iCompaas Support

Profile Applicability:

• Level 1

Description:
The naming convention for Amazon Machine Images (AMIs) should be standardized and documented. This naming policy must be followed for all AMIs created in the organization’s AWS environment. Consistent naming conventions help manage and organize AMIs, making them easier to identify, track, and audit.

Rationale:
 A consistent naming convention ensures that AMIs can be easily identified and classified. Standardizing the naming process helps avoid confusion, ensures compliance with internal policies, and enhances security by making it easier to identify AMIs that belong to specific applications, environments, or compliance requirements.

Impact:
 Pros:

• Simplifies the management of AMIs, especially in large-scale environments.

• Enhances security by easily identifying and controlling AMIs.

• Improves auditing and compliance by ensuring the consistent use of naming conventions across all AMIs.

Cons:

• Requires administrative effort to implement and enforce a consistent naming policy.

• Existing AMIs that do not follow the naming convention will need to be renamed and potentially re-registered.

Default Value:
 By default, AMIs may not have a standardized naming convention unless explicitly enforced by the organization’s policies.

Pre-requisites:

• AWS IAM permissions to view and manage AMIs and security groups:
   ec2:DescribeImages, ec2:DeregisterImage, ec2:CopyImage

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the AWS Management Console.

2. Navigate to EC2 and in the left pane, under Images, select AMIs.

3. Review the list of AMIs in the console.

4. Confirm that the AMI Name matches the organization's image naming policy.

   • If the name does not conform, note the AMI for remediation.

Using AWS CLI:

1. Run the following AWS CLI command to list AMIs:
   

   aws ec2 describe-images --owner self --region us-west-2

2. Review the list of AMIs in the output.
   3. Confirm that the AMI Name follows the organization’s naming policy.

• If any AMI name does not match the naming policy, proceed with remediation steps.
  

Implementation Plan:

Using AWS Console:

1. Log in to the AWS Management Console and navigate to EC2.

2. In the Images section, select AMIs.

3. Find the AMI that does not comply with the naming policy.

4. Click Actions and then Copy AMI.

   • Set a new name that follows the naming policy.

   • Set a description that complies with the policy.

   • Choose encryption settings if applicable.

5. Click Copy AMI and wait for the process to finish.

6. After copying, select the original AMI and click Deregister.

Using AWS CLI:

1. To list the AMIs, run:
   

   aws ec2 describe-images --owner self --region us-west-2

2. Review the output and identify any AMI that doesn’t match the naming convention.

3. To copy and rename the AMI, use the following command:
   

   aws ec2 copy-image --name "<NEW_AMI_NAME>" --source-image-id <SOURCE_AMI_ID> --source-region us-west-2 --region us-west-2

4. After the new AMI is created, deregister the old non-compliant AMI:
   

   aws ec2 deregister-image --image-id <OLD_AMI_ID>

Backout Plan:

Using AWS Console:

1. If copying and renaming the AMI causes issues, navigate back to AMIs in the EC2 console.

2. Select the newly created AMI and click Deregister to remove it.

3. Re-register the original AMI if necessary by following the steps to copy it again.

Using AWS CLI:

1. To restore the original AMI, if the new one causes issues, run:
   

   aws ec2 deregister-image --image-id <NEW_AMI_ID>

2. Recreate the AMI with the original name and description if needed:
   

   aws ec2 copy-image --name "<ORIGINAL_AMI_NAME>" --source-image-id <SOURCE_AMI_ID> --source-region us-west-2 --region us-west-2

References:

• AWS CLI: describe-images

• AWS EC2 AMIs Documentation

CIS Controls: