
         "packaging": "file"
@@ -9,7 +9,7 @@
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "09b19c98d056dc3ddd9d9852de04232c8c27cdfbb4aa83797c6f9e1e118068d5.json",
+          "objectKey": "fa6690179ed0aff2d045f19741af965ccdb151c74c58ea99393b00c3d47ceed9.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.template.json
index 0a742ab93e8b0..aa53f951e2f90 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ-ec2-machine-image-test.template.json
@@ -617,10 +617,10 @@
     "amzn2InstanceRole3F1DBBD2"
    ]
   },
-  "al2022InstanceSecurityGroupD2B46A06": {
+  "al2023InstanceSecurityGroupB018A9BC": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
-    "GroupDescription": "integ-ec2-machine-image-test/al2022/InstanceSecurityGroup",
+    "GroupDescription": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
     "SecurityGroupEgress": [
      {
       "CidrIp": "0.0.0.0/0",
@@ -631,7 +631,7 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2022"
+      "Value": "integ-ec2-machine-image-test/al2023"
      }
     ],
     "VpcId": {
@@ -639,7 +639,7 @@
     }
    }
   },
-  "al2022InstanceRole6711C818": {
+  "al2023InstanceRoleECC2D6DD": {
    "Type": "AWS::IAM::Role",
    "Properties": {
     "AssumeRolePolicyDocument": {
@@ -657,36 +657,36 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2022"
+      "Value": "integ-ec2-machine-image-test/al2023"
      }
     ]
    }
   },
-  "al2022InstanceProfileAA7ED3DD": {
+  "al2023InstanceProfileAB8077E0": {
    "Type": "AWS::IAM::InstanceProfile",
    "Properties": {
     "Roles": [
      {
-      "Ref": "al2022InstanceRole6711C818"
+      "Ref": "al2023InstanceRoleECC2D6DD"
      }
     ]
    }
   },
-  "al20225AC492C0": {
+  "al20231AC01FE4": {
    "Type": "AWS::EC2::Instance",
    "Properties": {
     "AvailabilityZone": "test-region-1a",
     "IamInstanceProfile": {
-     "Ref": "al2022InstanceProfileAA7ED3DD"
+     "Ref": "al2023InstanceProfileAB8077E0"
     },
     "ImageId": {
-     "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2022amikernel515x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+     "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
     },
     "InstanceType": "t3.nano",
     "SecurityGroupIds": [
      {
       "Fn::GetAtt": [
-       "al2022InstanceSecurityGroupD2B46A06",
+       "al2023InstanceSecurityGroupB018A9BC",
        "GroupId"
       ]
      }
@@ -697,7 +697,7 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2022"
+      "Value": "integ-ec2-machine-image-test/al2023"
      }
     ],
     "UserData": {
@@ -705,13 +705,22 @@
     }
    },
    "DependsOn": [
-    "al2022InstanceRole6711C818"
+    "al2023InstanceRoleECC2D6DD"
    ]
   },
-  "al2023InstanceSecurityGroupB018A9BC": {
+  "AmiParameter": {
+   "Type": "AWS::SSM::Parameter",
+   "Properties": {
+    "Type": "String",
+    "Value": "ami-06ca3ca175f37dd66",
+    "DataType": "aws:ec2:image",
+    "Name": "myAmi"
+   }
+  },
+  "ssmresolveinstanceInstanceSecurityGroupEACCDB27": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
-    "GroupDescription": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
+    "GroupDescription": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceSecurityGroup",
     "SecurityGroupEgress": [
      {
       "CidrIp": "0.0.0.0/0",
@@ -722,7 +731,7 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2023"
+      "Value": "integ-ec2-machine-image-test/ssm-resolve-instance"
      }
     ],
     "VpcId": {
@@ -730,7 +739,7 @@
     }
    }
   },
-  "al2023InstanceRoleECC2D6DD": {
+  "ssmresolveinstanceInstanceRoleCC771AEF": {
    "Type": "AWS::IAM::Role",
    "Properties": {
     "AssumeRolePolicyDocument": {
@@ -748,36 +757,34 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2023"
+      "Value": "integ-ec2-machine-image-test/ssm-resolve-instance"
      }
     ]
    }
   },
-  "al2023InstanceProfileAB8077E0": {
+  "ssmresolveinstanceInstanceProfileAD70EB72": {
    "Type": "AWS::IAM::InstanceProfile",
    "Properties": {
     "Roles": [
      {
-      "Ref": "al2023InstanceRoleECC2D6DD"
+      "Ref": "ssmresolveinstanceInstanceRoleCC771AEF"
      }
     ]
    }
   },
-  "al20231AC01FE4": {
+  "ssmresolveinstanceDC2C8573": {
    "Type": "AWS::EC2::Instance",
    "Properties": {
     "AvailabilityZone": "test-region-1a",
     "IamInstanceProfile": {
-     "Ref": "al2023InstanceProfileAB8077E0"
-    },
-    "ImageId": {
-     "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+     "Ref": "ssmresolveinstanceInstanceProfileAD70EB72"
     },
+    "ImageId": "resolve:ssm:myAmi",
     "InstanceType": "t3.nano",
     "SecurityGroupIds": [
      {
       "Fn::GetAtt": [
-       "al2023InstanceSecurityGroupB018A9BC",
+       "ssmresolveinstanceInstanceSecurityGroupEACCDB27",
        "GroupId"
       ]
      }
@@ -788,7 +795,7 @@
     "Tags": [
      {
       "Key": "Name",
-      "Value": "integ-ec2-machine-image-test/al2023"
+      "Value": "integ-ec2-machine-image-test/ssm-resolve-instance"
      }
     ],
     "UserData": {
@@ -796,8 +803,86 @@
     }
    },
    "DependsOn": [
-    "al2023InstanceRoleECC2D6DD"
+    "ssmresolveinstanceInstanceRoleCC771AEF"
    ]
+  },
+  "LTC4631592": {
+   "Type": "AWS::EC2::LaunchTemplate",
+   "Properties": {
+    "LaunchTemplateData": {
+     "ImageId": "resolve:ssm:myAmi",
+     "InstanceType": "t3.nano",
+     "TagSpecifications": [
+      {
+       "ResourceType": "instance",
+       "Tags": [
+        {
+         "Key": "Name",
+         "Value": "integ-ec2-machine-image-test/LT"
+        }
+       ]
+      },
+      {
+       "ResourceType": "volume",
+       "Tags": [
+        {
+         "Key": "Name",
+         "Value": "integ-ec2-machine-image-test/LT"
+        }
+       ]
+      }
+     ],
+     "UserData": {
+      "Fn::Base64": "#!/bin/bash"
+     }
+    },
+    "TagSpecifications": [
+     {
+      "ResourceType": "launch-template",
+      "Tags": [
+       {
+        "Key": "Name",
+        "Value": "integ-ec2-machine-image-test/LT"
+       }
+      ]
+     }
+    ]
+   }
+  },
+  "ASG46ED3070": {
+   "Type": "AWS::AutoScaling::AutoScalingGroup",
+   "Properties": {
+    "MaxSize": "1",
+    "MinSize": "1",
+    "DesiredCapacity": "1",
+    "LaunchTemplate": {
+     "LaunchTemplateId": {
+      "Ref": "LTC4631592"
+     },
+     "Version": {
+      "Fn::GetAtt": [
+       "LTC4631592",
+       "LatestVersionNumber"
+      ]
+     }
+    },
+    "VPCZoneIdentifier": [
+     {
+      "Ref": "VpcPrivateSubnet1Subnet536B997A"
+     },
+     {
+      "Ref": "VpcPrivateSubnet2Subnet3788AAA1"
+     },
+     {
+      "Ref": "VpcPrivateSubnet3SubnetF258B56E"
+     }
+    ]
+   },
+   "UpdatePolicy": {
+    "AutoScalingScheduledAction": {
+     "IgnoreUnmodifiedGroupSizeProperties": true
+    }
+   }
   }
  },
  "Parameters": {
@@ -805,10 +890,6 @@
    "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
    "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-x86_64-gp2"
   },
-  "SsmParameterValueawsserviceamiamazonlinuxlatestal2022amikernel515x8664C96584B6F00A464EAD1953AFF4B05118Parameter": {
-   "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
-   "Default": "/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-5.15-x86_64"
-  },
   "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter": {
    "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
    "Default": "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64"
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ.json
index 63242ceb48d4e..643997436cc45 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integ.json
@@ -1,6 +1,6 @@
 {
   "enableLookups": true,
-  "version": "31.0.0",
+  "version": "32.0.0",
   "testCases": {
     "integ-test/DefaultTest": {
       "stacks": [
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json
index ecd9f6bd2a455..4b008a0cae838 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/manifest.json
index ce2fed289c1b9..11315c671f6a8 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "artifacts": {
     "integ-ec2-machine-image-test.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/09b19c98d056dc3ddd9d9852de04232c8c27cdfbb4aa83797c6f9e1e118068d5.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/fa6690179ed0aff2d045f19741af965ccdb151c74c58ea99393b00c3d47ceed9.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -261,64 +261,82 @@
             "data": "SsmParameterValueawsserviceamiamazonlinuxlatestamzn2amikernel510hvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter"
           }
         ],
-        "/integ-ec2-machine-image-test/al2022/InstanceSecurityGroup/Resource": [
+        "/integ-ec2-machine-image-test/al2023/InstanceSecurityGroup/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2022InstanceSecurityGroupD2B46A06"
+            "data": "al2023InstanceSecurityGroupB018A9BC"
           }
         ],
-        "/integ-ec2-machine-image-test/al2022/InstanceRole/Resource": [
+        "/integ-ec2-machine-image-test/al2023/InstanceRole/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2022InstanceRole6711C818"
+            "data": "al2023InstanceRoleECC2D6DD"
           }
         ],
-        "/integ-ec2-machine-image-test/al2022/InstanceProfile": [
+        "/integ-ec2-machine-image-test/al2023/InstanceProfile": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2022InstanceProfileAA7ED3DD"
+            "data": "al2023InstanceProfileAB8077E0"
           }
         ],
-        "/integ-ec2-machine-image-test/al2022/Resource": [
+        "/integ-ec2-machine-image-test/al2023/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al20225AC492C0"
+            "data": "al20231AC01FE4"
           }
         ],
-        "/integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": [
+        "/integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "SsmParameterValueawsserviceamiamazonlinuxlatestal2022amikernel515x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+            "data": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
           }
         ],
-        "/integ-ec2-machine-image-test/al2023/InstanceSecurityGroup/Resource": [
+        "/integ-ec2-machine-image-test/AmiParameter": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2023InstanceSecurityGroupB018A9BC"
+            "data": "AmiParameter"
           }
         ],
-        "/integ-ec2-machine-image-test/al2023/InstanceRole/Resource": [
+        "/integ-ec2-machine-image-test/ssm-resolve-instance/InstanceSecurityGroup/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2023InstanceRoleECC2D6DD"
+            "data": "ssmresolveinstanceInstanceSecurityGroupEACCDB27"
           }
         ],
-        "/integ-ec2-machine-image-test/al2023/InstanceProfile": [
+        "/integ-ec2-machine-image-test/ssm-resolve-instance/InstanceRole/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al2023InstanceProfileAB8077E0"
+            "data": "ssmresolveinstanceInstanceRoleCC771AEF"
           }
         ],
-        "/integ-ec2-machine-image-test/al2023/Resource": [
+        "/integ-ec2-machine-image-test/ssm-resolve-instance/InstanceProfile": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "al20231AC01FE4"
+            "data": "ssmresolveinstanceInstanceProfileAD70EB72"
           }
         ],
-        "/integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": [
