Profile Applicability:

  • Level 1

Description:
 It is important to ensure that all Amazon Machine Images (AMIs) are up-to-date and not older than 90 days. Using outdated AMIs can result in missing critical security patches, bug fixes, and operating system (OS) updates. To ensure the reliability, security, and compliance of EC2 instances, AMIs should be regularly updated.

Rationale:
 Using up-to-date AMIs helps to ensure:

  • Security patches are applied, reducing the vulnerability surface.

  • OS updates and application updates are current, preventing issues from deprecated software versions.

  • Compliance with security best practices and industry regulations.

Outdated AMIs may expose the environment to known vulnerabilities and security risks due to the lack of updates and patches. Regularly reviewing and updating AMIs ensures the infrastructure remains secure, reliable, and in compliance with security standards.

Impact:
 Pros:

  • Improved security by ensuring AMIs are updated with the latest security patches.

  • Reduces the risk of security breaches due to outdated software.

  • Ensures compliance with industry regulations that require up-to-date software environments.

  • Helps maintain stability and reliability in the environment by using the latest OS and application versions.

Cons:

  • Requires regular updates and maintenance for AMIs, which can be time-consuming.

  • Outdated instances might need to be replaced or updated, causing operational disruption.

Default Value:
 By default, AMIs are created when a new EC2 instance is launched, but their age is not automatically managed. AMIs that are not regularly reviewed may become outdated over time.

Pre-requisites:

  • AWS IAM permissions to describe, copy, create, and deregister AMIs:
     ec2:DescribeImages, ec2:CopyImage, ec2:DeregisterImage, ec2:CreateImage

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and open the EC2 console.

  2. In the left pane, under Images, click on AMIs.

  3. Review the list of AMIs.

  4. For each AMI, confirm the Creation Date by checking the Details tab.

    • If the AMI is older than 90 days, it should be updated.

  5. Repeat the process for other regions and verify the age of all AMIs.

Using AWS CLI:

  1. Run the following command to list the AMIs owned by the account in a region (add --image-ids <image-ID> to inspect a single AMI):

    aws ec2 describe-images --region <region> --owners self --query 'Images[].[ImageId,Name,CreationDate]' --output table

  2. Look for the CreationDate field in the response.

  3. If the CreationDate is older than 90 days, note the AMI as outdated.
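The age check in steps 2 and 3, together with the per-region repetition from the console test plan, as an added example that is not part of the CIS recommendation text. It parses the JSON shape returned by aws ec2 describe-images, computes each AMI's age from its CreationDate, and reports those older than 90 days. The sample images, their IDs and dates are constructed for illustration; the fetch_describe_images helper that shells out to the AWS CLI is an assumption about how a live run would gather the input and is only used when the script is executed directly.

```python
"""Flag AMIs whose CreationDate is more than 90 days old, using the output
shape of `aws ec2 describe-images`. Added example, not the benchmark's own code."""
import json
import subprocess
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # threshold stated in the recommendation

# Constructed sample in the shape `aws ec2 describe-images --owners self` returns.
# Image IDs, names and dates are made up for illustration.
SAMPLE_DESCRIBE_IMAGES = {
    "Images": [
        {"ImageId": "ami-0000000000000001", "Name": "web-base",
         "CreationDate": "2024-01-15T10:00:00.000Z", "State": "available"},
        {"ImageId": "ami-0000000000000002", "Name": "web-base-patched",
         "CreationDate": "2024-04-20T08:30:00.000Z", "State": "available"},
        {"ImageId": "ami-0000000000000003", "Name": "pending-build",
         "CreationDate": "2024-05-01T12:00:00.000Z", "State": "pending"},
    ]
}


def parse_creation_date(value):
    """CreationDate is ISO 8601 UTC with milliseconds and a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def ami_age_days(image, now):
    """Whole days elapsed between the AMI's CreationDate and `now` (UTC)."""
    return (now - parse_creation_date(image["CreationDate"])).days


def outdated_amis(describe_output, now, max_age_days=MAX_AGE_DAYS):
    """Return [(ImageId, age_days)] for every AMI older than the threshold."""
    findings = []
    for image in describe_output.get("Images", []):
        age = ami_age_days(image, now)
        if age > max_age_days:
            findings.append((image["ImageId"], age))
    return findings


def audit_regions(per_region_output, now, max_age_days=MAX_AGE_DAYS):
    """Same check across regions. Input is {region: describe-images output};
    the result only lists regions that have outdated AMIs."""
    report = {}
    for region, output in per_region_output.items():
        findings = outdated_amis(output, now, max_age_days)
        if findings:
            report[region] = findings
    return report


def fetch_describe_images(region):
    """Live lookup through the AWS CLI (assumed helper; needs credentials)."""
    cmd = ["aws", "ec2", "describe-images", "--region", region,
           "--owners", "self", "--output", "json"]
    return json.loads(subprocess.check_output(cmd))


if __name__ == "__main__":
    import sys
    now = datetime.now(timezone.utc)
    regions = sys.argv[1:] or ["us-east-1"]
    report = audit_regions({r: fetch_describe_images(r) for r in regions}, now)
    for region, findings in report.items():
        for image_id, age in findings:
            print(f"{region} {image_id} is {age} days old (> {MAX_AGE_DAYS})")
```

Run it with one or more region names as arguments to audit the account's own AMIs in each; AMIs in state pending are still aged from their CreationDate, which is the field the test plan asks for.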

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and open the EC2 console.

  2. Under Images, click AMIs.

  3. Select the outdated AMI.

  4. Click Launch to create a new instance using the outdated AMI.

  5. Apply all necessary system, security, and application updates to the EC2 instance.

  6. Once the updates are completed, click on Instance state, then Stop the instance.

  7. Click on Actions, then Image and templates, and select Create image.

  8. After the image creation completes, go to AMIs and select the outdated AMI.

  9. Click on Actions and choose Deregister to remove the outdated AMI.

Using AWS CLI:

  1. To copy and create a new AMI with updated software:

    aws ec2 copy-image --name "<New_AMI_Name>" --source-image-id <Image-ID> --source-region <region> --encrypted

  2. Once the new AMI is created, deregister the old, outdated AMI:

    aws ec2 deregister-image --image-id <Image-ID>

Backout Plan:

Using AWS Console:

  1. If updating or deregistering the AMI causes issues, log in to the AWS Management Console.

  2. Restore the original AMI by following the steps to copy and launch it again.

  3. Apply the necessary system and security updates as required.

Using AWS CLI:

  1. If the AMI update disrupts operations, run:

    aws ec2 copy-image --name "<Original_AMI_Name>" --source-image-id <Image-ID> --source-region <region>

  2. Verify that the old AMI is restored and that it is functional:

    aws ec2 describe-images --image-ids <Image-ID>

References:

  1. AWS CLI: describe-images

  2. AWS CLI: deregister-image

  3. AWS EC2 AMIs Documentation

CIS Controls:

  Version | Control ID | Control Description
  v8      | 2.2        | Ensure that only supported and up-to-date AMIs are in use, providing security patches, OS updates, and ensuring compliance.
  v7      | 2.2        | Encrypt and maintain all sensitive data at rest, ensuring that any AMIs used are regularly updated and not older than 90 days.