diff --git a/platform/src/components/aws/vpc.ts b/platform/src/components/aws/vpc.ts
index bea5d0b9e..3c2bbfd9c 100644
--- a/platform/src/components/aws/vpc.ts
+++ b/platform/src/components/aws/vpc.ts
@@ -225,9 +225,12 @@ export class Vpc extends Component implements Link.Linkable {
     this.cloudmapNamespace = cloudmapNamespace;
 
     function normalizeAz() {
-      const zones = getAvailabilityZonesOutput({
-        state: "available",
-      });
+      const zones = getAvailabilityZonesOutput(
+        {
+          state: "available",
+        },
+        { parent },
+      );
       return all([zones, args?.az ?? 2]).apply(([zones, az]) =>
         Array(az)
           .fill(0)
@@ -498,23 +501,29 @@ export class Vpc extends Component implements Link.Linkable {
         { role: role.name },
         { parent },
       );
+      const amiIds = ec2.getAmiIdsOutput(
+        {
+          owners: ["amazon"],
+          filters: [
+            {
+              name: "name",
+              // The AMI has the SSM agent pre-installed
+              values: ["al2023-ami-2023.5.20240916.0-kernel-6.1-x86_64"],
+            },
+          ],
+        },
+        { parent },
+      ).ids;
       return new ec2.Instance(
         ...transform(
           args?.transform?.bastionInstance,
           `${name}BastionInstance`,
           {
             instanceType: "t2.micro",
-            ami: "ami-0427090fd1714168b",
+            ami: amiIds.apply((ids) => ids[0]),
             subnetId: publicSubnets.apply((v) => v[0].id),
             vpcSecurityGroupIds: [sg.id],
             iamInstanceProfile: instanceProfile.name,
-            userData: [
-              `#!/bin/bash`,
-              `set -ex`,
-              `sudo yum install -y amazon-ssm-agent`,
-              `sudo systemctl enable amazon-ssm-agent`,
-              `sudo systemctl start amazon-ssm-agent`,
-            ].join("\n"),
             tags: {
               "sst:lookup-type": "bastion",
             },