+        "/integ-ec2-machine-image-test/ssm-resolve-instance/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+            "data": "ssmresolveinstanceDC2C8573"
+          }
+        ],
+        "/integ-ec2-machine-image-test/LT/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LTC4631592"
+          }
+        ],
+        "/integ-ec2-machine-image-test/ASG": [
+          {
+            "type": "aws:cdk:warning",
+            "data": "desiredCapacity has been configured. Be aware this will reset the size of your AutoScalingGroup on every deployment. See https://github.com/aws/aws-cdk/issues/5215"
+          }
+        ],
+        "/integ-ec2-machine-image-test/ASG/ASG": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "ASG46ED3070"
           }
         ],
         "/integ-ec2-machine-image-test/BootstrapVersion": [
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/tree.json
index de0c9ba0e7bc9..385f4d493dce9 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.js.snapshot/tree.json
@@ -31,8 +31,8 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnVPC",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PublicSubnet1": {
@@ -68,16 +68,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PublicSubnet1/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -98,8 +98,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -117,8 +117,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -137,8 +137,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "EIP": {
@@ -157,8 +157,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnEIP",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "NATGateway": {
@@ -185,14 +185,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PublicSubnet2": {
@@ -228,16 +228,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PublicSubnet2/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -258,8 +258,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -277,8 +277,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -297,8 +297,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "EIP": {
@@ -317,8 +317,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnEIP",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "NATGateway": {
@@ -345,14 +345,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PublicSubnet3": {
@@ -388,16 +388,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PublicSubnet3/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -418,8 +418,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -437,8 +437,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -457,8 +457,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "EIP": {
@@ -477,8 +477,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnEIP",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "NATGateway": {
@@ -505,14 +505,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PrivateSubnet1": {
@@ -548,16 +548,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PrivateSubnet1/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -578,8 +578,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -597,8 +597,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -617,14 +617,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PrivateSubnet2": {
@@ -660,16 +660,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PrivateSubnet2/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -690,8 +690,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -709,8 +709,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -729,14 +729,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "PrivateSubnet3": {
@@ -772,16 +772,16 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Acl": {
                     "id": "Acl",
                     "path": "integ-ec2-machine-image-test/Vpc/PrivateSubnet3/Acl",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTable": {
@@ -802,8 +802,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "RouteTableAssociation": {
@@ -821,8 +821,8 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "DefaultRoute": {
@@ -841,14 +841,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnRoute",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "IGW": {
@@ -866,8 +866,8 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "VPCGW": {
@@ -885,14 +885,14 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.aws_ec2.Vpc",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
           "amzn2": {
@@ -929,14 +929,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceRole": {
@@ -947,8 +947,8 @@
                     "id": "ImportInstanceRole",
                     "path": "integ-ec2-machine-image-test/amzn2/InstanceRole/ImportInstanceRole",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Resource": {
@@ -978,14 +978,14 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_iam.CfnRole",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.Role",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceProfile": {
@@ -1002,8 +1002,8 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "Resource": {
@@ -1043,47 +1043,47 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnInstance",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.aws_ec2.Instance",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
           "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": {
             "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
             "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnParameter",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
           "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118": {
             "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118",
             "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-kernel-5.10-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.Resource",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "al2022": {
