Logo of Trend Micro

Approved/Golden AMIs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC2-028

Ensure that all the AWS EC2 instances necessary for your application stack are launched from your approved base Amazon Machine Images (AMIs), known as golden AMIs in order to enforce consistency and save time when scaling your application.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

An approved/golden AMI is a base EC2 machine image that contains a pre-configured OS and a well-defined stack of server software fully configured to run your application. Using golden AMIs to create new EC2 instances within your AWS environment brings major benefits such as fast and stable application deployment and scaling, secure application stack upgrades and versioning. You can go even further and automate your golden AMIs creation with open source tools like Packer https://www.packer.io/ and Netflix Animator (https://github.com/Netflix/animator).

Audit

To determine if your EC2 instances are being launched using approved Amazon Machine Images (AMI), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, click on the AMI ID parameter value to display the description box for the AMI used to launch the selected instance.

07 Inside the description box, copy the AMI ID exposed next to the AMI name:

copy the AMI ID exposed next to the AMI name

to your clipboard.

08 In the navigation panel, under IMAGES section, select AMIs.

09 Select Owned by me from the search filter dropdown menu, paste the AMI ID copied at step no. 7 into the search bar and press Enter. If the filtering process is not returning any results, the selected EC2 instance was deployed without using an approved/golden Amazon Machine Image (AMI), therefore the instance software configuration might not be well-secured.

10 Repeat steps no. 3 – 9 to verify the AMI origin for the other EC2 instances within your AWS region.

11 Change the AWS region from the navigation bar:

Change the AWS region from the navigation bar

and repeat the process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with appropriate filtering to list the AMI IDs for all the EC2 instances currently available in the selected region: 

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].ImageId'

02 The command output should return a table with the requested AMI IDs: 

-------------------
|DescribeInstances|
+-----------------+
|  ami-f5f41398   |
|  ami-a8c439c5   |
|  ami-b4cr745d   |
+-----------------+

03 Run describe-images command (OSX/Linux/UNIX) using the AMI ID returned at the previous as identifier to return the owner name for the AMI used to create the selected EC2 instance: 

aws ec2 describe-images
	--region us-east-1
	--image-ids ami-f5f41398
	--query 'Images[*].ImageOwnerAlias'

04 The command output should return the owner name (e.g. self, amazon, aws-marketplace) for the selected AMI. In the following example output, the owner of the selected AMI is AWS: 

[
    "amazon"
]

If the value returned for the owner is different than 'self', the EC2 instance selected was deployed without using an approved/golden Amazon Machine Image (AMI), therefore the instance software configuration might not be stable and well-secured.

05 Repeat steps no. 3 and 4 to verify the AMI origin for the rest of the EC2 instances available in current AWS region.

06 Repeat steps no. 1 – 4 to verify the AMI origin for the EC2 instances launched in other AWS regions.

Remediation / Resolution

To create golden/approved machine images and enforce your AWS administrators to launch EC2 instances using only these images, perform the following:

Using AWS Console

01

Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Click Launch Instance button from the EC2 dashboard top menu and create your base Linux/Windows instance. During the instance creation process you have the option to pass user data (shell scripts, cloud-init directives, etc) or use configuration management tools such as Chef or Puppet to install server software automatically after the EC2 instance starts.

05 Once the instance is running, install and configure the necessary software to run your application, secure the OS and the software stack and upload your application. Test the entire software stack (including your application) to make sure that the EC2 instance qualifies for the golden image (AMI).

06 Now that the instance is ready, it’s time to create the AMI. Choose Instances from the navigation panel and select the newly created EC2 instance.

07 Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.

08 Inside Create Image dialog box, perform the following:

  1. Enter a name for the new AMI in the Image Name box.
  2. In the Image description box, provide a description of the software stack installed, the purpose of the image and the version.
  3. Leave No reboot option unchecked so the AWS can guarantee the file system integrity for the new image.
  4. If required, update the image volume size and/or type inside the Instance Volumes section.

09 Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The image creation process may take few minutes. Once the process is complete the AMI status should change from pending to available.

10 Now that the golden AMI is ready for use, update your EC2 administrator(s) access permissions to force him/them to create EC2 instances from the new (approved) AMI only. To implement this restriction you need to create a custom IAM policy and attach it to the EC2 administrators IAM group. To create the policy, perform the following:

  1. Go to IAM dashboard at https://console.aws.amazon.com/iam/.
  2. In the left navigation panel, choose Policies and click Create Policy button from the dashboard top menu.
  3. On the Create Policy page, select Create Your Own Policy to create the necessary policy.
  4. On the Review Policy page, enter the following information:
    • In the Policy Name box, enter a name for your custom policy. Choose a unique name that will reflect the policy usage (e.g. ApprovedAMIPolicy).
    • In the Description textbox, enter a short description for the policy (optional).
    • In the Policy Document textbox, paste the following data and replace the highlighted details with your own details. The highlighted identifier represents the image EBS snapshot ID - you can find this ID in your AMI description panel, under Block Devices: 
      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464769334076",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "ec2:ParentSnapshot":
          "arn:aws:ec2:region::snapshot/snap-c5c0a423"
        }
      }
    }
  ]
}
    • Click Validate Policy button to validate the policy document then click Create Policy to save it.

