This AMI extends the Amazon EKS Optimized AMI with the hardening typically required to meet NIST 800-53 based compliance frameworks such as FedRAMP. This repository uses Packer to enable FIPS 140-2 validated modules and apply the Amazon Linux 2, Docker, and EKS CIS Benchmarks.
Disclaimer: This AMI is not gaurenteed to meet FedRAMP requirements and you should always confirm with your compliance, security, and 3PAO that this AMI is sufficient. This is not an official AMI from AWS and is not officially supported.
Similar to the EKS Optimized AMI, this AMI is built using the same tooling.
# build a x86 AMI for EKS
packer build \
-var 'eks_version=1.18' \
-var 'vpc_id=vpc-xxxxxxxxxxxxxxxxx' \
-var 'subnet_id=subnet-xxxxxxxxxxxxxxxxx' \
-var 'volume_size=100' \
./amazon-eks-node.json
# build a arm64 AMI for EKS
packer build \
-var 'eks_version=1.18' \
-var 'vpc_id=vpc-xxxxxxxxxxxxxxxxx' \
-var 'subnet_id=subnet-xxxxxxxxxxxxxxxxx' \
-var 'volume_size=100' \
./amazon-eks-node-arm64.json| Parameter | Default | Supported | Description |
|---|---|---|---|
| eks_version | 1.18 |
Any major version supported by EKS | The major Kubernetes version that aligns to your EKS cluster. |
| vpc_id | vpc-xxxxxxxxxxxxxxxxx |
The ID of the VPC to place the Packer builder. | |
| subnet_id | subnet-xxxxxxxxxxxxxxxxx |
The ID of the Subnet to place the Packer builder. | |
| volume_size | 100 |
Any whole number in Gb | The size of the secondary volume. |
This repository applies the following benchmarks as part of the NIST 800-53 requirements:
The repository also utilizes the Amazon Linux 2 FIPS validated modules:
| Module | Status | Certification | Date |
|---|---|---|---|
| Amazon Linux 2 Libreswan Cryptographic Module | ✅ | 3652 | 05/08/2020 |
| Amazon Linux 2 NSS Cryptographic Module | ✅ | 3646 | 04/20/2020 |
| Amazon Linux 2 GnuTLS Cryptographic Module | ✅ | 3643 | 04/20/2020 |
| Amazon Linux 2 Libgcrypt Cryptographic Module | ✅ | 3618 | 02/19/2020 |
| Amazon Linux 2 OpenSSH Client Cryptographic Module | ✅ | 3567 | 11/20/2019 |
| Amazon Linux 2 OpenSSH Server Cryptographic Module | ✅ | 3562 | 11/14/2019 |
| Amazon Linux 2 OpenSSL Cryptographic Module | ✅ | 3553 | 10/23/2019 |
| Amazon Linux 2 Kernel Cryptographic API | ✅ | 3709 | 09/14/2020 |
The resulting images consists of two disks, a root disk and a secondary disk. The secondary disk is used to add the required partitions to meet CIS Benchmark requirements.
| Disk | Mount Point | % of Secondary Volume Size | Description |
|---|---|---|---|
/dev/nvme1n1p1 |
/ |
20% | This is the root disk used by the EKS optimized AMI. |
/dev/nvme2n1p1 |
/var |
20% | A separate partition for /var as required by the CIS Benchmark. |
/dev/nvme2n1p2 |
/var/log |
20% | A separate partition for /var/log as required by the CIS Benchmark. |
/dev/nvme2n1p3 |
/var/log/audit |
20% | A separate partition for /var/log/audit as required by the CIS Benchmark. |
/dev/nvme2n1p4 |
/home |
10% | A separate partition for /home as required by the CIS Benchmark. |
/dev/nvme2n1p5 |
/var/lib/docker |
30% | A separate partition for /var/lib/docker as required by the CIS Benchmark. |
This library is licensed under the MIT-0 License. See the LICENSE file.