-            "id": "al2022",
-            "path": "integ-ec2-machine-image-test/al2022",
+          "al2023": {
+            "id": "al2023",
+            "path": "integ-ec2-machine-image-test/al2023",
             "children": {
               "InstanceSecurityGroup": {
                 "id": "InstanceSecurityGroup",
-                "path": "integ-ec2-machine-image-test/al2022/InstanceSecurityGroup",
+                "path": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
                 "children": {
                   "Resource": {
                     "id": "Resource",
-                    "path": "integ-ec2-machine-image-test/al2022/InstanceSecurityGroup/Resource",
+                    "path": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup/Resource",
                     "attributes": {
                       "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup",
                       "aws:cdk:cloudformation:props": {
-                        "groupDescription": "integ-ec2-machine-image-test/al2022/InstanceSecurityGroup",
+                        "groupDescription": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
                         "securityGroupEgress": [
                           {
                             "cidrIp": "0.0.0.0/0",
@@ -1094,7 +1094,7 @@
                         "tags": [
                           {
                             "key": "Name",
-                            "value": "integ-ec2-machine-image-test/al2022"
+                            "value": "integ-ec2-machine-image-test/al2023"
                           }
                         ],
                         "vpcId": {
@@ -1103,31 +1103,31 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceRole": {
                 "id": "InstanceRole",
-                "path": "integ-ec2-machine-image-test/al2022/InstanceRole",
+                "path": "integ-ec2-machine-image-test/al2023/InstanceRole",
                 "children": {
                   "ImportInstanceRole": {
                     "id": "ImportInstanceRole",
-                    "path": "integ-ec2-machine-image-test/al2022/InstanceRole/ImportInstanceRole",
+                    "path": "integ-ec2-machine-image-test/al2023/InstanceRole/ImportInstanceRole",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Resource": {
                     "id": "Resource",
-                    "path": "integ-ec2-machine-image-test/al2022/InstanceRole/Resource",
+                    "path": "integ-ec2-machine-image-test/al2023/InstanceRole/Resource",
                     "attributes": {
                       "aws:cdk:cloudformation:type": "AWS::IAM::Role",
                       "aws:cdk:cloudformation:props": {
@@ -1146,58 +1146,58 @@
                         "tags": [
                           {
                             "key": "Name",
-                            "value": "integ-ec2-machine-image-test/al2022"
+                            "value": "integ-ec2-machine-image-test/al2023"
                           }
                         ]
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_iam.CfnRole",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.Role",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceProfile": {
                 "id": "InstanceProfile",
-                "path": "integ-ec2-machine-image-test/al2022/InstanceProfile",
+                "path": "integ-ec2-machine-image-test/al2023/InstanceProfile",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::IAM::InstanceProfile",
                   "aws:cdk:cloudformation:props": {
                     "roles": [
                       {
-                        "Ref": "al2022InstanceRole6711C818"
+                        "Ref": "al2023InstanceRoleECC2D6DD"
                       }
                     ]
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "Resource": {
                 "id": "Resource",
-                "path": "integ-ec2-machine-image-test/al2022/Resource",
+                "path": "integ-ec2-machine-image-test/al2023/Resource",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::EC2::Instance",
                   "aws:cdk:cloudformation:props": {
                     "availabilityZone": "test-region-1a",
                     "iamInstanceProfile": {
-                      "Ref": "al2022InstanceProfileAA7ED3DD"
+                      "Ref": "al2023InstanceProfileAB8077E0"
                     },
                     "imageId": {
-                      "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2022amikernel515x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+                      "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
                     },
                     "instanceType": "t3.nano",
                     "securityGroupIds": [
                       {
                         "Fn::GetAtt": [
-                          "al2022InstanceSecurityGroupD2B46A06",
+                          "al2023InstanceSecurityGroupB018A9BC",
                           "GroupId"
                         ]
                       }
@@ -1208,7 +1208,7 @@
                     "tags": [
                       {
                         "key": "Name",
-                        "value": "integ-ec2-machine-image-test/al2022"
+                        "value": "integ-ec2-machine-image-test/al2023"
                       }
                     ],
                     "userData": {
@@ -1217,47 +1217,64 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnInstance",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.aws_ec2.Instance",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": {
