Building CIS hardened Golden Images and Pipelines with EC2 Image Builder
Until recently, customers had to navigate to the AWS Marketplace Console and search for a compatible Amazon Machine Image (AMI) product for your image pipeline. They also had to write their own custom components to harden the operating systems to meet Center for Internet Security (CIS) Benchmark guidelines. This required subscriptions to the CIS Benchmark toolset. This also required a high level of effort to accurately identify and implement the required hardening steps outlined in the CIS Benchmark guide.
Now customers can search AWS Marketplace Amazon Machine Images (AMIs) directly in the EC2 Image Builder Console and use those AMIs as base images in their image build workflows. Customers can use EC2 Image Builder to create custom Amazon Machine Images (AMIs) that are hardened using Center for Internet Security (CIS) Benchmarks.
EC2 Image Builder, launched in 2019, is a service that simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.
Overview of solution
Introducing CIS Hardening in EC2 Image Builder
Now, customers can search AWS Marketplace AMIs (including CIS hardened image offerings from AWS Marketplace) in EC2 Image Builder Console and use those AMIs as base images in their image build workflows. This makes it easier for you to seamlessly track and integrate your AWS Marketplace AMI subscriptions in your image customization workflows.
In addition to above, users can further deploy CIS Benchmark Level 1 hardening components for Amazon Linux 2, Red Hat Enterprise Linux (RHEL) 7, Windows Server 2019 and Windows Server 2022 via EC2 Image Builder. This gives you the ability to customize the baseline CIS image, and still being able to get to CIS standards baseline. Your subscribed AWS Marketplace AMIs will be available in the subscriptions section of the EC2 Image Builder Console under AWS Marketplace – Image Products.
This launch provides a streamlined approach to image hardening by eliminating the need to design, build, and test hardening components.
Figure 1: Workflow to create and distribute the customized hardened images
During the Secure image step, users can now use managed CIS components to build CIS hardened images
Let’s create an Image Builder pipeline to include a CIS hardening component on a CIS base image using the Image Builder console. We will build a recipe to demonstrate the use of a CIS hardening component and the create a pipeline from it.
To create a CIS hardened image pipeline, we will perform the following steps:
- Subscribe to the CIS AMI in AWS Marketplace
- Add a CIS hardening component to an image recipe
- Create a pipeline from the image recipe
- Create an image from your image pipeline
Subscribe to the CIS AMI in the AWS Marketplace
To unlock the CIS hardening components, subscribe to the CIS Amazon Linux 2 Level 1 AMI in the AWS Marketplace. You can access the AWS Marketplace directly from the EC2 Image Builder console by selecting Image products in the navigation menu under AWS Marketplace.
Figure 2: Finding base CIS Image from AWS Marketplace Image products
Figure 3: Subscribing the hardened CIS AMI for Amazon Linux 2
Add a CIS hardening component to an image recipe
An EC2 Image Builder recipe defines the base image to use as your starting point to create a new image. It also includes the set of components that you add to customize your image and verify that everything works as expected.
We will create a new recipe for this example. If you already have a recipe that you want to add the CIS component to, you can create a new version of your existing recipe instead of creating an entirely new one.
In the EC2 Image Builder console, select Image recipes from the navigation menu. Select Create image recipe.
Figure 4: Create image recipe
We will use the following options for our image. All other options can be left to the default.
- Name: demo-cis-recipe
- Version: 0.0
- Base Image: AWS Marketplace image CIS Amazon Linux 2 Kernel 4.14 Benchmark – Level 1. This will appear here if you have subscribed to the CIS AMI as defined in the previous step.
Note: the CIS hardening component can only be used in conjunction with images published by CIS.
- Working directory path: /var/tmp (default /tmp will result in permission denied because it’s mounted with noexec permission in this base image)
- Build components: Select Third party managed and select cis-benchmark-level-1-amazon-linux to add the component to your recipe.
