How to Use a CIS Hardened Image to Set Up an Amazon EC2 Mac Instance
By Markus Weyerhaeuser, Principal Solutions Architect, Global Financial Services – AWS
Digitization is a key trend that can be observed in all sectors and industries alike. Mobile, in particular, is part of a wider digital disruption we are witnessing, enabling many of us to stay online wherever and whenever we want.
Smartphones and tablets are game-changers for many industries and accelerate digital transformation. We use these devices to get information, to stay in touch with family and friends, to have fun, and to work. Many companies are integrating a mobile experience into their omnichannel strategy.
Building mobile applications requires a specific set of tools and workflows. For example, building an iOS app requires access to developer tools running on the Apple Mac platform. Amazon Elastic Compute Cloud (Amazon EC2) Mac instances improve the macOS development experience, as developers can now benefit from the scalability, elasticity, reliability, and security of Amazon Web Services (AWS) to support the entire macOS development pipeline to build, test, sign, and publish Apple apps.
Customers including Goldman Sachs, Pinterest, and Intuit who have migrated their existing iOS and macOS build-and-test pipelines to AWS have found builds are 18.4% faster and 80.5% more reliable while experiencing up to 30% better performance over on-premises data center infrastructure.
With Amazon EC2 Mac instances, you can provision macOS environments within minutes, dynamically scale provisioned capacity as needed, remove build bottlenecks, only pay for actual usage, and leverage additional AWS services such as Amazon Machine Images (AMIs), Elastic Load Balancing (ELB), Amazon FSx, and Amazon CloudWatch.
In this post, I will explain step by step how to set up an Amazon EC2 Mac instance with a hardened image provided by the Center for Internet Security (CIS). This will help you to mitigate common threats like malware, denial of service, insufficient authorization, and overlapping trust boundary threats.
CIS is an AWS Partner and community-driven nonprofit that aims to make “the connected world a safer place for people, businesses, and governments.”
Security in the Cloud is a Shared Responsibility
AWS also brings many security benefits to the table. With EC2 Mac instances, you gain access to Amazon Virtual Private Cloud (Amazon VPC) for network isolation, granular access controls with AWS Identity and Access Management (IAM), auditing with AWS CloudTrail, and integration with tools like AWS Key Management Service (AWS KMS) and AWS Secrets Manager to encrypt boot and data volumes at rest and to store certificates.
While developer productivity is an important factor, security is “job zero” for everybody. In addition, regulated industries such as financial services, healthcare, or life sciences are operating under a heavy regulatory framework requiring significant levels of monitoring and reporting.
When transitioning to the cloud, financial services institutions, for example, are often concerned about the security and privacy of their data. Regulations covering personally identifiable information (PII), such as GDPR, are key regulatory drivers. Because the compliance and security bar is therefore quite high, customers implement security controls and guardrails to secure their cloud environment.
Security and compliance are a shared responsibility between AWS and the customer. This shared model can help relieve customers’ operational burdens as AWS operates, manages, and controls the components—from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer, meanwhile, assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. This shared model also gives customers the flexibility and control to deploy in the way that suits their requirements.
This differentiation of responsibility is commonly referred to as security “of” the cloud vs. security “in” the cloud.
Figure 1 – AWS Shared Responsibility Model.
For EC2 Mac instances, AWS provides AMIs for various macOS versions, making it easy to launch an EC2 Mac instance and get started.
The ability for customers to customize their own set of derivative AMIs with the specific software, such as the version of Xcode needed and tools required, greatly simplifies the maintenance process and enables developers to quickly spin up clean, consistent environments for their builds.
Raising the Security Bar
To raise the security bar even further, the Center for Internet Security (CIS) offers hardened AMIs that can be used to set up an Amazon EC2 instance. CIS is responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data.
CIS leads a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. The CIS Benchmarks are developed through a community consensus process and provide vendor-neutral, technology-specific recommendations.
The CIS Benchmarks include recommendations in the areas of installing updates, patches, and additional security software, as well as recommendations in security and privacy, firewall, encryption, iCloud, logging, and auditing. Many of the recommendations are automated and work out-of-the-box. The full list of the latest CIS Benchmark for macOS can be found on the CIS website.
Currently, CIS hardened images are available in AWS Marketplace for macOS 11 and macOS 10.15. When setting up an EC2 Mac instance, the CIS AMIs can be directly accessed from the EC2 console.
Next, I will set up an EC2 Mac instance and walk you through the process step by step.
To get started setting up an EC2 Mac instance with a CIS hardened image, follow these steps:
- Visit AWS Marketplace and click the Sign in button in the upper right corner. In case you don’t already have an account, you can create one by clicking Create a new account.
- Enter your 12-digit account ID, IAM user name, and password.
- In the search bar at the top of the window, type cis macOS. From the list of search results, select the one titled CIS Apple macOS 11 Big Sur Benchmark – Level 1.
Figure 2 – Search for CIS AMI in AWS Marketplace.
- On the CIS macOS 11 Benchmark detail page, click Continue to Subscribe.
- On the subscription page, click Accept Terms, and then select Continue to Configuration.
- Next, change the configuration parameters on the left side of the screen by selecting the latest software version and choosing “US East (Ohio)” as the Region to launch your instance in. Then click Continue to Launch.
Figure 3 – Configure the software and fulfillment option.
- On the next screen, under Choose Action select Launch through EC2 and click the Launch button. This opens an AWS Management Console window and brings you directly to the EC2 launch instance wizard. The CIS AMI from AWS Marketplace is already configured, so you can go through the remaining steps of the wizard.
- Choose mac1.metal as the instance type for the EC2 Mac instance and click Next: Configure Instance Details.
Figure 4 – Choose the EC2 instance type.
- When configuring the instance, select the us-east-2b Availability Zone (AZ) and remember it, because you will need it when configuring the Dedicated Host for the instance.
- Select Enable in Auto-Assign Public IP so you can connect to the instance from the internet later on. Then select Allocate a new host.
Figure 5 – Configure instance details.
- In the Allocate Dedicated Host screen, enter a tag name for the host, select mac1 as the instance family and mac1.metal as the instance type. Under Availability Zone, choose us-east-2b, the same AZ as the subnet you chose for your instance. Then, click Allocate.
Figure 6 – Allocate a Dedicated Host.
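The console steps above, expressed as an AWS CLI script, are added here as an example and are not code from the post, from CIS or from AWS. It allocates the mac1.metal Dedicated Host in the chosen AZ, checks that the instance subnet is in that same AZ before launching (the mismatch the walkthrough warns about), and launches the CIS AMI pinned to the host with host tenancy and an encrypted root volume. The AMI name filter, the key pair name, the subnet and security group IDs, and the root device name are assumptions or placeholders; by default the script runs in dry-run mode and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console walkthrough (not from the post).
# Values marked "assumed" or PLACEHOLDER are not on the page and must be replaced.
set -eu

REGION="${REGION:-us-east-2}"                 # Region chosen in the walkthrough
AZ="${AZ:-us-east-2b}"                        # AZ chosen in the walkthrough
INSTANCE_TYPE="mac1.metal"
KEY_NAME="${KEY_NAME:-mac-build-key}"         # assumed: an existing EC2 key pair
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"  # placeholder: a subnet that lives in $AZ
SG_ID="${SG_ID:-sg-PLACEHOLDER}"              # placeholder: SG allowing SSH only from your IP
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print mutating commands, 0 = run them

# Wrapper for commands that change state, so the script can be read and
# dry-run without credentials.
aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY RUN: aws $*"
  else
    aws --region "$REGION" "$@"
  fi
}

# A Dedicated Host and the instance subnet must be in the same AZ; this is
# why the walkthrough says to remember the AZ. Returns 0 when they match.
same_az() { [ "$1" = "$2" ]; }

# Placement string that pins the instance to one host with host tenancy.
placement_spec() { echo "HostId=$1,Tenancy=host"; }

# AZ of a subnet (read-only lookup, always runs against AWS).
subnet_az() {
  aws --region "$REGION" ec2 describe-subnets --subnet-ids "$1" \
    --query 'Subnets[0].AvailabilityZone' --output text
}

# Newest AWS Marketplace image whose name matches the CIS macOS 11 benchmark.
# The name pattern is an assumption; confirm the AMI ID on the product page.
find_cis_ami() {
  aws --region "$REGION" ec2 describe-images --owners aws-marketplace \
    --filters 'Name=name,Values=*CIS*macOS*11*' \
    --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
}

# Allocate one mac1.metal Dedicated Host in $AZ and print its ID.
allocate_host() {
  aws --region "$REGION" ec2 allocate-hosts --instance-type "$INSTANCE_TYPE" \
    --availability-zone "$AZ" --quantity 1 --auto-placement off \
    --query 'HostIds[0]' --output text
}

# Launch the CIS AMI on the host with a public IP and an encrypted root volume.
# Root device name /dev/sda1 is assumed; check the AMI's RootDeviceName.
launch_instance() {  # launch_instance <ami_id> <host_id>
  aws_cmd ec2 run-instances --image-id "$1" --instance-type "$INSTANCE_TYPE" \
    --placement "$(placement_spec "$2")" \
    --key-name "$KEY_NAME" --subnet-id "$SUBNET_ID" \
    --security-group-ids "$SG_ID" --associate-public-ip-address \
    --block-device-mappings 'DeviceName=/dev/sda1,Ebs={Encrypted=true}' \
    --query 'Instances[0].InstanceId' --output text
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    ami="ami-PLACEHOLDER"; host="h-PLACEHOLDER"
  else
    actual_az=$(subnet_az "$SUBNET_ID")
    same_az "$AZ" "$actual_az" || {
      echo "subnet $SUBNET_ID is in $actual_az, not $AZ; pick a subnet in $AZ" >&2
      return 1
    }
    ami=$(find_cis_ami)
    host=$(allocate_host)
  fi
  aws_cmd ec2 create-tags --resources "$host" --tags Key=Name,Value=cis-mac-host
  launch_instance "$ami" "$host"
}

main
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 and real subnet and security group IDs. Keep the security group limited to your own address range even though the instance gets a public IP, and remember that a Mac Dedicated Host is billed for a minimum allocation period of 24 hours, so release the host when the build environment is no longer needed.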
Launching via the EC2 Console
To launch new EC2 Mac instances based on the CIS AMI from AWS Marketplace in the future, you can do this directly from the EC2 console by navigating to Images > AMI Catalog on the left side of the console window.
Then search for cis macOS, select the Community AMIs tab, and select the AMI with the macOS version you want to install. Clicking Launch the selected AMI opens the EC2 launch instance wizard, and you can follow the remaining steps as previously described.
Figure 7 – Launch instance with AMI.
The macOS development experience improves by using Amazon EC2 Mac instances, as developers can now benefit from the scalability, elasticity, reliability, and security of AWS. Setting up an EC2 Mac instance with a Center for Internet Security (CIS) hardened image raises the security bar and helps mitigate common security threats.
The CIS hardened AMIs for macOS contain policies for hardened accounts, firewall configuration, and administrative templates. Using these AMIs to launch an Amazon EC2 Mac instance reduces time, cost, and risk associated with your organization’s AWS solution. The images are pre-configured to align with industry best practices that are developed and supported by CIS Benchmarks.
Center for Internet Security (CIS) – AWS Partner Spotlight
CIS is an AWS Partner and community-driven nonprofit that aims to make the connected world a safer place for people, businesses, and governments.