-            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
-            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
+          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": {
+            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
+            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnParameter",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118": {
-            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
-            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2022-ami-kernel-5.15-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
+          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118": {
+            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
+            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.Resource",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "al2023": {
-            "id": "al2023",
-            "path": "integ-ec2-machine-image-test/al2023",
+          "AmiParameter": {
+            "id": "AmiParameter",
+            "path": "integ-ec2-machine-image-test/AmiParameter",
+            "attributes": {
+              "aws:cdk:cloudformation:type": "AWS::SSM::Parameter",
+              "aws:cdk:cloudformation:props": {
+                "type": "String",
+                "value": "ami-06ca3ca175f37dd66",
+                "dataType": "aws:ec2:image",
+                "name": "myAmi"
+              }
+            },
+            "constructInfo": {
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
+            }
+          },
+          "ssm-resolve-instance": {
+            "id": "ssm-resolve-instance",
+            "path": "integ-ec2-machine-image-test/ssm-resolve-instance",
             "children": {
               "InstanceSecurityGroup": {
                 "id": "InstanceSecurityGroup",
-                "path": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
+                "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceSecurityGroup",
                 "children": {
                   "Resource": {
                     "id": "Resource",
-                    "path": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup/Resource",
+                    "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceSecurityGroup/Resource",
                     "attributes": {
                       "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup",
                       "aws:cdk:cloudformation:props": {
-                        "groupDescription": "integ-ec2-machine-image-test/al2023/InstanceSecurityGroup",
+                        "groupDescription": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceSecurityGroup",
                         "securityGroupEgress": [
                           {
                             "cidrIp": "0.0.0.0/0",
@@ -1268,7 +1285,7 @@
                         "tags": [
                           {
                             "key": "Name",
-                            "value": "integ-ec2-machine-image-test/al2023"
+                            "value": "integ-ec2-machine-image-test/ssm-resolve-instance"
                           }
                         ],
                         "vpcId": {
@@ -1277,31 +1294,31 @@
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceRole": {
                 "id": "InstanceRole",
-                "path": "integ-ec2-machine-image-test/al2023/InstanceRole",
+                "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceRole",
                 "children": {
                   "ImportInstanceRole": {
                     "id": "ImportInstanceRole",
-                    "path": "integ-ec2-machine-image-test/al2023/InstanceRole/ImportInstanceRole",
+                    "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceRole/ImportInstanceRole",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.Resource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "Resource": {
                     "id": "Resource",
-                    "path": "integ-ec2-machine-image-test/al2023/InstanceRole/Resource",
+                    "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceRole/Resource",
                     "attributes": {
                       "aws:cdk:cloudformation:type": "AWS::IAM::Role",
                       "aws:cdk:cloudformation:props": {
@@ -1320,58 +1337,56 @@
                         "tags": [
                           {
                             "key": "Name",
-                            "value": "integ-ec2-machine-image-test/al2023"
+                            "value": "integ-ec2-machine-image-test/ssm-resolve-instance"
                           }
                         ]
                       }
                     },
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.aws_iam.CfnRole",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.Role",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "InstanceProfile": {
                 "id": "InstanceProfile",
-                "path": "integ-ec2-machine-image-test/al2023/InstanceProfile",
+                "path": "integ-ec2-machine-image-test/ssm-resolve-instance/InstanceProfile",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::IAM::InstanceProfile",
                   "aws:cdk:cloudformation:props": {
                     "roles": [
                       {
-                        "Ref": "al2023InstanceRoleECC2D6DD"
+                        "Ref": "ssmresolveinstanceInstanceRoleCC771AEF"
                       }
                     ]
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               },
               "Resource": {
                 "id": "Resource",
-                "path": "integ-ec2-machine-image-test/al2023/Resource",
+                "path": "integ-ec2-machine-image-test/ssm-resolve-instance/Resource",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::EC2::Instance",
                   "aws:cdk:cloudformation:props": {
                     "availabilityZone": "test-region-1a",
                     "iamInstanceProfile": {
-                      "Ref": "al2023InstanceProfileAB8077E0"
-                    },
-                    "imageId": {
-                      "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
+                      "Ref": "ssmresolveinstanceInstanceProfileAD70EB72"
                     },
+                    "imageId": "resolve:ssm:myAmi",
                     "instanceType": "t3.nano",
                     "securityGroupIds": [
                       {
                         "Fn::GetAtt": [
-                          "al2023InstanceSecurityGroupB018A9BC",
+                          "ssmresolveinstanceInstanceSecurityGroupEACCDB27",
                           "GroupId"
                         ]
                       }
@@ -1382,7 +1397,7 @@
                     "tags": [
                       {
                         "key": "Name",
-                        "value": "integ-ec2-machine-image-test/al2023"
+                        "value": "integ-ec2-machine-image-test/ssm-resolve-instance"
                       }
                     ],
                     "userData": {
@@ -1391,52 +1406,145 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ec2.CfnInstance",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.aws_ec2.Instance",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": {
-            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
-            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter",
+          "LT": {
+            "id": "LT",
+            "path": "integ-ec2-machine-image-test/LT",
+            "children": {
+              "Resource": {
+                "id": "Resource",
+                "path": "integ-ec2-machine-image-test/LT/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::EC2::LaunchTemplate",
+                  "aws:cdk:cloudformation:props": {
+                    "launchTemplateData": {
+                      "imageId": "resolve:ssm:myAmi",
+                      "instanceType": "t3.nano",
+                      "tagSpecifications": [
+                        {
+                          "resourceType": "instance",
+                          "tags": [
+                            {
+                              "key": "Name",
+                              "value": "integ-ec2-machine-image-test/LT"
+                            }
+                          ]
+                        },
+                        {
+                          "resourceType": "volume",
+                          "tags": [
+                            {
+                              "key": "Name",
+                              "value": "integ-ec2-machine-image-test/LT"
+                            }
+                          ]
+                        }
+                      ],
+                      "userData": {
+                        "Fn::Base64": "#!/bin/bash"
+                      }
+                    },
+                    "tagSpecifications": [
+                      {
+                        "resourceType": "launch-template",
+                        "tags": [
+                          {
+                            "key": "Name",
+                            "value": "integ-ec2-machine-image-test/LT"
+                          }
+                        ]
+                      }
+                    ]
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
+                }
+              }
+            },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnParameter",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
-          "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118": {
-            "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
-            "path": "integ-ec2-machine-image-test/SsmParameterValue:--aws--service--ami-amazon-linux-latest--al2023-ami-kernel-6.1-x86_64:C96584B6-F00A-464E-AD19-53AFF4B05118",
+          "ASG": {
+            "id": "ASG",
+            "path": "integ-ec2-machine-image-test/ASG",
+            "children": {
+              "ASG": {
+                "id": "ASG",
+                "path": "integ-ec2-machine-image-test/ASG/ASG",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::AutoScaling::AutoScalingGroup",
+                  "aws:cdk:cloudformation:props": {
+                    "maxSize": "1",
+                    "minSize": "1",
+                    "desiredCapacity": "1",
+                    "launchTemplate": {
+                      "launchTemplateId": {
+                        "Ref": "LTC4631592"
+                      },
+                      "version": {
+                        "Fn::GetAtt": [
+                          "LTC4631592",
+                          "LatestVersionNumber"
+                        ]
+                      }
+                    },
+                    "vpcZoneIdentifier": [
+                      {
+                        "Ref": "VpcPrivateSubnet1Subnet536B997A"
+                      },
+                      {
+                        "Ref": "VpcPrivateSubnet2Subnet3788AAA1"
+                      },
+                      {
+                        "Ref": "VpcPrivateSubnet3SubnetF258B56E"
+                      }
+                    ]
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
+                }
+              }
+            },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.Resource",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
           "BootstrapVersion": {
             "id": "BootstrapVersion",
             "path": "integ-ec2-machine-image-test/BootstrapVersion",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnParameter",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           },
           "CheckBootstrapVersion": {
             "id": "CheckBootstrapVersion",
             "path": "integ-ec2-machine-image-test/CheckBootstrapVersion",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnRule",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.55"
             }
           }
         },
         "constructInfo": {
-          "fqn": "aws-cdk-lib.Stack",
-          "version": "0.0.0"
+          "fqn": "constructs.Construct",
+          "version": "10.2.55"
         }
       },
       "integ-test": {
@@ -1452,7 +1560,7 @@
                 "path": "integ-test/DefaultTest/Default",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.270"
+                  "version": "10.2.55"
                 }
               },
               "DeployAssert": {
@@ -1463,22 +1571,22 @@
                     "id": "BootstrapVersion",
                     "path": "integ-test/DefaultTest/DeployAssert/BootstrapVersion",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.CfnParameter",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   },
                   "CheckBootstrapVersion": {
                     "id": "CheckBootstrapVersion",
                     "path": "integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.CfnRule",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.55"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.Stack",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.55"
                 }
               }
             },
@@ -1498,13 +1606,13 @@
         "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.270"
+          "version": "10.2.55"
         }
       }
     },
     "constructInfo": {
-      "fqn": "aws-cdk-lib.App",
-      "version": "0.0.0"
+      "fqn": "constructs.Construct",
+      "version": "10.2.55"
     }
   }
 }
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.ts
index 387584fd5d41a..790f623c5bf14 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.ts
@@ -4,6 +4,8 @@ import {
   StackProps,
   App,
   aws_ec2 as ec2,
+  aws_autoscaling as asg,
+  aws_ssm as ssm,
 } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
@@ -13,21 +15,37 @@ export class TestCase extends Stack {
     super(scope, id, props);
     this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
     const vpc = new ec2.Vpc(this, 'Vpc');
+
+    const instanceType = ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO);
+
     new ec2.Instance(this, 'amzn2', {
-      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
+      instanceType,
       machineImage: ec2.MachineImage.latestAmazonLinux2(),
       vpc,
     });
-    new ec2.Instance(this, 'al2022', {
-      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
-      machineImage: ec2.MachineImage.latestAmazonLinux2022(),
-      vpc,
-    });
+
     new ec2.Instance(this, 'al2023', {
-      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
+      instanceType,
       machineImage: ec2.MachineImage.latestAmazonLinux2023(),
       vpc,
     });
+
+    new ssm.CfnParameter(this, 'AmiParameter', {
+      name: 'myAmi',
+      type: 'String',
+      dataType: 'aws:ec2:image',
+      value: 'ami-06ca3ca175f37dd66',
+    });
+
+    const machineImage = ec2.MachineImage.resolveSsmParameterAtLaunch('myAmi');
+    new ec2.Instance(this, 'ssm-resolve-instance', { instanceType, machineImage, vpc });
+
+    const launchTemplate = new ec2.LaunchTemplate(this, 'LT', { instanceType, machineImage });
+    new asg.AutoScalingGroup(this, 'ASG', {
+      vpc,
+      launchTemplate,
+      desiredCapacity: 1,
+    });
   }
 }
 
diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
index fd489e9895d03..389bac824a51f 100644
--- a/packages/aws-cdk-lib/aws-ec2/README.md
+++ b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -1896,6 +1896,14 @@ const launchTemplate = new ec2.LaunchTemplate(stack, 'LaunchTemplate', {
 launchTemplate.addSecurityGroup(sg2);
 ```
 
+To use [AWS Systems Manager parameters instead of AMI IDs](https://docs.aws.amazon.com/autoscaling/ec2/userguide/using-systems-manager-parameters.html) in launch templates and resolve the AMI IDs at instance launch time:
+
+```ts
+const launchTemplate = new ec2.LaunchTemplate(stack, 'LaunchTemplate', {
+  machineImage: ec2.MachineImage.resolveSsmParameterAtLaunch('parameterName');
+});
+```
+
 ## Detailed Monitoring
 
 The following demonstrates how to enable [Detailed Monitoring](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html) for an EC2 instance. Keep in mind that Detailed Monitoring results in [additional charges](http://aws.amazon.com/cloudwatch/pricing/).
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/machine-image/machine-image.ts b/packages/aws-cdk-lib/aws-ec2/lib/machine-image/machine-image.ts
index 48c617f7e51df..c6eed786b066e 100644
--- a/packages/aws-cdk-lib/aws-ec2/lib/machine-image/machine-image.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/machine-image/machine-image.ts
@@ -156,6 +156,21 @@ export abstract class MachineImage {
     return new GenericSsmParameterImage(parameterName, options);
   }
 
+  /**
+   * An image specified in SSM parameter store that will be resolved at instance launch time.
+   *
+   * The AMI ID will be resolved at instance launch time.