Figure 5: Choosing cis-benchmark-level-1-amazon-linux build components
- We will not select any test components for this demo. It is recommended that test components are created to test your output images from EC2 Image Builder.
- Scroll to the bottom of the page and select Create recipe.
You will now see your recipe in the EC2 Image Builder console under the Image recipes section in the navigation pane.
Figure 6: Finding your newly created Image recipeYou now have a recipe containing the CIS hardening component ready for use in your pipeline.
Create a pipeline from the image recipe
EC2 Image pipeline which will produce the desired AMI as an output. EC2 Image Builder image pipelines provide an automation framework for creating and maintaining custom AMIs and container images. Pipelines deliver the following functionality:
- Assemble the base image, components for building and testing, infrastructure configuration, and distribution settings.
- Use pipeline scheduler to run image pipeline on a fixed schedule.
- Enable change detection for the base image and components, to automatically skip scheduled builds when there are no changes.
- Enable rule-based automation through Amazon EventBridge.
To create a pipeline from your hardening recipe:
- Click your image recipe from the Image recipes and click Create pipeline from this recipe
Figure 7: Creating pipeline from the newly created recipe
Configure your pipeline
For this demo we will use the following values for our pipeline
- Pipeline name: demo-cis-pipeline
- Build Schedule: Manual, and click next
- Choose recipe screen: accept the default option of use existing recipe.
- recipe details: select your recipe from the dropdown list and click next
- Define infrastructure configuration screen: you can either add an existing infrastructure configuration or build a new one with service default settings which is Create infrastructure configuration using service defaults. Select default and click next
- Define distribution settings: use default and click next
Review your pipeline settings. If you see anything that needs to be changed, edit appropriate settings. If everything looks fine, click Create pipeline.
Note that pipeline creation can take some time to complete.
After a few minutes, you will see below screen that displays the pipeline you just made using the image recipe you created earlier.
Figure 8: Finding your newly created Image pipeline
Create an image from your image pipeline
- Select your new image pipeline, click actions, and select Run pipeline.
Figure 9: Creating an Image from your Image pipeline
The Run pipeline will initiate the build of the image which will show up in the Output images tab.
Figure 10: Finding newly created Image from Output Images
View Image creation logs
- Select log stream and it will take you directly to log groups in CloudWatch to show the events.
Figure 11: Viewing Image creation logs from Amazon CloudWatch Log groups
Make sure to regularly clean up temporary resources that you created for testing. Otherwise, you might forget about those resources, and then later, not remember what they were used for. From our demo, we will delete demo-cis-pipeline, demo-cis-recipe and then delete the AMI created by running the pipeline. Also unsubscribe to CIS Amazon Linux 2 Kernel base image within Free Trial period if you are testing the procedure. Refer Delete EC2 Image Builder resources for instruction and the order to prevent any dependency issues while clean up.
In this blog we provided an overview of how customers can search AWS Marketplace Amazon Machine Images (AMIs) directly in the EC2 Image Builder Console and use those AMIs as base images in their image build workflows. We also shared how customers can use EC2 Image Builder to create custom Amazon Machine Images (AMIs) that are hardened using Center for Internet Security (CIS) Benchmarks to build CIS hardened Golden Images and pipelines using EC2 Image Builder.
Get started today
EC2 Image Builder now supports AWS Marketplace subscriptions for custom AMIs. It is available in all AWS Regions, excluding the AWS GovCloud (US) Regions and AWS China Regions (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD). CIS Benchmarks for security hardening of Amazon Machine Images is available in all AWS Regions, including the AWS GovCloud (US) Regions, but excluding AWS China regions (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD).
Get started on these features from the EC2 Image Builder Console, CLI, API, CloudFormation, or CDK, and learn more about the service in the EC2 Image Builder user guide. Learn about what’s upcoming up at EC2 Image Builder roadmap.
If you have any questions, comments, or suggestions, please leave a comment. You can also visit the AWS re:Post
About the authors: