MGN and Golden AMIs


Hi Gurus

Customer has Golden AMIs (with the needed hardening already done) from which they are creating EC2 instances in their AWS accounts. Now, given a scenario where they have on-prem VMs and are planning to migrate those using MGN: in this case, MGN will automatically select the root (C:) device of the on-prem servers for MGN replication. I believe we cannot exclude the root device from replication. Is this correct? But as per the client process, EC2 instances are to be created from Golden AMIs. So how can MGN use the Golden AMI in this case? Or do we need to rehost using MGN first and then do the needed hardening as a next step? Please assist.

Cloudie
asked a month ago · 236 views
1 Answer

MGN simply makes a pure, full, binary copy of the whole source server and launches an EC2 instance from it. Aside from that, it doesn't make changes other than installing drivers and some utility programs needed for hosting the machine in EC2. In practice, if the operating system disk were replaced, whether manually or by MGN automatically, the result would almost invariably be a completely useless machine, because all the configuration files, libraries, application files, and other typically essential items would be completely missing from the resultant server.

This is nothing specific to MGN but would apply to any rehosting/lift-and-shift tool out there, such as VMware Converter or PlateSpin. It's just conceptually essential to retain everything on the server, and there's no straightforward way to "merge" a given golden AMI with an arbitrary setup on a source server.

Your latter option is therefore the only possibility: rehost/lift and shift the servers as they are, and harden them separately later.

Note that any hardening that is done afterwards can only go so far. For example, any actions that the configuration contained in a golden AMI might prevent from being taken by installation programs/scripts or rogue/uninformed administrators, whether intentionally or unwittingly, would not have been prevented on a random source server that might have existed for years. Only introducing those guardrails afterwards would do nothing to remedy the damage that was already done prior to the guardrails being introduced. The only way to deal with this in a simple and systematic manner is to create all servers from scratch, with the expected safeguards and guardrails already in place, install applications, middleware, and drivers only on top of that secure platform, and migrate the data and configurations from the old environment to the extent necessary and subject to a careful review to ensure compliance with the relevant security parameters of the standard environment.

EXPERT
Leo K
answered a month ago