Overview
Hardened Debian 13 - secure by default
Debian 13 hardened to CIS Level 1 and OpenSCAP-verified: SSH lockdown, AppArmor, fail2ban, auditd, automatic security updates, zero baked-in credentials, security-maintained by Verified Images.
This is a repackaged open source software product wherein additional charges apply for the hardened, security-maintained image (rebuilt and re-verified as new CVEs are disclosed).
Verified Images publishes a hardened, production-ready build of Debian 13 (Trixie). The image ships secure by default and stays current automatically, so you can launch trusted Linux infrastructure in minutes.
What's included:
- A security-hardened baseline aligned with the CIS Debian Linux Benchmark, Level 1 (Server profile), independently verified with OpenSCAP, evaluated against the newest published compatible SCAP Security Guide profile at scan time (ssg-debian12; a native Debian 13 profile was not yet published) (100.0% of applicable Level 1 controls pass, with 100 documented cloud-compatibility exceptions; verification report available on request): SSH password authentication and root login are disabled, a kernel/network sysctl hardening profile is applied, password-aging and umask defaults are set, and no default passwords or SSH keys are baked in. This hardening also maps to system-hardening requirements in PCI DSS, NIST 800-53, and HIPAA technical safeguards. Verified Images is not affiliated with or certified by the Center for Internet Security; CIS Benchmarks is a trademark of CIS.
- SSH brute-force protection: fail2ban ships enabled with a tuned sshd jail, banning repeat offenders automatically without ever affecting legitimate key-based logins.
- Audit trail out of the box: auditd records changes to identity files, sudoers, and the SSH server configuration with searchable audit keys.
- AppArmor mandatory access control installed and enabled (Debian does not ship it by default; Ubuntu-equivalent MAC coverage is added here).
- Automatic security updates enabled out of the box (unattended-upgrades), keeping the OS patched against CVEs without manual intervention. Automatic reboots are off by default and can be enabled with a maintenance window of your choice (victl enable-auto-reboot).
- The victl management CLI: security status, a full hardening report, on-demand security updates, health checks, and the auto-reboot toggle, all in one command.
- A login banner showing hardening status, pending updates, and the victl quick reference.
- AWS Systems Manager (SSM) agent preinstalled for keyless, auditable instance management.
- Ongoing security maintenance: the hardened image is rebuilt and re-verified against the CIS benchmark as new CVEs are disclosed, so new launches stay current.
Debian 13 (Trixie) is the current Debian stable release. Debian is a registered trademark of Software in the Public Interest, Inc. (SPI); Verified Images is not affiliated with, endorsed by, or sponsored by the Debian project or SPI.
Highlights
- Secure by default, verified - hardened to CIS Debian Benchmark Level 1 and independently OpenSCAP-verified (100.0% of applicable Level 1 controls, evaluated against the ssg-debian12 profile as no native Debian 13 profile is published yet); SSH password/root login disabled, fail2ban, auditd audit trail, AppArmor enabled, sysctl and login hardening, zero baked-in credentials.
- Stays patched, on your terms - unattended security updates out of the box, optional automatic reboot window, and the victl CLI for status, hardening reports, and on-demand updates; SSM agent preinstalled.
- Security-maintained - the hardened image is rebuilt and re-verified against the CIS benchmark as new CVEs are disclosed, so new launches ship current.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Dimension | Cost/hour |
|---|---|
t3.small Recommended | $0.06 |
t3.micro | $0.05 |
m5.xlarge | $0.25 |
m5.2xlarge | $0.40 |
t3.large | $0.16 |
t3.2xlarge | $0.40 |
t3.medium | $0.10 |
c5.large | $0.16 |
c5.xlarge | $0.25 |
t3.xlarge | $0.25 |
Vendor refund policy
Refunds are handled through AWS Marketplace in accordance with AWS Marketplace's standard refund policy. To request a refund, buyers should submit a request via AWS Marketplace. For product-related questions, contact support@verified-images.com .
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release: hardened Debian 13 (Trixie) image with automatic security updates, SSH lockdown, AppArmor, fail2ban, auditd, victl CLI, and SSM agent preinstalled. CIS Level 1 100.0% (OpenSCAP-verified against the ssg-debian12 profile; a native Debian 13 profile is not yet published; 100 documented cloud-compatibility exceptions).
Additional details
Usage instructions
-
Launch this AMI from AWS Marketplace. Choose an instance type (t3.small recommended) and assign your own EC2 key pair for SSH access.
-
Security group: open TCP 22 (SSH) from your IP. No other ports are required by the base image.
-
Connect via SSH as the "admin" user with your key pair: ssh -i /path/to/your-key.pem admin@<public-ip> Password authentication and root login are disabled by design. Use "sudo" for privileged commands.
-
Automatic security updates are enabled (unattended-upgrades). No action needed; the OS patches itself for security updates. Manage and inspect the security posture with the built-in CLI: victl status (services, pending updates, reboot-pending state) victl hardening-report (everything this image hardens) sudo victl update-now (apply security updates immediately) sudo victl enable-auto-reboot 03:30 (optional automatic reboot window; off by default)
-
(Optional) Manage the instance without SSH keys using AWS Systems Manager: attach an IAM role with the AmazonSSMManagedInstanceCore policy, and the instance will appear in Systems Manager.
-
Questions: support@verified-images.com . Include your instance ID and a description of the issue.
Support
Vendor support
support@verified-images.com (Verified Images, a DBA of CarmelTech LLC).
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
