EC2 AMI Too Old

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-062

Ensure that your existing Amazon Machine Images (AMIs) are not older than 180 days in order to ensure their reliability and to meet cloud security and compliance requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity documentation on supported compliance standards.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Categories: Security, Reliability

Using up-to-date AMIs to launch your Amazon EC2 instances brings major benefits to your AWS application stack, maintaining your EC2 deployments secure and reliable. You can go even further and automate your old AMI update process with AWS Systems Manager or open-source tools like Packer and Netflix Aminator.

Note: The default value set for the maximum AMI age is 180 days. However, you can change the default threshold for this rule using the Trend Cloud One™ – Conformity console and set your own value for the AMI age based on your needs.


Audit

To determine if you have any outdated (> 180 days) AMIs available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to examine.

05 Select the Details tab from the console bottom panel to access the image configuration details.

06 Check the Creation date attribute value to determine the age of the verified image. If the age of the selected Amazon Machine Image (AMI) is greater than 180 days, the AMI is considered outdated and requires updates.

07 Repeat steps no. 4 – 6 for each Amazon Machine Image available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:

aws ec2 describe-images \
  --region us-east-1 \
  --owners self \
  --output table \
  --query 'Images[*].ImageId'

02 The command output should return the requested resource identifiers (IDs):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-01234abcd1234abcd  |
|  ami-0abcd1234abcd1234  |
|  ami-0abcdabcdabcdabcd  |
+-------------------------+

03 Run describe-images command (OSX/Linux/UNIX) using the ID of the AMI that you want to examine as the identifier parameter and custom query filters to describe the creation date for the selected image:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-01234abcd1234abcd \
  --query 'Images[*].CreationDate'

04 The command output should return the image creation date in human readable format:

[
	"2020-07-19T10:30:00.000Z"
]

Check the date/time returned by the describe-images command output to determine the age of the verified image. If the age of the selected Amazon Machine Image (AMI) is greater than 180 days, the AMI is considered outdated and requires updates.

05 Repeat steps no. 3 and 4 for each Amazon Machine Image available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
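The CLI audit above, automated over the JSON that describe-images returns, as an added example that is not part of the Conformity rule page: it flags every AMI older than a configurable threshold (default 180 days, matching the rule). The embedded describe-images output, image names and the ami_age.py file name are constructed for illustration.

```python
"""Flag AMIs older than a threshold from `aws ec2 describe-images --owners self --output json`."""
import json
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample in the shape of describe-images output; IDs, names and dates are made up.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-01234abcd1234abcd", "Name": "web-stack-1.1",
         "CreationDate": "2020-07-19T10:30:00.000Z"},
        {"ImageId": "ami-0abcd1234abcd1234", "Name": "web-stack-1.2",
         "CreationDate": "2021-03-01T08:00:00.000Z"},
        {"ImageId": "ami-0abcdabcdabcdabcd", "Name": "web-stack-1.3",
         "CreationDate": "2021-03-22T18:05:12.000Z"},
    ]
})


def parse_creation_date(value: str) -> datetime:
    """Parse the CreationDate string EC2 returns (UTC, millisecond precision, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_outdated_amis(describe_images_json: str, max_age_days: int = 180,
                       now: Optional[datetime] = None) -> List[dict]:
    """Return the images whose age exceeds max_age_days, oldest first.

    `now` is injectable so the check is deterministic in tests; it defaults to current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    outdated = []
    for image in json.loads(describe_images_json)["Images"]:
        age = now - parse_creation_date(image["CreationDate"])
        if age > timedelta(days=max_age_days):
            outdated.append({"ImageId": image["ImageId"],
                             "Name": image.get("Name", ""),
                             "AgeDays": age.days})
    return sorted(outdated, key=lambda i: i["AgeDays"], reverse=True)


if __name__ == "__main__":
    # Live use (per region): aws ec2 describe-images --region us-east-1 --owners self \
    #   --output json > images.json && python3 ami_age.py images.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_IMAGES
    for hit in find_outdated_amis(data):
        print(f"{hit['ImageId']}  {hit['Name']}  age={hit['AgeDays']} days  -> outdated")
```

Run it once per region, the same way the manual audit repeats steps 3 and 4 with a different --region value; lower max_age_days if you have set a stricter threshold in the Conformity console.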

Remediation / Resolution

To re-create outdated Amazon Machine Images (AMIs) with up-to-date software, perform the following operations:

Note: As an example, this conformity rule demonstrates how to update an outdated Amazon Linux AMI.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the outdated Amazon Machine Image (AMI) that you want to re-create.

05 Choose Launch to initiate the setup process using the selected AMI, and perform the following actions:

  1. For Step 1: Choose an Amazon Machine Image (AMI), make sure that the outdated AMI is selected.
  2. For Step 2: Choose an Instance Type, select the appropriate instance type, then choose Next: Configure Instance Details to continue the setup process.
  3. For Step 3: Configure Instance Details, configure the instance network, identity management, behavior, and metadata settings. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings. Choose Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new instance. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the appropriate security group(s) for the new instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your Amazon EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source image. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

06 After you have verified and tested your new Amazon EC2 instance, you can update the operating system (OS) and the rest of the software stack (including application stack) to its latest version.

07 Once the software is up to date, you can create the new (updated) Amazon Machine Image (AMI). Select the new instance, click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

08 On the Create image setup page, provide the following information:

  1. In the Image name box, enter a unique name for the new AMI.
  2. (Optional) In the Image description box, provide a short description that reflects the usage of the updated AMI.
  3. Deselect Enable under No reboot so that Amazon EC2 service can guarantee the file system integrity for the new AMI.
  4. (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
  5. Choose Create image to create your new, updated Amazon Machine Image (AMI).

09 Repeat steps no. 4 – 7 to re-create other outdated AMIs available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Execute run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the outdated Amazon Machine Image (AMI) that you want to re-create:

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-01234abcd1234abcd \
  --count 1 \
  --instance-type t2.micro \
  --key-name conformity \
  --security-group-ids sg-01234abcd1234abcd

02 The command output should return the configuration metadata for the newly created EC2 instance:

{
	"Groups": [],
	"Instances": [
		{
			"AmiLaunchIndex": 0,
			"ImageId": "ami-01234abcd1234abcd",
			"InstanceId": "i-01234123412341234",
			"InstanceType": "t2.micro",
			"KeyName": "conformity.aws",
			"LaunchTime": "2021-03-22T17:29:43+00:00",
			"Monitoring": {
				"State": "disabled"
			},
			"Placement": {
				"AvailabilityZone": "us-east-1e",
				"GroupName": "",
				"Tenancy": "default"
			},
			"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
			"PrivateIpAddress": "10.0.0.5",
			"ProductCodes": [],
			"PublicDnsName": "",
			"State": {
				"Code": 0,
				"Name": "pending"
			},
			"StateTransitionReason": "",
			"SubnetId": "subnet-abcdabcd",
			"VpcId": "vpc-1234abcd",
			"Architecture": "x86_64",
			"BlockDeviceMappings": [],
			"EbsOptimized": false,
			"EnaSupport": true,
			"Hypervisor": "xen",
			"IamInstanceProfile": "",
			"NetworkInterfaces": [
				{
					"Attachment": {
						"AttachTime": "2021-03-22T17:29:43+00:00",
						"AttachmentId": "eni-attach-0abcd1234abcd1234",
						"DeleteOnTermination": true,
						"DeviceIndex": 0,
						"Status": "attaching",
						"NetworkCardIndex": 0
					},
					"Description": "",
					"Groups": [
						{
							"GroupName": "cc-prod-security-group",
							"GroupId": "sg-01234abcd1234abcd"
						}
					],
					"Ipv6Addresses": [],
					"MacAddress": "06:00:c7:12:51:99",
					"NetworkInterfaceId": "eni-0abcd1234abcd1234",
					"OwnerId": "123456789012",
					"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
					"PrivateIpAddress": "10.0.0.5",
					"PrivateIpAddresses": [
						{
							"Primary": true,
							"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
							"PrivateIpAddress": "10.0.0.5"
						}
					],
					"SourceDestCheck": true,
					"Status": "in-use",
					"SubnetId": "subnet-abcdabcd",
					"VpcId": "vpc-1234abcd",
					"InterfaceType": "interface"
				}
			],
			"RootDeviceName": "/dev/xvda",
			"RootDeviceType": "ebs",
			"SecurityGroups": [
				{
					"GroupName": "cc-prod-security-group",
					"GroupId": "sg-01234abcd1234abcd"
				}
			],
			"SourceDestCheck": true,
			"StateReason": {
				"Code": "pending",
				"Message": "pending"
			},
			"VirtualizationType": "hvm",
			"HibernationOptions": {
				"Configured": true
			},
			"CpuOptions": {
				"CoreCount": 1,
				"ThreadsPerCore": 1
			},
			"CapacityReservationSpecification": {
				"CapacityReservationPreference": "open"
			},
			"MetadataOptions": {
				"State": "pending",
				"HttpTokens": "optional",
				"HttpPutResponseHopLimit": 1,
				"HttpEndpoint": "enabled"
			},
			"EnclaveOptions": {
				"Enabled": false
			}
		}
	],
	"OwnerId": "123456789012",
	"ReservationId": "r-0abcd1234abcd1234"
}

03 After you have verified and tested your new Amazon EC2 instance, you can update the operating system (OS) and the rest of the software stack to its latest version.

04 Once the software is up to date, you can create the new (updated) Amazon Machine Image (AMI). Run create-image command (OSX/Linux/UNIX) to create the updated AMI using the Amazon EC2 instance created at step no. 1. Include the --reboot command parameter so that Amazon EC2 shuts the instance down before taking the snapshot, which guarantees the file system integrity of your new AMI (this matches deselecting No reboot in the console; --no-reboot skips the shutdown and cannot guarantee a consistent file system):

aws ec2 create-image \
  --region us-east-1 \
  --instance-id i-01234123412341234 \
  --name "Project5 Updated AMI" \
  --description "Project5 Web Stack AMI ver. 1.2" \
  --reboot

05 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-0abcdabcdabcdabcd"
}

06 Repeat steps no. 1 – 5 to re-create other outdated AMIs available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Aug 6, 2018