Warning:
This project is designed to provide a starting point that reduces duplicated work and invites public review.
Additional hardening and detection systems are advised when using these images.
Open-AMI
Public versions of my hardened AMIs based on Amazon Linux.
HAWL1 Vault
Summary: HashiCorp Vault running on HAWL1
Usage: Central secret management solution.
Key Features:
- Unprivileged Vault Server Managed By Daemon
- DynamoDB Based HA Secret Storage Backend
- Unseal Status Reported to CloudWatch via custom metrics
- Only exposes Vault HTTPS API
- Cert & Key Sync Over Encrypted S3
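The "unseal status reported to CloudWatch" feature amounts to a small agent that polls the node and pushes one metric. The script below is an added example, not code from Open-AMI: it maps the JSON from `vault status -format=json` to a 1/0 value and publishes it with the AWS CLI. It assumes the `vault` and `aws` CLIs are on PATH, that `VAULT_ADDR` points at the local HTTPS API, that the instance role allows `cloudwatch:PutMetricData`, and that IMDSv2 is reachable; the namespace `HAWL1/Vault` and metric name `Sealed` are my own choices.

```shell
#!/bin/sh
# Added example (not Open-AMI code): publish Vault's seal state as a
# CloudWatch custom metric so an alarm can fire when a node is sealed.
# Assumptions: `vault` and `aws` on PATH, VAULT_ADDR set, instance role
# allows cloudwatch:PutMetricData, IMDSv2 reachable. Namespace and metric
# name are my own choice.

# Map the JSON from `vault status -format=json` to a metric value:
# prints 1 when "sealed" is true, 0 when false, returns 2 if the field is absent.
seal_metric_from_json() {
    json=$(printf '%s' "$1" | tr -d ' \n\t')
    case "$json" in
        *'"sealed":true'*)  echo 1 ;;
        *'"sealed":false'*) echo 0 ;;
        *) return 2 ;;
    esac
}

# Query the local node and push the metric. `vault status` exits 2 when the
# node is sealed, so its exit code is ignored and the JSON body is used instead.
report_seal_status() {
    status_json=$(vault status -format=json 2>/dev/null) || true
    value=$(seal_metric_from_json "$status_json") || {
        echo "could not read seal status from vault" >&2
        return 1
    }
    # IMDSv2: fetch a short-lived token, then the instance id for the dimension.
    token=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
    instance_id=$(curl -s -H "X-aws-ec2-metadata-token: $token" \
        http://169.254.169.254/latest/meta-data/instance-id)
    aws cloudwatch put-metric-data \
        --namespace 'HAWL1/Vault' \
        --metric-name Sealed \
        --dimensions InstanceId="$instance_id" \
        --unit Count \
        --value "$value"
}

# Run from cron (for example every minute) as: sh vault-seal-metric.sh --publish
case "${1:-}" in
    --publish) report_seal_status ;;
esac
```

When the API is unreachable the script publishes nothing rather than guessing, so the CloudWatch alarm on `Sealed` should treat missing data as breaching; otherwise a crashed node looks identical to a healthy one.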
HAWL1 Bastion
Summary: HAWL1-based SSH & TCP bastion jumpbox.
Use Case:
- Authenticated access to private networks.
- Routing traffic around restricted networks
- Accessing publicly inaccessible services and dashboards
Key Features:
- Allows tunneling exclusively
- Baked Backup Keys
  - Good for emergency access (primary authentication server down, but it's in the secured network)
  - Useful for unsealing a Vault in a private network (use the TCP proxy to perform unseal operations over TLS)
- CA Based SSH Access
  - Can be used with HashiCorp Vault to provide short-lived access
  - Can use smart cards via OpenSSH PKCS#11 integration
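"Tunneling exclusively", CA-based access and baked backup keys are all sshd policy. The script below is an added example, not the project's own configuration: it prints an `sshd_config` drop-in that accepts only CA-signed certificates for normal users, refuses shells and PTYs while keeping TCP forwarding, and reserves a break-glass `rescue` account whose keys are baked into the image. It assumes OpenSSH 8.2 or newer (for `sshd_config.d` includes); the CA path `/etc/ssh/bastion_ca.pub`, the backup key file `/etc/ssh/backup_keys/rescue` and the `rescue` user are hypothetical names of my choosing.

```shell
#!/bin/sh
# Added example (not Open-AMI code): sshd policy for a tunnel-only bastion
# with CA-signed user certificates and a baked break-glass key.
# Assumptions: OpenSSH 8.2+ (sshd_config.d support); the CA public key path,
# the backup key path and the "rescue" account are hypothetical.

# Print the sshd_config drop-in. $1 overrides the CA public key path.
bastion_sshd_config() {
    ca_pub=${1:-/etc/ssh/bastion_ca.pub}
    cat <<EOF
# Only certificates signed by the bastion CA are accepted; static
# authorized_keys files are ignored for everyone except the rescue account.
TrustedUserCAKeys $ca_pub
AuthorizedKeysFile none
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Tunnelling only: TCP forwarding stays on, everything else is off.
# ForceCommand never runs for "ssh -N" clients, which is the only mode wanted.
AllowTcpForwarding yes
PermitTTY no
ForceCommand /sbin/nologin
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
# Tear down idle tunnels and limit sessions per connection.
ClientAliveInterval 60
ClientAliveCountMax 3
MaxSessions 2
# Break-glass: keys baked into the image, used only when the CA issuer is down.
Match User rescue
    AuthorizedKeysFile /etc/ssh/backup_keys/rescue
EOF
}

# Verify that a config read from stdin still carries the tunnel-only
# directives (for example after a later edit). Prints what is missing.
check_tunnel_only() {
    cfg=$(cat)
    rc=0
    for want in 'PermitTTY no' 'ForceCommand ' 'AllowTcpForwarding yes' \
                'X11Forwarding no' 'AllowAgentForwarding no' \
                'PasswordAuthentication no' 'TrustedUserCAKeys '; do
        printf '%s\n' "$cfg" | grep -qi "^[[:space:]]*$want" \
            || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Write the drop-in and let sshd validate the merged configuration before a reload.
install_bastion_policy() {
    bastion_sshd_config "$1" > /etc/ssh/sshd_config.d/50-bastion.conf
    /usr/sbin/sshd -t
}

case "${1:-}" in
    --install) install_bastion_policy "${2:-}" ;;
esac
```

With this policy the Vault unseal use case from the list works as `ssh -N -L 8200:vault.internal:8200 ops@bastion` followed by `VAULT_ADDR=https://127.0.0.1:8200 VAULT_TLS_SERVER_NAME=vault.internal vault operator unseal` (hostnames assumed), so the unseal key shares only ever travel inside TLS. A smart card holder adds `-I /usr/lib64/opensc-pkcs11.so` (module path assumed) and the certificate is still checked against `TrustedUserCAKeys`.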
HAWL1:
Summary: Hardened Amazon Linux With Level 1 CIS Benchmark (HA W L1)
Use Case: Base image for better hardened applications
Key Features:
- Programmatic acceptance tests to verify conformance with CIS Level 1
- Works well with Amazon Inspector
- Designed to work with defense in depth
- AIDE: host file system integrity based intrusion detection system
Important Notes:
- Disabled Systems:
  - IPv6
  - Disk Swapping
  - X11 Window Server
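The acceptance tests and the disabled-systems list above describe the same thing from two sides: each hardening claim should be verifiable on the running host. The script below is an added example and not Open-AMI's own test suite; it shows the shape of such checks for the items the README names (IPv6 off, no swap, no X11 server, AIDE scheduled). Each check reads its evidence from a file so it can run against captured or constructed input, and `run_hawl1_checks` gathers live evidence with `sysctl -a`, `rpm -qa` and the cron files; the cron paths and the check set are my own choices, not the project's.

```shell
#!/bin/sh
# Added example (not Open-AMI's test suite): acceptance checks in the style of
# the README's CIS Level 1 conformance tests, covering the disabled systems
# (IPv6, swap, X11) plus AIDE scheduling. Evidence paths are assumptions.

# Pass when a /proc/swaps-format file ($1) has no entries below the header line.
swap_disabled() {
    [ -z "$(sed '1d' "$1")" ]
}

# Pass when key $2 in a `sysctl -a` dump ($1) has value $3.
sysctl_expect() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    actual=$(sed -n "s/^$key_re[[:space:]]*=[[:space:]]*//p" "$1" | head -n1)
    [ "$actual" = "$3" ]
}

# Pass when no xorg-x11-server package is listed in an `rpm -qa` dump ($1).
no_x11_server() {
    ! grep -q '^xorg-x11-server' "$1"
}

# Pass when a cron file ($1) schedules an AIDE integrity check.
aide_scheduled() {
    grep -q 'aide[[:space:]].*--check' "$1"
}

# Gather live evidence and report. Returns the number of failed checks.
run_hawl1_checks() {
    ev=$(mktemp -d)
    sysctl -a > "$ev/sysctl" 2>/dev/null
    rpm -qa > "$ev/rpms"
    cat /etc/crontab /etc/cron.d/* > "$ev/cron" 2>/dev/null
    fails=0
    check() {  # $1: description, remaining args: the check to run
        desc=$1; shift
        if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
    }
    check "swap is disabled"          swap_disabled /proc/swaps
    check "IPv6 disabled (all)"       sysctl_expect "$ev/sysctl" net.ipv6.conf.all.disable_ipv6 1
    check "IPv6 disabled (default)"   sysctl_expect "$ev/sysctl" net.ipv6.conf.default.disable_ipv6 1
    check "no X11 server installed"   no_x11_server "$ev/rpms"
    check "AIDE check is scheduled"   aide_scheduled "$ev/cron"
    rm -rf "$ev"
    return $fails
}

# Run on a built image as: sh hawl1-checks.sh --run
case "${1:-}" in
    --run) run_hawl1_checks ;;
esac
```

Because every check takes its evidence as a file, the same functions can be pointed at artifacts copied out of an image during a build pipeline, which is where "programmatic acceptance tests" pay off: a non-zero return from `run_hawl1_checks` fails the build before the AMI is published.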
Wishlist:
- Centralized Logging via AntMan
- BSD Jails
- Snort
- Bro IDS
- osquery
- SELinux
- Auto Configuration Scripts
- Read Only File System
NOTE:
HAWL1 is intended as a base image only; it is your responsibility to understand what hardening is required to handle your use case and threats.