
EC2 Image Builder - Windows STIG Hardening Implementation guidance

0

Hi,

I am currently in the process of implementing the EC2 Image Builder managed components for STIG compliance.

I have tried using all 3 versions, low, medium and high but my application keeps breaking and I can’t seem to identify what in the components is breaking them. Even then, I wouldn’t be able to disable a specific finding ID because the component does not allow parameters/is not customizable.

Therefore, I’m after some advice on how to practically implement these components in a safe manner and scope down as needed. The inability to scope down seems like a general problem; surely loads of people run into this?

asked a year ago, 468 views
2 Answers
3

It may be worth considering the below:

  1. Understand the STIG Compliance Levels: The "low," "medium," and "high" compliance levels correspond to different categories of vulnerabilities. High compliance (Category I) addresses the most severe risks, while low compliance (Category III) focuses on less critical vulnerabilities.
  2. Review Logs for Insights: Image Builder logs can provide details on which STIG settings are applied or skipped. Reviewing these logs can help identify the specific settings causing issues.
  3. Create Custom Components: If the managed components are too restrictive, consider creating custom components to apply only the necessary STIG settings. This allows you to tailor the hardening process to your application's requirements.
  4. Test Incrementally: Start with the "low" compliance level and test your application thoroughly. Gradually move to "medium" and "high" compliance levels, addressing issues as they arise.
  5. Use AWS Systems Manager: AWS Systems Manager provides the AWSEC2-ConfigureSTIG command document, which allows you to apply STIG settings to instances. This document supports scoping down by selecting specific compliance categories.

https://docs.aws.amazon.com/imagebuilder/latest/userguide/ib-stig.html

https://aws.amazon.com/blogs/security/quickly-build-stig-compliant-amazon-machine-images-using-amazon-ec2-image-builder/

EXPERT
answered a year ago
0

Hey,

Hope you're keeping well.

The AWS-managed STIG components apply a fixed set of hardening steps with no parameters, so if they break your application the best approach is to clone the workflow using custom Image Builder components. You can review the applied changes by checking the Image Builder build logs in CloudWatch and comparing them against the DISA STIG documentation to pinpoint which settings cause the breakage. A common pattern is to start with the low baseline, export its commands into a custom component, then selectively remove or adjust specific steps before moving up in severity. This way you maintain compliance controls you need while avoiding blanket changes that impact your app.

Thanks and regards,
Taz

answered 5 months ago
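Both answers come down to the same diagnostic step: find out which hardening change actually breaks the application before deciding what to carry into a custom component. As an added example (not from either answer, AWS or DISA), the script below snapshots the policy-backed registry locations on a test instance before and after the STIG component runs and diffs the two snapshots; the list of registry roots and the snapshot paths are assumptions you would adjust, and the Image Builder build log stays the authoritative record of which steps ran.

```powershell
# Added example: diff Windows policy registry state before/after a STIG component run.
# Run Save-PolicySnapshot on a clean test instance, apply the managed STIG component
# (or the AWSEC2-ConfigureSTIG document), run it again, then Compare-PolicySnapshot.
# The root list and snapshot paths are assumptions, not an AWS or DISA artefact.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
)

function Save-PolicySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $state = @{}
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Flatten to a string so REG_MULTI_SZ and REG_BINARY values compare reliably
                $state["$($key.Name)\$name"] = ($value -join ',')
            }
        }
    }
    $state | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $state.Count
}

function Compare-PolicySnapshot {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $bMap = @{}; (Get-Content $Before -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $bMap[$_.Name] = $_.Value }
    $aMap = @{}; (Get-Content $After -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $aMap[$_.Name] = $_.Value }
    # Emit one row per value that was added, removed or changed by the hardening run
    foreach ($k in (($bMap.Keys + $aMap.Keys) | Sort-Object -Unique)) {
        $oldV = if ($bMap.ContainsKey($k)) { $bMap[$k] } else { '<absent>' }
        $newV = if ($aMap.ContainsKey($k)) { $aMap[$k] } else { '<absent>' }
        if ($oldV -ne $newV) {
            [pscustomobject]@{ Setting = $k; Before = $oldV; After = $newV }
        }
    }
}

# Usage on the test instance (paths are assumptions):
# Save-PolicySnapshot -Path C:\stig\before.json    # before the component runs
# Save-PolicySnapshot -Path C:\stig\after.json     # after it runs
# Compare-PolicySnapshot C:\stig\before.json C:\stig\after.json | Format-Table -AutoSize
```

Reverting the changed values one at a time on the test instance tells you which setting the application depends on, and that setting is the one to drop or adjust when you rebuild the baseline as a custom component.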
