AWS Cloud Operations Blog

Building CIS hardened Golden Images and Pipelines with EC2 Image Builder

Until recently, customers had to navigate to the AWS Marketplace Console and search for a compatible Amazon Machine Image (AMI) product for their image pipeline. They also had to write their own custom components to harden the operating system to meet Center for Internet Security (CIS) Benchmark guidelines. This required subscriptions to the CIS Benchmark toolset, and a high level of effort to accurately identify and implement the hardening steps outlined in the CIS Benchmark guide.

Now customers can search AWS Marketplace Amazon Machine Images (AMIs) directly in the EC2 Image Builder Console and use those AMIs as base images in their image build workflows. Customers can use EC2 Image Builder to create custom Amazon Machine Images (AMIs) that are hardened using Center for Internet Security (CIS) Benchmarks.

EC2 Image Builder, launched in 2019, is a service that simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.

Overview of solution

Introducing CIS Hardening in EC2 Image Builder

Now, customers can search AWS Marketplace AMIs (including CIS hardened image offerings from AWS Marketplace) in EC2 Image Builder Console and use those AMIs as base images in their image build workflows. This makes it easier for you to seamlessly track and integrate your AWS Marketplace AMI subscriptions in your image customization workflows.

In addition, users can deploy CIS Benchmark Level 1 hardening components for Amazon Linux 2, Red Hat Enterprise Linux (RHEL) 7, Windows Server 2019 and Windows Server 2022 via EC2 Image Builder. This lets you customize the CIS base image and still bring the result back to the CIS Benchmark baseline. Your subscribed AWS Marketplace AMIs will be available in the subscriptions section of the EC2 Image Builder Console under AWS Marketplace – Image Products.

This launch provides a streamlined approach to image hardening by eliminating the need to design, build, and test hardening components.

In EC2 Image Builder, you start with a source image, customize the software installed on the image, secure the image with AWS-provided and/or custom templates, then test the image with AWS-provided tests and/or your own tests. Once the tests succeed, you distribute your golden image to the selected AWS Regions.

Figure 1: Workflow to create and distribute the customized hardened images

During the Secure image step, users can now use managed CIS components to build CIS hardened images.

Getting Started

Let’s create an Image Builder pipeline that includes a CIS hardening component on a CIS base image using the Image Builder console. We will build a recipe to demonstrate the use of a CIS hardening component and then create a pipeline from it.

To create a CIS hardened image pipeline, we will perform the following steps:

  • Subscribe to the CIS AMI in AWS Marketplace
  • Add a CIS hardening component to an image recipe
  • Create a pipeline from the image recipe
  • Create an image from your image pipeline

Subscribe to the CIS AMI in the AWS Marketplace

To unlock the CIS hardening components, subscribe to the CIS Amazon Linux 2 Level 1 AMI in the AWS Marketplace. You can access the AWS Marketplace directly from the EC2 Image Builder console by selecting Image products in the navigation menu under AWS Marketplace.

In this picture, we searched for CIS in the AWS Marketplace Image Products and clicked on CIS Amazon Linux 2 in the search results.

Figure 2: Finding base CIS Image from AWS Marketplace Image products

After clicking on the CIS Amazon Linux Image product, you will see a screen where CIS (Center for Internet Security) states that the image is hardened according to the associated CIS Benchmark, which has been developed by consensus to be the industry best practice. Click the Continue to subscribe link. The typical total price quoted by CIS for this image is $0.043/hr.

Figure 3: Subscribing to the hardened CIS AMI for Amazon Linux 2

Add a CIS hardening component to an image recipe

An EC2 Image Builder recipe defines the base image to use as your starting point to create a new image. It also includes the set of components that you add to customize your image and verify that everything works as expected.

We will create a new recipe for this example. If you already have a recipe that you want to add the CIS component to, you can create a new version of your existing recipe instead of creating an entirely new one.

In the EC2 Image Builder console, select Image recipes from the navigation menu. Select Create image recipe.

In the image, we are in the Image recipes section of the EC2 Image Builder console, clicking on Create image recipe.

Figure 4: Create image recipe

We will use the following options for our image. All other options can be left at their defaults.

  • Name: demo-cis-recipe
  • Version: 0.0
  • Base Image: AWS Marketplace image CIS Amazon Linux 2 Kernel 4.14 Benchmark – Level 1. This will appear here if you have subscribed to the CIS AMI as defined in the previous step.
    Note: the CIS hardening component can only be used in conjunction with images published by CIS.
  • Working directory path: /var/tmp (default /tmp will result in permission denied because it’s mounted with noexec permission in this base image)
  • Build components: Select Third party managed and select cis-benchmark-level-1-amazon-linux to add the component to your recipe.

The image shows that while creating the recipe, we need to choose build components to produce the desired output AMI. We choose Third party managed build components from the dropdown and then select the cis-benchmark-level-1-amazon-linux component.

Figure 5: Choosing cis-benchmark-level-1-amazon-linux build components

  • We will not select any test components for this demo. We recommend creating test components to test the output images from EC2 Image Builder.
  • Scroll to the bottom of the page and select Create recipe.

You will now see your recipe in the EC2 Image Builder console under the Image recipes section in the navigation pane.

The picture shows our newly created image recipe, named demo-cis-recipe, version 1.0.0, with its operating system (Linux), base image, creation date, owner and ARN.

Figure 6: Finding your newly created Image recipe

You now have a recipe containing the CIS hardening component ready for use in your pipeline.

Create a pipeline from the image recipe

Next, create an EC2 Image Builder image pipeline, which will produce the desired AMI as its output. EC2 Image Builder image pipelines provide an automation framework for creating and maintaining custom AMIs and container images. Pipelines deliver the following functionality:

  • Assemble the base image, components for building and testing, infrastructure configuration, and distribution settings.
  • Use the pipeline scheduler to run the image pipeline on a fixed schedule.
  • Enable change detection for the base image and components, to automatically skip scheduled builds when there are no changes.
  • Enable rule-based automation through Amazon EventBridge.

To create a pipeline from your hardening recipe:

  • Select your image recipe in the Image recipes list and click Create pipeline from this recipe.

In this image, we open demo-cis-recipe and create a new pipeline from it by clicking Create pipeline from this recipe in the top right corner of the page.

Figure 7: Creating a pipeline from the newly created recipe

Configure your pipeline

For this demo we will use the following values for our pipeline.

  • Pipeline name: demo-cis-pipeline
  • Build schedule: Manual, then click Next.
  • Choose recipe screen: accept the default option, Use existing recipe.
  • Recipe details: select your recipe from the dropdown list and click Next.
  • Define infrastructure configuration screen: you can either choose an existing infrastructure configuration or create a new one with service default settings (Create infrastructure configuration using service defaults). Select the default option and click Next.
  • Define distribution settings: use the default and click Next.

Review your pipeline settings. If you see anything that needs to be changed, edit the appropriate settings. If everything looks fine, click Create pipeline.

Note that pipeline creation can take some time to complete.

After a few minutes, you will see the following screen, which displays the pipeline you just made from the image recipe you created earlier.

The picture shows our newly created image pipeline, named demo-cis-pipeline. We also see that the pipeline is enabled and that its type is AMI. Its creation date, version and ARN are listed on the screen, with the security findings status shown as Enabled.

Figure 8: Finding your newly created Image pipeline

Create an image from your image pipeline

  • Select your new image pipeline, click actions, and select Run pipeline.

This image shows us selecting our image pipeline in the EC2 Image Builder console by clicking the checkbox beside it, then opening the Actions menu in the top right and selecting "Run pipeline".

Figure 9: Creating an Image from your Image pipeline

Run pipeline initiates the build of the image, which will show up in the Output images tab.
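The same recipe, pipeline and run, expressed as API requests instead of console clicks, as an added example that is not from the post or from AWS. It assumes boto3 and uses placeholder AMI, component and infrastructure-configuration ARNs that you replace with your own; the pre-flight checks encode the constraints noted in the recipe step (the /var/tmp working directory and the CIS-only base image) plus the x.y.z version format the service expects.

```python
import re

# Constructed placeholders (not values from the post): substitute your own.
CIS_BASE_AMI = "ami-0123456789abcdef0"  # the CIS Amazon Linux 2 Level 1 AMI you subscribed to
CIS_COMPONENT_ARN = ("arn:aws:imagebuilder:us-east-1:ACCOUNT:component/"
                     "cis-benchmark-level-1-amazon-linux/x.x.x")  # copy the real ARN from the console
INFRA_CONFIG_ARN = ("arn:aws:imagebuilder:us-east-1:123456789012:"
                    "infrastructure-configuration/demo-cis-infra")
SEMVER = re.compile(r"^\d+\.\d+\.\d+$")  # Image Builder requires major.minor.patch


def recipe_problems(version, parent_image, component_arns, working_dir, cis_amis):
    """Return the reasons a recipe would fail, based on the constraints in the post."""
    problems = []
    if not SEMVER.match(version):
        problems.append(f"version {version!r} must be major.minor.patch, e.g. 1.0.0")
    if working_dir.rstrip("/") == "/tmp":
        problems.append("/tmp is mounted noexec on the CIS image; use /var/tmp")
    uses_cis = any("cis-benchmark-level-1" in arn for arn in component_arns)
    if uses_cis and parent_image not in cis_amis:
        problems.append("the CIS hardening component only runs on a CIS-published base image")
    return problems


def build_recipe(name, version, parent_image, component_arns,
                 working_dir="/var/tmp", cis_amis=frozenset({CIS_BASE_AMI})):
    """Request body for create_image_recipe; refuses the settings the post warns about."""
    problems = recipe_problems(version, parent_image, component_arns, working_dir, cis_amis)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "semanticVersion": version, "parentImage": parent_image,
            "workingDirectory": working_dir,
            "components": [{"componentArn": arn} for arn in component_arns]}


def build_pipeline(name, recipe_arn, infra_arn):
    """Request body for create_image_pipeline with no schedule (manual runs, as in the demo)."""
    return {"name": name, "imageRecipeArn": recipe_arn,
            "infrastructureConfigurationArn": infra_arn, "status": "ENABLED"}


def create_and_run(region="us-east-1"):
    """Submit both requests with boto3 and start one build (needs AWS credentials)."""
    import boto3  # imported here so the checks above work without boto3 installed
    ib = boto3.client("imagebuilder", region_name=region)
    recipe = ib.create_image_recipe(
        **build_recipe("demo-cis-recipe", "1.0.0", CIS_BASE_AMI, [CIS_COMPONENT_ARN]))
    pipe = ib.create_image_pipeline(
        **build_pipeline("demo-cis-pipeline", recipe["imageRecipeArn"], INFRA_CONFIG_ARN))
    run = ib.start_image_pipeline_execution(imagePipelineArn=pipe["imagePipelineArn"])
    return run["imageBuildVersionArn"]  # this build appears under the pipeline's Output images tab
```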

This image shows the Output images tab of the image pipeline in the EC2 Image Builder console. Our first image is visible with version 1.0.0/1. Its type is AMI and its creation date is listed, and the status shows as Available. The resource ARN is also visible, along with a Log stream hyperlink that takes you directly to Amazon CloudWatch to view the logs for this image.

Figure 10: Finding newly created Image from Output Images

View Image creation logs

  • Select Log stream to go directly to the log group in CloudWatch and view the build events.

We clicked the Log stream link shown on the previous screen, which takes us to Amazon CloudWatch, where we see the log stream of the newly built image under Log groups in CloudWatch Logs. The last line of the log shows the image transitioning to Available for the newly created image ARN.

Figure 11: Viewing Image creation logs from Amazon CloudWatch Log groups

Clean up

Make sure to regularly clean up temporary resources that you created for testing. Otherwise, you might forget about those resources and later not remember what they were used for. For our demo, we will delete demo-cis-pipeline and demo-cis-recipe, and then delete the AMI created by running the pipeline. Also unsubscribe from the CIS Amazon Linux 2 Kernel base image within the Free Trial period if you are only testing the procedure. Refer to Delete EC2 Image Builder resources for instructions and for the deletion order that avoids dependency issues during clean up.

Conclusion

In this blog we provided an overview of how customers can search AWS Marketplace Amazon Machine Images (AMIs) directly in the EC2 Image Builder Console and use those AMIs as base images in their image build workflows. We also showed how customers can use EC2 Image Builder to create custom AMIs hardened with Center for Internet Security (CIS) Benchmarks, building CIS hardened golden images and pipelines with EC2 Image Builder.

Get started today

EC2 Image Builder now supports AWS Marketplace subscriptions for custom AMIs. It is available in all AWS Regions, excluding the AWS GovCloud (US) Regions and the AWS China Regions (Beijing, operated by Sinnet, and Ningxia, operated by NWCD). CIS Benchmarks for security hardening of Amazon Machine Images are available in all AWS Regions, including the AWS GovCloud (US) Regions, but excluding the AWS China Regions (Beijing, operated by Sinnet, and Ningxia, operated by NWCD).

Get started with these features from the EC2 Image Builder Console, CLI, API, CloudFormation, or CDK, and learn more about the service in the EC2 Image Builder user guide. Learn about what’s upcoming on the EC2 Image Builder roadmap.

If you have any questions, comments, or suggestions, please leave a comment. You can also visit AWS re:Post.

About the authors:

Jason Livingston

Jason Livingston is a Cloud Infrastructure Architect for Amazon Web Services. He has over 20 years of experience building and scaling infrastructure to support business needs. His passion is designing systems that can take full advantage of the cloud.

Yogesh Aggarwal

Yogesh Aggarwal is a Technical Account Manager with AWS Enterprise Support based out of Toronto. He works with enterprise-scale financial customers to educate, empower and guide them on their AWS journey. He helps customers build solutions on AWS, optimize their AWS environment and advocates for them within AWS. His proactive approach aims to expedite customer progress and maximize the value they get from AWS.