Disappointing quality control
AMI (launched 2 days after announcement) had 7 system packages that needed to be updated for security vulnerabilities.
cfn_nag was configured to use a custom-built Ruby 2.5.1 installation (which has many, many CVEs compared to current 2.5.7 or 2.6.5 releases), instead of the amazon-linux-extras 2.6 ruby install.
Custom Ruby was set as a system installation but cfn_nag was installed as a local gem for the ec2-user Unix user.
This Marketplace AMI is not configured for high performance EC2 node types.
The AWS_REGION environment variable is inexplicably set to "US_EAST_1" (not a valid designation for us-east-1 as far as I know).
The EULA for this AMI is buggy and I'm not sure it's been proofread or run by a lawyer.
I don't know who this AMI is targeted at (people with trouble installing ruby and cfn-nag?) but as-is the attention to detail is such that I would never suggest that anyone run it.