The issue with using posted AMIs for this is the same as usual: they include god knows what else in addition to the installed and configured software (which is likely to also lag behind master / latest release quite a bit). Last few AMIs I tried for this included some random public keys as authorized users in a sudoer account! While they're likely benign (belonging to researchers that created these images), that'd be a nasty surprise to find in your data pipeline down the line.
This is a valid concern, which is one of the reasons we publish these AMIs through the AWS marketplace. Each of these AMIs had to go through the AWS security checker script as well as a manual review by the AWS marketplace team, please see the "Securing an AMI" section here.
Going through the AWS audit does take a few days to say the least and can be a hassle at times, but usually we are pretty close to the latest master / release.
