Profile Applicability:

  • Level 1

Description:
It is crucial to ensure that only approved AMIs (Amazon Machine Images) are used within the organization. An approved AMI refers to a base EC2 machine image that is pre-configured to run your application, ensuring security, consistency, and compliance. Using non-approved AMIs can lead to the use of outdated or insecure configurations that may expose the system to vulnerabilities.

Rationale:
Using approved AMIs ensures consistency across the organization's infrastructure, promoting standardization and security. Approved AMIs are typically configured with security patches and best practices, ensuring a secure baseline for all EC2 instances. It also helps in achieving compliance with regulatory requirements, reducing the risk of deploying insecure or untested configurations in your environment.

Impact:
Pros:

  • Security consistency across the organization by ensuring all EC2 instances are based on a known, secure image.

  • Easier maintenance of EC2 instances as updates to approved AMIs can be centrally managed.

  • Compliance with security policies and regulations by ensuring all AMIs meet organizational security standards.

Cons:

  • Requires continuous monitoring and verification of AMI usage within the organization.

  • May require the removal or rebuild of EC2 instances that do not conform to the approved AMI policy, which could result in temporary downtime or configuration changes.

Default Value:
By default, AWS does not restrict the creation or use of AMIs, and any AMI can be launched without approval. It is up to the organization to establish and enforce policies regarding the use of AMIs.

Pre-requisites:

  • AWS IAM permissions to manage EC2 instances, AMIs, and security groups:
     ec2:DescribeInstances, ec2:DescribeImages, ec2:DeregisterImage, ec2:RunInstances

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to EC2 and click Images in the left pane, then select AMIs.

  3. Ensure that Owned by me is selected.

  4. Review the list of AMIs and verify that each one follows the approved AMI naming and usage policy.

  5. In the Instances section, select an EC2 instance and check the Details tab to confirm:

    • AMI Name

    • AMI Location (ensure it is within the organization's account)

  6. If any AMI does not match the approved list, refer to the Remediation section to remove the unauthorized AMI.

Using AWS CLI:

  1. Run the following command to list all AMIs owned by the account, showing the fields checked in the next step:

    aws ec2 describe-images --region <region> --owners self --query "Images[].[ImageId, Name, ImageLocation]" --output table

  2. Check the AMI Name and AMI Location for each listed AMI.

  3. If any AMI does not match the approved AMI list, note it for remediation.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, under Images, click AMIs.

  3. Review the list of AMIs and ensure all listed AMIs are approved for use.

  4. If any AMI is not approved, select it and click Actions > Deregister to remove the unauthorized AMI.

  5. After deregistering, review all EC2 instances using the unauthorized AMI:

    • Select the EC2 instance.

    • In the Details tab, confirm that the AMI Name and AMI Location are aligned with the approved list.

  6. If the instance was built from an unauthorized AMI, follow organizational steps to secure and replace the instance with one created from an approved AMI.

Using AWS CLI:

  1. Run the following command to list all EC2 instances and their associated AMI:

    aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, ImageId]"

  2. For each instance, verify that the ImageId (AMI ID) matches an approved AMI.

  3. If any EC2 instance is found to be using an unauthorized AMI, follow the remediation steps to deregister the AMI and replace the instance with one based on an approved AMI:

    aws ec2 deregister-image --image-id <IMAGE_ID>
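The CLI steps in the Test Plan and the Implementation Plan above both reduce to the same check: compare each AMI ID in use against the organization's approved list and flag anything that is not on it. The script below is an added example, not part of the CIS text or an AWS-provided tool; the approved AMI IDs, instance IDs, and sample describe-instances output are constructed placeholders. It consumes the tab-separated lines that `aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, ImageId]" --output text` produces, so the live command can be piped straight into `find_unapproved_instances`.

```shell
#!/bin/sh
# Added example: audit running EC2 instances against an approved-AMI allowlist.
# Everything below is constructed for illustration; replace the IDs with your own.

# Approved AMI IDs (constructed placeholders; populate from your organization's list).
APPROVED_AMIS="ami-0aaaa1111aaaa1111 ami-0bbbb2222bbbb2222"

# Return 0 if the AMI ID in $1 is on the approved list, 1 otherwise.
is_approved_ami() {
  for ami in $APPROVED_AMIS; do
    [ "$ami" = "$1" ] && return 0
  done
  return 1
}

# Read "InstanceId<TAB>ImageId" lines on stdin, i.e. the shape produced by
#   aws ec2 describe-instances \
#     --query "Reservations[].Instances[].[InstanceId, ImageId]" --output text
# and print "InstanceId ImageId" for every instance whose AMI is not approved.
find_unapproved_instances() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r instance_id image_id; do
    [ -z "$instance_id" ] && continue
    if ! is_approved_ami "$image_id"; then
      printf '%s %s\n' "$instance_id" "$image_id"
    fi
  done
}

# Constructed sample of describe-instances text output: one approved, one
# unapproved, one approved. In real use pipe the live command instead:
#   aws ec2 describe-instances --region "$REGION" \
#     --query "Reservations[].Instances[].[InstanceId, ImageId]" --output text \
#     | find_unapproved_instances
SAMPLE_INSTANCES="$(printf 'i-0111111111111111a\tami-0aaaa1111aaaa1111\ni-0222222222222222b\tami-0cccc3333cccc3333\ni-0333333333333333c\tami-0bbbb2222bbbb2222\n')"

# Run the audit over the constructed sample and print the non-conforming instances.
audit_sample() {
  printf '%s\n' "$SAMPLE_INSTANCES" | find_unapproved_instances
}

audit_sample
```

Each line the audit prints is an instance to feed into the remediation steps (replace the instance with one built from an approved AMI, then deregister the unapproved image). Keeping the allowlist in a file under version control rather than inline makes the check repeatable across regions and accounts.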

Backout Plan:

Using AWS Console:

  1. If deregistering an AMI causes issues, sign in to the AWS Management Console.

  2. Re-enable the original AMI by copying it again if necessary, ensuring it follows the approved AMI policy.

  3. Ensure that all instances are built from approved AMIs.

Using AWS CLI:

  1. If the deregistering process needs to be reversed, restore the original AMI by creating a new image:

    aws ec2 copy-image --name "<Original_AMI_Name>" --source-image-id <Image-ID> --source-region <region>

  2. Re-deploy EC2 instances from the restored AMI and ensure all instances meet the approved AMI policy.

References:

  1. AWS CLI: describe-images

  2. AWS CLI: deregister-image

  3. AWS EC2 AMIs Documentation

CIS Controls:

  Version   Control ID   Control Description
  v8        1.1          Establish and maintain a detailed inventory of enterprise assets, including AMIs, and ensure that only approved AMIs are used within the environment.
  v7        1.4          Maintain an accurate and up-to-date inventory of all technology assets, including AMIs, and ensure that only approved AMIs are in use.