There are indeed several approaches to creating STIG hardened images on Amazon Linux, each with its own advantages and considerations:
- Using EC2 Image Builder with Amazon managed STIG hardening components: This is a recommended and efficient approach. EC2 Image Builder provides STIG hardening components that scan for misconfigurations and run remediation scripts. These components help you build compliant images for baseline STIG standards more efficiently. The process is automated and can be integrated into a pipeline, making it easier to maintain and update hardened images over time. This method is cost-effective as there are no additional charges for using STIG-compliant components.
- Using Systems Manager command document (AWSEC2-ConfigureSTIG): While this approach can be used to apply STIG settings, it's more suited for configuring existing instances rather than creating hardened images. It may require more manual intervention and might not be as efficient for creating and maintaining hardened AMIs at scale.
- AWS Marketplace STIG-compliant images: These pre-hardened images can save time and effort in initial setup, but as you noted, they come with additional costs. They might be suitable if you need a quick, ready-to-use solution and the cost is justified for your use case.
- Custom hardening: You can create your own hardening process by taking the Amazon EKS AMI as a base and adding hardening on top of it. This approach gives you more control but requires more expertise and effort to implement and maintain compliance.
The generally accepted approach among these options is using EC2 Image Builder with Amazon managed STIG hardening components. It offers a good balance of automation, cost-effectiveness, and ease of maintenance. You can create a pipeline that produces hardened Amazon Linux 2 base container images or AMIs. This method allows you to automate the process of updating and maintaining your hardened images, reducing manual effort and potential errors.
However, it's important to note that while these methods help in creating STIG-compliant images, AWS cannot guarantee full STIG compliance. You should always work with your organization's compliance team to verify that your final image meets all necessary compliance requirements.
Regardless of the method chosen, it's crucial to regularly update and test your hardened images to ensure they remain compliant with the latest STIG standards and security best practices.
Sources
- Build a pipeline for hardened container images using EC2 Image Builder and Terraform - AWS Prescriptive Guidance
- Amazon managed STIG hardening components for Image Builder - EC2 Image Builder
- Compliance products for your Image Builder images - EC2 Image Builder
- Automating AL2023 custom hardened AMI updates for Amazon EKS managed nodes | Containers
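The Image Builder approach described in the answer above, as an added Terraform example that is not part of the original post and not an AWS-provided module: an image recipe that layers the Amazon managed `update-linux` and `stig-build-linux-high` components on top of the managed Amazon Linux 2023 parent image, and a pipeline that rebuilds the AMI on a schedule whenever a dependency has a new version. Assumptions to verify before use: region `us-east-1`, an existing IAM instance profile named `ImageBuilderInstanceProfile` (placeholder), and the managed component and image ARNs shown in `locals`, which should be confirmed against the Image Builder console for your region.

```hcl
# Added example (not from the re:Post answer or from AWS): a minimal EC2 Image Builder
# pipeline that bakes the Amazon managed STIG "high" component into an AL2023 AMI.
# Assumed: region us-east-1, an existing instance profile "ImageBuilderInstanceProfile"
# (placeholder), and the managed ARNs below ("x.x.x" resolves to the latest version).

provider "aws" {
  region = "us-east-1"
}

locals {
  region           = "us-east-1"
  parent_image     = "arn:aws:imagebuilder:${local.region}:aws:image/amazon-linux-2023-x86/x.x.x"
  update_component = "arn:aws:imagebuilder:${local.region}:aws:component/update-linux/x.x.x"
  stig_component   = "arn:aws:imagebuilder:${local.region}:aws:component/stig-build-linux-high/x.x.x"
}

resource "aws_imagebuilder_image_recipe" "al2023_stig" {
  name         = "al2023-stig-high"
  version      = "1.0.0"
  parent_image = local.parent_image

  # Order matters: patch the OS first, then run the STIG scan-and-remediate component
  # on the patched system so remediation is not undone by a later package update.
  component {
    component_arn = local.update_component
  }
  component {
    component_arn = local.stig_component
  }

  block_device_mapping {
    device_name = "/dev/xvda"
    ebs {
      volume_size           = 20
      volume_type           = "gp3"
      encrypted             = true
      delete_on_termination = true
    }
  }
}

resource "aws_imagebuilder_infrastructure_configuration" "build" {
  name                          = "al2023-stig-build"
  instance_profile_name         = "ImageBuilderInstanceProfile" # placeholder, must already exist
  instance_types                = ["t3.medium"]
  terminate_instance_on_failure = true
}

resource "aws_imagebuilder_distribution_configuration" "dist" {
  name = "al2023-stig-dist"
  distribution {
    region = local.region
    ami_distribution_configuration {
      name = "al2023-stig-high-{{ imagebuilder:buildDate }}"
    }
  }
}

resource "aws_imagebuilder_image_pipeline" "al2023_stig" {
  name                             = "al2023-stig-pipeline"
  image_recipe_arn                 = aws_imagebuilder_image_recipe.al2023_stig.arn
  infrastructure_configuration_arn = aws_imagebuilder_infrastructure_configuration.build.arn
  distribution_configuration_arn   = aws_imagebuilder_distribution_configuration.dist.arn

  # Weekly check; a build only starts when the parent image or a component
  # (including the managed STIG component) has published a newer version, so the
  # AMI tracks both OS patches and updated STIG remediation without manual effort.
  schedule {
    schedule_expression                = "cron(0 6 ? * SUN *)"
    pipeline_execution_start_condition = "EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE"
  }

  # Keep the built-in test phase on: a failed test stops the AMI from being distributed.
  image_tests_configuration {
    image_tests_enabled = true
  }
}
```

The STIG component remediates what it can and logs what it cannot; the build log in the Image Builder console (and the resulting AMI) should still be scanned with your organization's compliance tooling, since, as the answer notes, the managed components do not guarantee full STIG compliance on their own.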