11 To attach the custom policy created at the previous step to the necessary IAM group, perform the following actions:

  1. In the navigation panel, choose Groups and click on the EC2 administrators group to access its configuration page.
  2. On the group configuration page, select the Permissions tab and click Attach Policy button to attach the IAM custom policy created earlier.
  3. Select Customer Managed Policies from the Filter dropdown menu and select your newly created policy.
  4. Click Attach Policy to attach the selected policy to the IAM group.
  5. On the Review page, review the new group configuration then click Create Group.

Using AWS CLI

01First, create the EC2 instance dependencies – the 2048-bit RSA key pair and the required security group:

  1. Run create-key-pair command (OSX/Linux/UNIX) to set up a new RSA key pair in the selected AWS region: 
    aws ec2 create-key-pair
	--region us-east-1
	--key-name MyKeyPair
  2. The command output should return the ASCII version of the private key and the key fingerprint. Save the content of your key, listed as the KeyMaterial parameter value, in a .pem file on your machine: 
    {
    "KeyMaterial": "-BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY-",
    "KeyName": "MyKeyPair",
    "KeyFingerprint": "ef:20:96:4a:5a:06:28 ... bb:20:0f:0f:c9:7b:g4"
}
  3. Run create-security-group command (OSX/Linux/UNIX) to create a security group for the EC2 instance in the selected VPC. The following command example creates a security group called MySecurityGroup inside the VPC identified with the ID vpc-fb03eb9c, within the US East AWS region: 
    aws ec2 create-security-group
	--region us-east-1
	--group-name MySecurityGroup
	--description "My EC2 Security Group"
	--vpc-id vpc-fb03eb9c
  4. The command output should return the new security group ID: 
    {
    "GroupId": "sg-7550e90e"
}

02Run run-instances command (OSX/Linux/UNIX) to launch your base Linux/Windows EC2 instance. The following command example creates a new c4.large EC2 instance using an AMI with the ID ami-f5f41398 (Amazon Linux AMI 2016.03.1 base AMI), the RSA key pair and the security group created earlier, within the US East AWS region:

aws ec2 run-instances
	--region us-east-1
	--image-id ami-f5f41398
	--count 1
	--instance-type c4.large
	--key-name MyKeyPair
	--security-groups MySecurityGroup

03 The command output should return the new EC2 instance configuration metadata: 

{
    "OwnerId": "123456789012",
    "ReservationId": "r-05587b8359ad968fb",
    "Groups": [],
    "Instances": [
        {
            ...
            "EbsOptimized": false,
            "LaunchTime": "2016-06-01T15:41:23.000Z",
            "PrivateIpAddress": "172.31.12.90",
            "ProductCodes": [],
            "VpcId": "vpc-2fb56548",
            "StateTransitionReason": "",
            "InstanceId": "i-003b1c5834a73e5ae",
            "ImageId": "ami-f5f41398",
            ...
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            "AmiLaunchIndex": 0
        }
    ]
}

04 Once the new EC2 instance is running, log in to the instance using the key pair created at step no. 1 and install the necessary software to run your application, secure the OS and the software stack and upload your application. Test the entire software stack to make sure that the EC2 instance qualifies for the golden image (AMI) then move to the next step.

05 Run create-image command (OSX/Linux/UNIX) to create the approved/golden AMI using the EBS-backed instance created at step no. 2. Include the –no-reboot command parameter to guarantee the file system integrity for your new AMI: 

aws ec2 create-image
	--region us-east-1
	--instance-id i-003b1c5834a73e5ae
	--name "Approved/Golden Image"
	--description "Web App Stack Production AMI ver. 1.4"
	--no-reboot

06 The command output should return the new Amazon Machine Image (AMI) ID: 

{
    "ImageId": "ami-e91ee384"
}

07 Now that the golden AMI is ready for use, enforce your EC2 administrators to create instances from the new (approved) AMI only. To implement this restriction, perform the following:

  1. Create a new policy document called approved-ami-policy.json and paste the following data (replace the highlighted details with your own details): 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464769336975",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "ec2:ParentSnapshot":
          "arn:aws:ec2:region::snapshot/snap-c5c0a423"
        }
      }
    }
  ]
}
  2. Run create-policy command (OSX/Linux/UNIX) to create the required IAM managed policy that will force your EC2 administrators to create instances using the golden AMI only: 
    aws iam create-policy
	--policy-name ApprovedAMIPolicy
	--policy-document file://approved-ami-policy.json
  3. The command output should return the new IAM policy metadata (name, ID, ARN, etc): 
    {
    "Policy": {
        "PolicyName": "ApprovedAMIPolicy",
        "CreateDate": "2016-06-01T16:12:43.987Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAJIE7CHX7PBDD5COQQ",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/ApprovedAMIPolicy",
        "UpdateDate": "2016-06-01T16:12:43.987Z"
    }
}
  4. Run attach-group-policy command (OSX/Linux/UNIX) using the IAM policy ARN returned at the previous step to attach the policy to the EC2 administrators group (if the command succeeds, no output is returned):
    aws iam attach-group-policy
	--policy-arn arn:aws:iam::123456789012:policy/ApprovedAMIPolicy
	--group-name EC2Admins

References

Publication date Jun 2, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Approved/Golden AMIs

Risk level: Medium