
Use Approved AMIs for Web-Tier ASG Launch Configurations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

- Ensure that your web-tier Auto Scaling Group (ASG) launch configurations use approved (golden) Amazon Machine Images (AMIs) to launch EC2 instances within the ASG. An approved AMI is a base EC2 image that contains a pre-configured, patched OS and a well-defined stack of server software fully configured to run your web applications; any instance launched from another image falls outside that vetted baseline. A list of approved AMI IDs must be maintained by your organization. This conformity rule assumes that all AWS resources provisioned for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags and the IDs of the approved/golden AMIs maintained by your organization must be configured in the rule settings, on your Cloud Conformity account dashboard.

Reliability

Using golden Amazon Machine Images to create new EC2 instances within your web-tier Auto Scaling Groups provides security and organizational benefits such as fast application deployment and scaling, controlled application stack upgrades and versioning, and a known, patched baseline for every instance the ASG launches. Ensure that your web-tier ASG launch configuration template defines a golden AMI so that all EC2 instances launched within the ASG are consistent and follow best practices.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.


Audit

To determine if your web-tier ASGs are using launch configurations with approved AMIs, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Use Approved AMIs for Web-Tier ASG Launch Configurations conformity rule settings and identify the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <web_tier_tag> : <web_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected ASG is not a component of your web tier and the audit process ends here. If the tag sets match, the selected resource is a web-tier Auto Scaling Group and the audit process continues with the next step.

08 Select the Details tab from the dashboard bottom panel and copy the name of the associated launch configuration set as value for the Launch Configuration attribute.

09 In the navigation panel, within AUTO SCALING section, click Launch Configurations.

10 Paste the value copied at step no. 8 in the Filter launch configurations box and press Enter to return the launch configuration template used by the selected web-tier ASG.

11 Select the launch configuration returned as search result and check the value of the AMI ID attribute available on the Details panel. The value represents the ID of the Amazon Machine Image utilized by the selected launch configuration to provision EC2 instances within the current ASG.

12 Sign in to your Cloud Conformity account, access the conformity rule settings again and compare the ID found at the previous step against each approved AMI ID listed in the rule configuration section. If the verified ID does not match any of the approved AMI IDs listed on your Cloud Conformity console, the selected web-tier ASG launch configuration deploys EC2 instances without using a golden Amazon Machine Image approved in your organization.

13 Repeat steps no. 5 – 12 to check other web-tier ASG launch configurations, created in the selected region, for associated golden/approved AMIs.

14 Change the AWS region from the navigation bar and repeat steps no. 5 – 13 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Use Approved AMIs for Web-Tier ASG Launch Configurations conformity rule settings and identify the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested ASG name(s):

-----------------------------
| DescribeAutoScalingGroups |
+---------------------------+
| cc-web-auto-scaling-group |
+---------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group:

aws autoscaling describe-tags \
	--region us-east-1 \
	--filters "Name=auto-scaling-group,Values=cc-web-auto-scaling-group" \
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different from the one identified at step no. 1, as shown in the example below, the verified AWS Auto Scaling Group does not belong to your web tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "Web Team",
            "Key": "Owner"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS ASG is tagged as a web-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<web_tier_tag>",
            "Value": "<web_tier_tag_value>"
        }
    ]
    

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the name of the launch configuration associated with the selected web-tier ASG:

aws autoscaling describe-auto-scaling-groups \
	--auto-scaling-group-names cc-web-auto-scaling-group \
	--region us-east-1 \
	--query 'AutoScalingGroups[*].LaunchConfigurationName'

07 The command output should return the name of the associated launch configuration. If the output is [ null ] instead, the ASG was created from a launch template (or a mixed instances policy) rather than a launch configuration; in that case resolve the AMI ID from the launch template version in use (ec2 describe-launch-template-versions) before continuing at step no. 10:

[
    "cc-web-asg-launch-configuration"
]

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step as identifier and custom query filters to get the ID of the Amazon Machine Image used by the selected launch configuration to launch EC2 instances within your web-tier ASG:

aws autoscaling describe-launch-configurations \
	--region us-east-1 \
	--launch-configuration-names cc-web-asg-launch-configuration \
	--query "LaunchConfigurations[*].ImageId"

09 The command output should return the requested AMI ID:

[
    "ami-1234abcd"
]

10 Sign in to your Cloud Conformity account, access Use Approved AMIs for Web-Tier ASG Launch Configurations conformity rule settings and compare the ID returned by the command output at the previous step against each approved AMI ID listed in the rule configuration settings. If the verified ID does not match any of the approved AMI IDs listed on your Cloud Conformity console, the selected web-tier ASG launch configuration launches EC2 instances without using a golden/approved Amazon Machine Image.

11 Repeat steps no. 4 – 10 to check other web-tier ASG launch configurations, available in the selected region, for associated golden AMIs.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 11 to perform the entire audit process for other regions.
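The console and CLI audit procedures above both reduce to the same check: for every ASG carrying the web-tier tag, look up the AMI of its launch configuration and compare it with the approved list. The script below folds those steps into one run. It is an added example, not part of the Conformity rule content; the tag pair tier:web, the AMI IDs, the ASG and launch configuration names and the approved list are constructed placeholders, and the data is shaped like the JSON that describe-auto-scaling-groups and describe-launch-configurations return. It also covers the case the rule's query does not: an ASG built from a launch template has no LaunchConfigurationName and is reported for manual follow-up instead of being silently passed.

```python
"""Audit web-tier Auto Scaling Groups for unapproved launch-configuration AMIs.

Added example (not part of the Conformity rule content). Reads the JSON that
`aws autoscaling describe-auto-scaling-groups --output json` and
`aws autoscaling describe-launch-configurations --output json` produce, or
fetches the same data with boto3 when run with `--live REGION`.
"""
import json
import sys

# Constructed sample data in the shape of the two CLI outputs above.
# Tag key/value, names and AMI IDs are placeholders, not real resources.
SAMPLE_ASGS = [
    {"AutoScalingGroupName": "cc-web-auto-scaling-group",
     "LaunchConfigurationName": "cc-web-asg-launch-configuration",
     "Tags": [{"Key": "tier", "Value": "web"}]},
    {"AutoScalingGroupName": "cc-web-golden-asg",
     "LaunchConfigurationName": "cc-web-golden-lc",
     "Tags": [{"Key": "tier", "Value": "web"}]},
    {"AutoScalingGroupName": "cc-db-asg",            # other tier: out of scope
     "LaunchConfigurationName": "cc-db-lc",
     "Tags": [{"Key": "tier", "Value": "db"}]},
    {"AutoScalingGroupName": "cc-web-template-asg",  # launch template, no launch configuration
     "LaunchTemplate": {"LaunchTemplateName": "cc-web-lt", "Version": "$Latest"},
     "Tags": [{"Key": "tier", "Value": "web"}]},
    {"AutoScalingGroupName": "cc-untagged-asg",
     "LaunchConfigurationName": "cc-db-lc", "Tags": []},
]
SAMPLE_LCS = [
    {"LaunchConfigurationName": "cc-web-asg-launch-configuration", "ImageId": "ami-1234abcd"},
    {"LaunchConfigurationName": "cc-web-golden-lc", "ImageId": "ami-abcd1234"},
    {"LaunchConfigurationName": "cc-db-lc", "ImageId": "ami-0000ffff"},
]
APPROVED_AMIS = {"ami-abcd1234"}  # the golden AMI list kept in the rule settings


def is_web_tier(asg, tag_key, tag_value):
    """True when the ASG carries the <web_tier_tag>:<web_tier_tag_value> pair."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in asg.get("Tags", []))


def audit(asgs, launch_configs, tag_key, tag_value, approved):
    """Return {asg_name: (status, detail)} for every web-tier ASG.

    PASS     launch configuration uses an approved AMI
    FAIL     launch configuration uses an AMI outside the approved list
    MANUAL   ASG uses a launch template / mixed instances policy, which the
             launch-configuration query in the rule does not cover
    UNKNOWN  launch configuration name not present in the describe output
    """
    image_by_lc = {lc["LaunchConfigurationName"]: lc.get("ImageId") for lc in launch_configs}
    findings = {}
    for asg in asgs:
        name = asg["AutoScalingGroupName"]
        if not is_web_tier(asg, tag_key, tag_value):
            continue  # not a web-tier resource: out of scope for this rule
        lc_name = asg.get("LaunchConfigurationName")
        if not lc_name:
            findings[name] = ("MANUAL", "uses a launch template; resolve its AMI with "
                                        "ec2 describe-launch-template-versions")
            continue
        image = image_by_lc.get(lc_name)
        if image is None:
            findings[name] = ("UNKNOWN", "launch configuration %s not found" % lc_name)
        elif image in approved:
            findings[name] = ("PASS", "%s uses approved AMI %s" % (lc_name, image))
        else:
            findings[name] = ("FAIL", "%s uses unapproved AMI %s" % (lc_name, image))
    return findings


def fetch_live(region):
    """Pull both listings for one region with boto3 (network and credentials required)."""
    import boto3  # imported lazily so the offline sample run needs no boto3
    client = boto3.client("autoscaling", region_name=region)
    asgs, lcs = [], []
    for page in client.get_paginator("describe_auto_scaling_groups").paginate():
        asgs.extend(page["AutoScalingGroups"])
    for page in client.get_paginator("describe_launch_configurations").paginate():
        lcs.extend(page["LaunchConfigurations"])
    return asgs, lcs


def load_json_file(path, key):
    """Accept either the raw CLI wrapper object or a bare list."""
    with open(path) as fh:
        data = json.load(fh)
    return data[key] if isinstance(data, dict) else data


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--live":
        asgs, lcs = fetch_live(sys.argv[2])
    elif len(sys.argv) == 3:  # audit_asg_amis.py asgs.json lcs.json
        asgs = load_json_file(sys.argv[1], "AutoScalingGroups")
        lcs = load_json_file(sys.argv[2], "LaunchConfigurations")
    else:
        asgs, lcs = SAMPLE_ASGS, SAMPLE_LCS
    for asg_name, (status, detail) in sorted(audit(asgs, lcs, "tier", "web", APPROVED_AMIS).items()):
        print("%-7s %-28s %s" % (status, asg_name, detail))
```

Run without arguments it reports FAIL for cc-web-auto-scaling-group (ami-1234abcd is not on the list), PASS for cc-web-golden-asg and MANUAL for cc-web-template-asg; the db-tier and untagged groups are skipped. Run it once per region (loop over the output of aws ec2 describe-regions) to cover step no. 12 of the CLI procedure.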

Remediation / Resolution

To launch EC2 instances within your web-tier ASG from golden/approved Amazon Machine Images, you must re-create the web-tier ASG launch configuration template with a reference to a well-defined AMI maintained and approved by your organization. If there are no golden AMIs already available within your AWS account, follow the instructions outlined in this conformity rule to create the necessary AMIs. To set up a new ASG launch configuration, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under AUTO SCALING, click Launch Configurations.

04 Select the web-tier ASG launch configuration that you want to re-create (see Audit section part I to identify the right launch configuration template).

05 Click the Actions dropdown button from the dashboard top menu and select Copy launch configuration option.

06 On Copy Launch Configuration from <LAUNCH_CONFIGURATION_NAME> page, within Launch configuration details section, click Edit AMI and perform the following actions:

  1. In the left navigation panel, choose My AMIs and select the golden/approved Amazon Machine Image that you want to associate with the selected web-tier ASG launch configuration.
  2. Inside You selected a different AMI dialog box, choose Yes, I want to continue with this AMI (<AMI_NAME> - <AMI_ID>) option and click Next.
  3. Go through the launch configuration setup wizard until you reach the Review panel without changing any configuration settings.
  4. On the Review panel, check the configuration details then click Create launch configuration.
  5. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source launch configuration. Click Create launch configuration to make a copy of the specified web-tier ASG launch configuration. Click Close to return to the EC2 dashboard.

07 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

08 Select the web-tier ASG that you want to reconfigure (see Audit section part I to identify the right resource).

09 Select the Details tab from the dashboard bottom panel and click Edit to change the ASG configuration.

10 Select the name of the launch configuration (copy) created at step no. 6 from the Launch configuration dropdown list, then click Save to apply the changes. The selected web-tier Auto Scaling Group is now associated with a launch configuration that utilizes a golden/approved AMI to launch EC2 instances.

11 Repeat steps no. 4 – 10 to re-create other web-tier ASG launch configurations, available in the selected region, and configure them to use approved AMIs to launch EC2 instances.

12 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the web-tier ASG launch configuration that you want to re-create as identifier (see Audit section part II to identify the right resource) to describe its configuration details; these details are needed later, when the new launch configuration is created:

aws autoscaling describe-launch-configurations \
	--region us-east-1 \
	--launch-configuration-names cc-web-asg-launch-configuration

02 The command output should return the requested details:

{
    "LaunchConfigurations": [
        {
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "VolumeSize": 80,
                        "VolumeType": "gp2"
                    }
                }
            ],

	      ...

            "SecurityGroups": [
                "sg-1234abcd"
            ],
            "LaunchConfigurationName": "cc-web-asg-launch-configuration",
            "KernelId": "",
            "RamdiskId": "",
            "ImageId": "ami-1234abcd",
            "InstanceType": "c4.xlarge"
        }
    ]
}

03 Run create-launch-configuration command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to create a new launch configuration that will replace the one currently associated with your web-tier Auto Scaling Group. Carry over every setting returned by describe-launch-configurations (instance type, key pair, security groups, IAM instance profile, block device mappings and any user data) so that the replacement instances differ from the current ones only in their AMI. The following command example creates an ASG launch configuration named "cc-web-asg-launch-config" that utilizes a golden/approved AWS AMI identified by the ID "ami-abcd1234" (the command does not produce an output):

aws autoscaling create-launch-configuration \
	--region us-east-1 \
	--launch-configuration-name cc-web-asg-launch-config \
	--image-id ami-abcd1234 \
	--instance-type c4.xlarge \
	--key-name cc-ssh-private-key \
	--security-groups sg-1234abcd \
	--iam-instance-profile cc-iam-instance-profile \
	--block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"VolumeSize":80,"VolumeType":"gp2"}}]'

04 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for your web-tier Auto Scaling Group (see Audit section part II to identify the right ASG), in order to replace the reference to its launch configuration with the new one created at the previous step (the command does not return an output). Note that the update only affects instances launched from now on: instances already running keep the old AMI until they are terminated and replaced by the ASG, so rotate them once the new launch configuration is in place:

aws autoscaling update-auto-scaling-group \
	--region us-east-1 \
	--auto-scaling-group-name cc-web-auto-scaling-group \
	--launch-configuration-name cc-web-asg-launch-config

05 Repeat steps no. 1 – 4 to re-create other web-tier ASG launch configurations, available in the selected region, and configure them to use golden AMIs to launch EC2 instances.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the process for other regions.
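Building the create-launch-configuration call by hand from the describe output is where settings get lost: forget the IAM instance profile or the user data and the instances launched from the golden AMI no longer behave like the ones they replace. The script below, an added example that is not part of the Conformity rule content, takes one entry from describe-launch-configurations output, drops only the read-only metadata and empty values, swaps in the approved AMI and the new name, and emits the parameter set. The sample launch configuration, its ARN, key pair, security group, instance profile and user data are constructed placeholders. It targets boto3's create_launch_configuration (the AWS CLI accepts the same JSON via --cli-input-json); both base64-encode the UserData parameter themselves, which is why the base64 value returned by the API is decoded first.

```python
"""Re-create a web-tier launch configuration with an approved AMI.

Added example (not part of the Conformity rule content): every setting of the
source launch configuration is carried over; only the name and ImageId change.
"""
import base64
import json
import sys

# Returned by describe-launch-configurations but not accepted by create-launch-configuration.
READ_ONLY_FIELDS = {"LaunchConfigurationARN", "CreatedTime"}

# Constructed sample in the shape of one `aws autoscaling describe-launch-configurations`
# entry; every identifier is a placeholder.
SAMPLE_OLD_LC = {
    "LaunchConfigurationName": "cc-web-asg-launch-configuration",
    "LaunchConfigurationARN": "arn:aws:autoscaling:us-east-1:123456789012:"
                              "launchConfiguration:00000000-0000-0000-0000-000000000000:"
                              "launchConfigurationName/cc-web-asg-launch-configuration",
    "ImageId": "ami-1234abcd",
    "KeyName": "cc-ssh-private-key",
    "SecurityGroups": ["sg-1234abcd"],
    "ClassicLinkVPCSecurityGroups": [],
    "UserData": base64.b64encode(b"#!/bin/bash\nsystemctl start nginx\n").decode(),
    "InstanceType": "c4.xlarge",
    "KernelId": "",
    "RamdiskId": "",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"VolumeSize": 80, "VolumeType": "gp2"}}],
    "InstanceMonitoring": {"Enabled": True},
    "IamInstanceProfile": "cc-iam-instance-profile",
    "CreatedTime": "2018-04-21T10:00:00Z",
    "EbsOptimized": False,
}


def clone_launch_config_params(old_lc, new_name, approved_ami):
    """Build CreateLaunchConfiguration parameters from one describe entry.

    Dropping a field here (user data, instance profile, security groups) would
    silently change what the replacement instances run, so everything except
    read-only metadata and empty values is copied verbatim.
    """
    params = {}
    for key, value in old_lc.items():
        if key in READ_ONLY_FIELDS:
            continue
        if value == "" or value == [] or value is None:
            continue  # e.g. "KernelId": "" is rejected by the API
        params[key] = value
    params["LaunchConfigurationName"] = new_name
    params["ImageId"] = approved_ami
    if "UserData" in params:
        # The API returns user data base64-encoded, while boto3 and the AWS CLI
        # base64-encode the UserData parameter themselves on create; decode it
        # here so the new launch configuration does not end up double-encoded.
        params["UserData"] = base64.b64decode(params["UserData"]).decode()
    return params


def replace_launch_config(client, asg_name, old_lc_name, new_lc_name, approved_ami):
    """Describe, clone, create and re-point an ASG using a boto3 autoscaling client.

    Running instances are not replaced by update_auto_scaling_group; rotate them
    afterwards so the old AMI actually leaves the fleet.
    """
    old_lc = client.describe_launch_configurations(
        LaunchConfigurationNames=[old_lc_name])["LaunchConfigurations"][0]
    params = clone_launch_config_params(old_lc, new_lc_name, approved_ami)
    client.create_launch_configuration(**params)
    client.update_auto_scaling_group(AutoScalingGroupName=asg_name,
                                     LaunchConfigurationName=new_lc_name)
    return params


if __name__ == "__main__":
    # usage: clone_lc.py describe-output.json NEW_NAME ami-xxxxxxxx > new-lc.json
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            old_lc = json.load(fh)["LaunchConfigurations"][0]
        params = clone_launch_config_params(old_lc, sys.argv[2], sys.argv[3])
    else:
        params = clone_launch_config_params(SAMPLE_OLD_LC, "cc-web-asg-launch-config", "ami-abcd1234")
    # Feed the result to: aws autoscaling create-launch-configuration --cli-input-json file://new-lc.json
    print(json.dumps(params, indent=4))
```

With the sample data the emitted parameters keep the c4.xlarge instance type, the key pair, security group, instance profile, the gp2 80 GiB root volume and the decoded user data, while the ARN, creation time and the empty KernelId/RamdiskId strings are gone. After update-auto-scaling-group the existing instances still run ami-1234abcd; terminate them in batches (or use aws autoscaling start-instance-refresh, which post-dates this page) so the ASG relaunches them from the approved image.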

Publication date Apr 21, 2018