+   *
+   * @param parameterName The name of SSM parameter containing the AMI ID
+   * @param options The parameter image options
+   *
+   * @see https://docs.aws.amazon.com/autoscaling/ec2/userguide/using-systems-manager-parameters.html
+   *
+   */
+  public static resolveSsmParameterAtLaunch(parameterName: string, options?: SsmParameterImageOptions): IMachineImage {
+    return new ResolveSsmParameterAtLaunchImage(parameterName, options);
+  }
+
   /**
    * Look up a shared Machine Image using DescribeImages
    *
@@ -176,7 +191,7 @@ export abstract class MachineImage {
 }
 
 /**
- * Select the image based on a given SSM parameter
+ * Select the image based on a given SSM parameter at deployment time of the CloudFormation Stack.
  *
  * This Machine Image automatically updates to the latest version on every
  * deployment. Be aware this will cause your instances to be replaced when a
@@ -212,6 +227,40 @@ export class GenericSSMParameterImage implements IMachineImage {
   }
 }
 
+/**
+ * Select the image based on a given SSM parameter at instance launch time.
+ *
+ * This Machine Image comes with an imageId as `resolve:ssm:parameter-name` or `resolve:ssm:parameter-name:version` format
+ * as described in the document:
+ *
+ * @see https://docs.aws.amazon.com/autoscaling/ec2/userguide/using-systems-manager-parameters.html
+ *
+ * The AMI ID would be selected at instance launch time.
+ */
+export class ResolveSsmParameterAtLaunchImage implements IMachineImage {
+  /**
+   * Name of the SSM parameter we're looking up
+   */
+  public readonly parameterName: string;
+
+  constructor(parameterName: string, private readonly props: SsmParameterImageOptions = {}) {
+    this.parameterName = parameterName;
+  }
+
+  /**
+   * Return the image to use in the given context
+   */
+  public getImage(_: Construct): MachineImageConfig {
+    const versionString = this.props.parameterVersion ? `:${this.props.parameterVersion}` : '';
+    const osType = this.props.os ?? OperatingSystemType.LINUX;
+    return {
+      imageId: `resolve:ssm:${this.parameterName}${versionString}`,
+      osType,
+      userData: this.props.userData ?? (osType === OperatingSystemType.WINDOWS ? UserData.forWindows() : UserData.forLinux()),
+    };
+  }
+}
+
 /**
  * Properties for GenericSsmParameterImage
  */
@@ -250,10 +299,17 @@ export interface SsmParameterImageOptions {
    * @default false
    */
   readonly cachedInContext?: boolean;
+
+  /**
+   * The version of the SSM parameter.
+   *
+   * @default no version specified.
+   */
+  readonly parameterVersion?: string;
 }
 
 /**
- * Select the image based on a given SSM parameter
+ * Select the image based on a given SSM parameter at deployment time of the CloudFormation Stack.
  *
  * This Machine Image automatically updates to the latest version on every
  * deployment. Be aware this will cause your instances to be replaced when a
diff --git a/packages/aws-cdk-lib/aws-ec2/test/machine-image.test.ts b/packages/aws-cdk-lib/aws-ec2/test/machine-image.test.ts
index 3375f1736f9be..c52129d095e49 100644
--- a/packages/aws-cdk-lib/aws-ec2/test/machine-image.test.ts
+++ b/packages/aws-cdk-lib/aws-ec2/test/machine-image.test.ts
@@ -96,6 +96,34 @@ test('can make and use a Generic SSM image', () => {
   expect(details.osType).toEqual(ec2.OperatingSystemType.LINUX);
 });
 
+test('can make and use a SSM resolve image', () => {
+  // WHEN
+  const image = new ec2.ResolveSsmParameterAtLaunchImage('testParam');
+
+  // THEN
+  const details = image.getImage(stack);
+  expect(details.imageId).toEqual('resolve:ssm:testParam');
+  expect(details.osType).toEqual(ec2.OperatingSystemType.LINUX);
+});
+
+test('can make and use a SSM resolve image with parameter version', () => {
+  // WHEN
+  const image = new ec2.ResolveSsmParameterAtLaunchImage('testParam', { parameterVersion: '2' });
+
+  // THEN
+  const details = image.getImage(stack);
+  expect(details.imageId).toEqual('resolve:ssm:testParam:2');
+});
+
+test('can make and use a SSM resolve image with resolveSsmParameterAtLaunch', () => {
+  // WHEN
+  const image = ec2.MachineImage.resolveSsmParameterAtLaunch('testParam', { parameterVersion: '2' });
+
+  // THEN
+  const details = image.getImage(stack);
+  expect(details.imageId).toEqual('resolve:ssm:testParam:2');
+});
+
 test('WindowsImage retains userdata if given', () => {
   // WHEN
   const ud = ec2.UserData.forWindows();