Description:

An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration. You can use different AMIs to launch instances when you need instances with different configurations.

You can select an AMI to use based on the following characteristics:

  • Region (see Regions and Zones)

  • Operating system

  • Architecture (32-bit or 64-bit)

  • Launch permissions 

  • Storage for the root device

Rationale:

Checks if running instances are using specified AMIs. An Amazon Machine Image is a template that contains a preconfigured OS and a well-defined stack of server software, fully configured to run your application. Using an Amazon Machine Image to create new EC2 instances within your AWS environment provides major benefits such as fast and stable application deployment and scaling, secure application stack upgrades, and versioning.

Impact:

AWS Config rules can check that running instances are using approved Amazon Machine Images (AMIs). You can specify a list of approved AMIs by ID, or provide a tag that identifies the approved AMIs.

Default Value:

The default user name is determined by the AMI that was specified when you launched the instance. Checks if running instances are using specified AMIs.

By default, this Config rule is not enabled.

Pre-requisites:

At least one EC2 instance should be launched.

Remediations:

Test Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. In the left navigation, choose Rules.

  3. Choose View details on the rule and check that it uses APPROVED_AMIS_BY_ID.

  4. If the rule is not present, follow the implementation plan below.

  • Using AWS CLI

  1. Use the following command to list the Config rules and check whether an APPROVED_AMIS_BY_TAG rule exists (the response is wrapped in a ConfigRules array, and the JMESPath string literal uses single quotes inside a double-quoted argument):

    aws configservice describe-config-rules \
    --query "ConfigRules[?Source.SourceIdentifier=='APPROVED_AMIS_BY_TAG'].ConfigRuleName"

Implementation Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. In the left navigation, choose Rules.

  3. On the Rules page, choose Add rule.

  4. In the general settings, select Record specific resource types.

  5. Click Next.

  6. Search for APPROVED_AMIS_BY_TAG in the AWS Managed rule search bar and select it.

  7. Click Next, then click Confirm.

  • Using AWS CLI

Use the put-config-rule command with the --generate-cli-skeleton parameter to create a local JSON file that has the parameters for your rule:

aws configservice put-config-rule --generate-cli-skeleton > putConfigRule.json

For example, the following JSON defines the rule and limits its scope to EC2 instances. The rule body sits under a top-level ConfigRule key, as in the generated skeleton, and InputParameters is a JSON-encoded string:

{
    "ConfigRule": {
        "ConfigRuleName": "approved-amis-by-id",
        "Description": "A config rule that checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "APPROVED_AMIS_BY_TAG",
            "SourceDetails": []
        },
        "Scope": {
            "ComplianceResourceTypes": [
                "AWS::EC2::Instance"
            ]
        },
        "InputParameters": "{}"
    }
}

Then create the rule with the following command:

aws configservice put-config-rule --cli-input-json file://putConfigRule.json
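The following Python script is an added example, not part of this page or of AWS's own tooling. It covers both the Impact section (approving AMIs by ID or by tag) and the implementation plan above: it builds the put-config-rule request body for the two managed rules, showing that InputParameters must be a JSON-encoded string (which is why an empty parameter set appears as "{}"), applies the same selection as the test plan's --query to a describe-config-rules response, and mirrors each rule's evaluation locally so the compliance outcome can be checked without an AWS account. The parameter names amiIds (APPROVED_AMIS_BY_ID) and amisByTagKeyAndValue (APPROVED_AMIS_BY_TAG) are the managed rules' documented parameters; the instance IDs, AMI IDs, tags and describe output are constructed sample data, and the tag-matching semantics are this example's reading of the documented behaviour (an AMI is approved when it carries at least one listed tag, matching the value if one is given).

```python
import json

# Constructed sample data (not from the page): two instances, the AMIs they were
# launched from, and the tags on those AMIs as describe-images would report them.
SAMPLE_IMAGES = {
    "ami-0aaaa1111bbbb2222": {"Approved": "true", "Owner": "platform"},
    "ami-0cccc3333dddd4444": {"Owner": "dev"},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0123456789abcdef0", "ImageId": "ami-0aaaa1111bbbb2222"},
    {"InstanceId": "i-0fedcba9876543210", "ImageId": "ami-0cccc3333dddd4444"},
]
# Constructed describe-config-rules output, trimmed to the fields the test plan needs.
SAMPLE_DESCRIBE_OUTPUT = {
    "ConfigRules": [
        {"ConfigRuleName": "approved-amis-by-tag",
         "Source": {"Owner": "AWS", "SourceIdentifier": "APPROVED_AMIS_BY_TAG"}},
        {"ConfigRuleName": "root-mfa",
         "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}},
    ]
}


def build_rule(name, source_identifier, input_parameters):
    """Body for `aws configservice put-config-rule --cli-input-json file://...`.

    The rule sits under a top-level "ConfigRule" key and InputParameters is a
    JSON-encoded string, which is why an empty parameter set is written "{}".
    """
    return {
        "ConfigRule": {
            "ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
            "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
            "InputParameters": json.dumps(input_parameters),
        }
    }


def find_rule_names(describe_output, source_identifier):
    """Same selection as the --query in the test plan: names of the rules that
    are backed by the given AWS managed rule identifier."""
    return [r["ConfigRuleName"] for r in describe_output["ConfigRules"]
            if r["Source"].get("SourceIdentifier") == source_identifier]


def evaluate_by_id(instances, ami_ids_csv):
    """Local mirror of APPROVED_AMIS_BY_ID: amiIds is a comma-separated list of
    approved image IDs; an instance whose ImageId is not listed is NON_COMPLIANT."""
    approved = {a.strip() for a in ami_ids_csv.split(",") if a.strip()}
    return {i["InstanceId"]: "COMPLIANT" if i["ImageId"] in approved else "NON_COMPLIANT"
            for i in instances}


def parse_tag_spec(spec):
    """Parse amisByTagKeyAndValue ('key:value,key2,...'). A bare key matches any value."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            key, sep, value = item.partition(":")
            pairs.append((key, value if sep else None))
    return pairs


def evaluate_by_tag(instances, images, tag_spec):
    """Local mirror of APPROVED_AMIS_BY_TAG (this example's reading of the rule):
    an AMI is approved when it carries at least one of the listed tags, with the
    value matching when one was given."""
    pairs = parse_tag_spec(tag_spec)
    approved = {ami for ami, tags in images.items()
                if any(key in tags and (value is None or tags[key] == value)
                       for key, value in pairs)}
    return {i["InstanceId"]: "COMPLIANT" if i["ImageId"] in approved else "NON_COMPLIANT"
            for i in instances}


if __name__ == "__main__":
    print(json.dumps(build_rule("approved-amis-by-id", "APPROVED_AMIS_BY_ID",
                                {"amiIds": "ami-0aaaa1111bbbb2222"}), indent=4))
    print(find_rule_names(SAMPLE_DESCRIBE_OUTPUT, "APPROVED_AMIS_BY_TAG"))
    print(evaluate_by_id(SAMPLE_INSTANCES, "ami-0aaaa1111bbbb2222"))
    print(evaluate_by_tag(SAMPLE_INSTANCES, SAMPLE_IMAGES, "Approved:true"))
```

Writing the output of build_rule to a file and passing it with --cli-input-json reproduces the implementation step above with a populated parameter set; the local evaluators are only for reasoning about which instances the rule will flag, the authoritative result comes from AWS Config once the rule is active.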

Backout plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. In the left navigation, choose Rules.

  3. Choose a rule from the table that you want to delete.

  4. From the Actions dropdown list, choose Delete rule.

  5. When prompted, type "Delete" (case-sensitive) and then choose Delete.

  • Using AWS CLI

Use the delete-config-rule command as shown in the following example: