Hardened AMIs
Purpose
The Center for Internet Security (CIS) provides benchmarks for hardening a variety of operating systems and software packages. This repo provides a workflow to facilitate the creation of CIS compliant Amazon Linux Amazon Machine Images (AMIs).
Tools
- Ansible is used to configure the machine images
- Packer is used to produce the AMIs
- Inspec is used to provide an automated way of verifying compliance
Assumptions
- You have an AWS account with appropriate permissions
Prerequisites
- Install Packer (confirmed working with 1.1.2)
- Install Ruby (confirmed working with 2.4.2)
- Install Inspec (confirmed working with 1.45.9)
- Install Python3 (confirmed working with 3.6.3)
- Install Ansible (confirmed working with 2.4.1.0)
- Get Python dependencies:
pip3 install -r requirements.txt
Creating an AMI
- To build an image run
python3 create-ami.py
- Packer will bring up an EC2 instance with the base AMI specified in the script
- The Ansible contained in packer-ansible is then run against the instance
- A snapshot is then taken
- The AMI ID is written to a file called packer-image.json
Testing an AMI
- To test the created image run
python3 test-ami.py
- Creates a security group that allows SSH ingress
- Brings up a new instance with the AMI ID found in packer-image.json and a temporary key pair
- Runs the Inspec tests
- Cleans up the instance, security group and key pair
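The build step's packer-image.json output and the test workflow above, as an added Python example (this is not the repository's own create-ami.py or test-ami.py). It assumes packer-image.json has the layout written by Packer's "manifest" post-processor (an "artifact_id" of the form region:ami-id), which the README does not state; the FakeEC2 class is a constructed offline stand-in for a boto3 EC2 client, and the Inspec run is left to a caller-supplied callback. Two points a practitioner would want that the bullet list does not spell out: the SSH ingress rule is restricted to a single CIDR and refuses 0.0.0.0/0, and the cleanup runs in a finally block and waits for the instance to terminate before deleting the security group, since AWS rejects deleting a group an instance still references.

```python
"""Added example of a test-ami.py-style harness; not the repo's own code.

Labelled assumptions: packer-image.json follows Packer's manifest
post-processor layout; FakeEC2 is a constructed stand-in for a boto3 client.
"""
import ipaddress
import json
import uuid

# Constructed sample in the shape Packer's manifest post-processor writes.
SAMPLE_MANIFEST = json.dumps({
    "builds": [{"name": "amazon-linux", "builder_type": "amazon-ebs",
                "artifact_id": "us-west-1:ami-0123456789abcdef0"}],
})


def parse_packer_manifest(text):
    """Map region -> AMI ID for the last build in a Packer manifest.

    The amazon-ebs builder records artifact_id as "<region>:<ami-id>", with
    several comma-separated pairs when the image was copied to more regions.
    """
    builds = json.loads(text).get("builds") or []
    if not builds:
        raise ValueError("manifest contains no builds")
    images = {}
    for entry in builds[-1]["artifact_id"].split(","):
        region, _, ami_id = entry.partition(":")
        if not (region and ami_id.startswith("ami-")):
            raise ValueError(f"unexpected artifact id {entry!r}")
        images[region] = ami_id
    return images


def ssh_ingress_rule(cidr):
    """IpPermissions entry opening TCP/22 to exactly one validated CIDR.

    A /0 is refused so the throwaway test instance is reachable only from the
    tester's address, not from every address on the internet.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("refusing to open SSH to every address")
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": str(net)}]}


def verify_ami(ec2, ami_id, ssh_cidr, run_inspec, instance_type="t2.micro"):
    """Create SG and key pair, launch the AMI, run tests, always clean up.

    ec2 is a boto3 EC2 client (or FakeEC2 below); run_inspec(public_ip,
    key_material) runs the Inspec profile and returns True on pass.
    """
    suffix = uuid.uuid4().hex[:8]
    sg_id = key_name = instance_id = None
    try:
        sg_id = ec2.create_security_group(
            GroupName=f"ami-test-{suffix}", Description="temporary AMI test group")["GroupId"]
        ec2.authorize_security_group_ingress(
            GroupId=sg_id, IpPermissions=[ssh_ingress_rule(ssh_cidr)])
        key_name = f"ami-test-{suffix}"
        key_material = ec2.create_key_pair(KeyName=key_name)["KeyMaterial"]
        launched = ec2.run_instances(
            ImageId=ami_id, InstanceType=instance_type, MinCount=1, MaxCount=1,
            KeyName=key_name, SecurityGroupIds=[sg_id])
        instance_id = launched["Instances"][0]["InstanceId"]
        ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
        described = ec2.describe_instances(InstanceIds=[instance_id])
        public_ip = described["Reservations"][0]["Instances"][0]["PublicIpAddress"]
        return run_inspec(public_ip, key_material)
    finally:
        # Tear down in dependency order: the group cannot be deleted while the
        # instance still references it, so wait for termination first.
        if instance_id:
            ec2.terminate_instances(InstanceIds=[instance_id])
            ec2.get_waiter("instance_terminated").wait(InstanceIds=[instance_id])
        if key_name:
            ec2.delete_key_pair(KeyName=key_name)
        if sg_id:
            ec2.delete_security_group(GroupId=sg_id)


class FakeEC2:
    """Constructed offline stand-in: records calls, returns canned responses."""
    _responses = {
        "create_security_group": {"GroupId": "sg-0fake"},
        "create_key_pair": {"KeyMaterial": "FAKE-PRIVATE-KEY"},
        "run_instances": {"Instances": [{"InstanceId": "i-0fake"}]},
        "describe_instances": {"Reservations": [{"Instances": [{"PublicIpAddress": "203.0.113.10"}]}]},
    }

    def __init__(self):
        self.calls = []

    def get_waiter(self, name):
        self.calls.append("wait:" + name)
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def __getattr__(self, name):  # every other EC2 API call is recorded by name
        def call(**kwargs):
            self.calls.append(name)
            return self._responses.get(name, {})
        return call


if __name__ == "__main__":
    images = parse_packer_manifest(SAMPLE_MANIFEST)
    client = FakeEC2()
    passed = verify_ami(client, images["us-west-1"], "198.51.100.7/32", lambda ip, key: True)
    print("inspec passed:", passed, "| calls:", client.calls)
```

Against a real account, pass `boto3.client("ec2", region_name=region)` in place of FakeEC2 and have the callback write the key material to a mode-0600 file and run Inspec over SSH (for example `inspec exec <profile> -t ssh://ec2-user@<ip> -i <keyfile>`), returning whether the exit status was zero.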
Limitations / Low Hanging Fruit
- Region currently hardcoded to us-west-1
- Base AMI hardcoded within the Python script create-ami.py (parameterised in amazon-linux.json)