
Blocklisted AMIs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-046

Ensure that all Amazon EC2 instances provisioned within your AWS cloud account are launched from approved Amazon Machine Images (AMIs) only in order to enforce security at the application stack level. Before running this rule by the Trend Cloud One™ – Conformity engine, the list of unapproved AMIs must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Removing unwanted or compromised AMIs from your AWS cloud account prevents known security issues in those images from reaching your application stack and forces the Amazon EC2 provisioning process to use only approved AMIs.


Audit

To determine if there are Amazon EC2 instances launched from unapproved AMIs within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Unapproved Amazon Machine Images conformity rule settings, and identify the ID(s) of the AMI(s) banned by your organization.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Instances, choose Instances.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Details tab from the console bottom panel to access the instance configuration details.

07 In the Instance details section, check the AMI ID attribute value to identify the ID of the image used to launch the selected instance. Compare the AMI ID value against each ID listed in the rule configuration section, identified at step no. 1. If the instance AMI ID is marked as unapproved in the conformity rule settings, the selected Amazon EC2 instance was launched from an unapproved AMI that may be compromised or carry security issues or potential vulnerabilities.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance available within the current AWS cloud region.

09 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Unapproved Amazon Machine Images conformity rule settings, and identify the ID(s) of the AMI(s) banned by your organization.

02 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

04 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier and custom filtering to describe the ID of the image used to create the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-0abcdabcdabcdabcd \
  --query 'Reservations[*].Instances[*].ImageId[]'

05 The command output should return the requested image ID:

[
    "ami-0abcd1234abcd1234"
]

Compare the image ID returned by the describe-instances command output against each ID listed in the rule configuration section, identified at step no. 1. If the instance image ID is marked as unapproved in the conformity rule settings, the selected Amazon EC2 instance was launched from an unapproved AMI that may be compromised or carry security issues or potential vulnerabilities.

06 Repeat steps no. 4 and 5 for each Amazon EC2 instance provisioned in the selected AWS cloud region.

07 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
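The console and CLI audits above boil down to one comparison per instance: is the ImageId on the blocklist configured for rule EC2-046? The following script is an added example, not Conformity's or AWS's code; it applies that comparison to the JSON that describe-instances prints, per region, and skips terminated instances by default because they linger in describe-instances output for a while but have nothing left to re-create. The blocklist and the describe-instances documents embedded below are constructed for the example, and the describe_instances_live helper assumes a configured AWS CLI is available on the PATH.

```python
"""Audit EC2 instances against a blocklist of AMI IDs (added example)."""
import json
import subprocess
from typing import Dict, Iterable, List

# Constructed blocklist, standing in for the AMI IDs configured in the
# EC2-046 rule settings on the Conformity console.
BLOCKLISTED_AMIS = {"ami-0abcd1234abcd1234"}

# Constructed `aws ec2 describe-instances --output json` documents for two
# regions, trimmed to the fields the check needs.
SAMPLE_DESCRIBE_OUTPUT = {
    "us-east-1": json.dumps({
        "Reservations": [
            {"Instances": [
                {"InstanceId": "i-0abcdabcdabcdabcd", "ImageId": "ami-0abcd1234abcd1234",
                 "State": {"Name": "running"}},
                {"InstanceId": "i-0abcd1234abcd1234", "ImageId": "ami-01234abcd1234abcd",
                 "State": {"Name": "running"}},
            ]},
            {"Instances": [
                {"InstanceId": "i-01234abcd1234abcd", "ImageId": "ami-0abcd1234abcd1234",
                 "State": {"Name": "terminated"}},
            ]},
        ]
    }),
    "eu-west-1": json.dumps({"Reservations": []}),
}


def find_unapproved_instances(describe_json: str, blocklist: Iterable[str],
                              include_terminated: bool = False) -> List[Dict[str, str]]:
    """Return one finding per instance whose ImageId is on the blocklist.

    Each finding is {"InstanceId", "ImageId", "State"}. Terminated instances
    are skipped unless include_terminated is set.
    """
    blocked = set(blocklist)
    findings: List[Dict[str, str]] = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "")
            if state == "terminated" and not include_terminated:
                continue
            if inst.get("ImageId") in blocked:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "ImageId": inst["ImageId"],
                                 "State": state})
    return findings


def audit_regions(outputs_by_region: Dict[str, str],
                  blocklist: Iterable[str]) -> Dict[str, List[Dict[str, str]]]:
    """Run the check for every region, mirroring the 'repeat for other regions' step."""
    return {region: find_unapproved_instances(doc, blocklist)
            for region, doc in outputs_by_region.items()}


def describe_instances_live(region: str) -> str:
    """Fetch real describe-instances JSON via the AWS CLI (assumed installed and configured)."""
    result = subprocess.run(
        ["aws", "ec2", "describe-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_DESCRIBE_OUTPUT for {r: describe_instances_live(r) for r in regions}
    # to audit a real account.
    for region, findings in audit_regions(SAMPLE_DESCRIBE_OUTPUT, BLOCKLISTED_AMIS).items():
        for f in findings:
            print(f"{region}: {f['InstanceId']} launched from blocklisted AMI "
                  f"{f['ImageId']} (state: {f['State']})")
```

Against the constructed sample the script reports only i-0abcdabcdabcdabcd in us-east-1; the terminated instance is reported only when include_terminated=True, which is useful when the question is "did this AMI ever run here?" rather than "what needs re-creating?".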

Remediation / Resolution

To re-create Amazon EC2 instances built with unapproved Amazon Machine Images (AMIs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion":"2010-09-09",
    "Description":"Create EC2 instance from approved AMI",
    "Parameters":{
        "InstanceKeyName":{
            "Type":"AWS::EC2::KeyPair::KeyName",
            "Description":"The SSH key used to access the instance."
        },
        "InstanceSecurityGroup":{
            "Type":"AWS::EC2::SecurityGroup::Id",
            "Description":"The ID of the security group to use."
        }
    },
    "Resources":{
        "EncryptedEC2Instance":{
            "Type":"AWS::EC2::Instance",
            "Properties":{
                "ImageId":"ami-0abcd1234abcd1234",
                "InstanceType":"t3.micro",
                "KeyName":{
                    "Ref":"InstanceKeyName"
                },
                "SubnetId":"subnet-abcd1234",
                "SecurityGroupIds":[
                    {
                        "Ref":"InstanceSecurityGroup"
                    }
                ],
                "BlockDeviceMappings":[
                    {
                        "DeviceName":"/dev/xvda",
                        "Ebs":{
                            "VolumeSize":"150",
                            "VolumeType":"gp2"
                        }
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create EC2 instance from approved AMI
Parameters:
  InstanceKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The SSH key used to access the instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The ID of the security group to use.
Resources:
  EncryptedEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName:
        Ref: InstanceKeyName
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - Ref: InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: '150'
            VolumeType: gp2

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

# Create EC2 instance from approved AMI
resource "aws_instance" "compliant-ec2-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

    ebs_block_device {
        device_name = "/dev/xvda"
        volume_size = 150
        volume_type = "gp2"
    }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Choose Launch instances and perform the following actions:

  1. For Step 1: Choose an Amazon Machine Image (AMI), choose the Amazon Machine Image (AMI) required to launch your new EC2 instance. You can select an AMI provided by AWS, AWS user community, AWS Marketplace, or you can choose your own AMI. To create your own approved (golden) AMI, see this conformity rule.
  2. For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source, non-compliant EC2 instance). Choose Next: Configure Instance Details to continue the setup process.
  3. For Step 3: Configure Instance Details, configure the instance network, identity management, behavior, and metadata settings. The new instance configuration must match the source, non-compliant instance configuration. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings, then click Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new EC2 instance. You can track compute cost and other criteria by tagging your instance. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source, non-compliant EC2 instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

05 Once the new EC2 instance is running, install and configure the necessary software to run your application, then transfer your application files from the source instance (i.e. the one launched from an unapproved AMI) to the new EC2 instance.

06 (Optional) After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source (non-compliant) instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under Network & Security, select Elastic IPs.
  2. Select the Elastic IP address attached to the source instance, choose Actions, and select Disassociate Elastic IP address.
  3. In the Disassociate Elastic IP address confirmation box, review the EIP details, then choose Disassociate.
  4. Select the same IP address, choose Actions and select Associate Elastic IP address.
  5. In the Associate Elastic IP address configuration box, perform the following:
    • For Resource type, choose Instance.
    • For Instance, select the ID of the new EC2 instance created at step no. 4.
    • Choose Associate to attach the Elastic IP.

07 (Optional) You can terminate the source EC2 instance in order to stop incurring charges for it. To shut down the instance, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate instance.
  4. In the Terminate instance? confirmation box, review the instance details, then choose Terminate to shut down the selected EC2 instance.

08 Repeat steps no. 4 – 7 for each Amazon EC2 instance that you want to re-create, available within the selected AWS cloud region.

09 Change the AWS region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to re-create as the identifier parameter (i.e. the instance launched from an unapproved AMI) to list the configuration information available for the selected instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-0abcdabcdabcdabcd \
  --query 'Reservations[*].Instances[]'

02 The command output should return an array with the requested configuration information:

[
    {
        "AmiLaunchIndex": 0,
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceId": "i-0abcdabcdabcdabcd",
        "InstanceType": "t2.micro",
        "KeyName": "conformity",
        "LaunchTime": "2021-03-10T10:00:00+00:00",
        "Monitoring": {
            "State": "disabled"
        },
        "Placement": {
            "AvailabilityZone": "us-east-1a",
            "GroupName": "",
            "Tenancy": "default"
        },
        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
        "PrivateIpAddress": "10.0.0.15",
        "ProductCodes": [],
        "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
        "PublicIpAddress": "10.0.1.20",
        "State": {
            "Code": 16,
            "Name": "running"
        },
        "StateTransitionReason": "",
        "SubnetId": "subnet-abcd1234",
        "VpcId": "vpc-1234abcd",
        "Architecture": "x86_64",
        "BlockDeviceMappings": [
            {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "DeleteOnTermination": true,
                    "Status": "attached",
                    "VolumeId": "vol-0abcd1234abcd1234"
                }
            }
        ],
        "ClientToken": "",
        "EbsOptimized": false,
        "EnaSupport": true,
        "Hypervisor": "xen",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
            "Id": "ABCDABCDABCDABCDABCDA"
        },
        "NetworkInterfaces": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                    "PublicIp": "10.0.1.20"
                },
                "Attachment": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "AttachmentId": "eni-attach-0abcd1234abcd1234",
                    "DeleteOnTermination": true,
                    "DeviceIndex": 0,
                    "Status": "attached",
                    "NetworkCardIndex": 0
                },
                "Description": "Primary network interface",
                "Groups": [
                    {
                        "GroupName": "cc-prod-security-group",
                        "GroupId": "sg-01234abcd1234abcd"
                    }
                ],
                "Ipv6Addresses": [],
                "MacAddress": "0e:53:19:7b:62:6b",
                "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                "OwnerId": "123456789012",
                "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                "PrivateIpAddress": "10.0.0.15",
                "PrivateIpAddresses": [
                    {
                        "Association": {
                            "IpOwnerId": "amazon",
                            "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                            "PublicIp": "10.0.1.20"
                        },
                        "Primary": true,
                        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                        "PrivateIpAddress": "10.0.0.15"
                    }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-abcd1234",
                "VpcId": "vpc-1234abcd",
                "InterfaceType": "interface"
            }
        ],
        "RootDeviceName": "/dev/xvda",
        "RootDeviceType": "ebs",
        "SecurityGroups": [
            {
                "GroupName": "cc-prod-security-group",
                "GroupId": "sg-01234abcd1234abcd"
            }
        ],
        "SourceDestCheck": true,
        "VirtualizationType": "hvm",
        "CpuOptions": {
            "CoreCount": 2,
            "ThreadsPerCore": 4
        },
        "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
        },
        "HibernationOptions": {
            "Configured": false
        },
        "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
        },
        "EnclaveOptions": {
            "Enabled": false
        }
    }
]

03 Run run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance using the information returned at the previous step for the configuration parameters. Choose an approved Amazon Machine Image (AMI) to create the new EC2 instance (to create your own approved/golden AMI, see this conformity rule):

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-01234abcd1234abcd \
  --count 1 \
  --instance-type t2.micro \
  --key-name conformity \
  --security-group-ids sg-01234abcd1234abcd \
  --iam-instance-profile Name="ec2-manager-role"

04 The command output should return the metadata available for the newly created Amazon EC2 instance:

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-01234abcd1234abcd",
            "InstanceId": "i-01234123412341234",
            "InstanceType": "t2.micro",
            "KeyName": "conformity.aws",
            "LaunchTime": "2021-03-22T17:29:43+00:00",
            "Monitoring": {
                "State": "disabled"
            },
            "Placement": {
                "AvailabilityZone": "us-east-1e",
                "GroupName": "",
                "Tenancy": "default"
            },
            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
            "PrivateIpAddress": "10.0.0.5",
            "ProductCodes": [],
            "PublicDnsName": "",
            "State": {
                "Code": 0,
                "Name": "pending"
            },
            "StateTransitionReason": "",
            "SubnetId": "subnet-abcd1234",
            "VpcId": "vpc-1234abcd",
            "Architecture": "x86_64",
            "BlockDeviceMappings": [],
            "EbsOptimized": false,
            "EnaSupport": true,
            "Hypervisor": "xen",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
                "Id": "ABCDABCDABCDABCDABCD"
            },
            "NetworkInterfaces": [
                {
                    "Attachment": {
                        "AttachTime": "2021-03-22T17:29:43+00:00",
                        "AttachmentId": "eni-attach-0abcd1234abcd1234",
                        "DeleteOnTermination": true,
                        "DeviceIndex": 0,
                        "Status": "attaching",
                        "NetworkCardIndex": 0
                    },
                    "Description": "",
                    "Groups": [
                        {
                            "GroupName": "cc-prod-security-group",
                            "GroupId": "sg-01234abcd1234abcd"
                        }
                    ],
                    "Ipv6Addresses": [],
                    "MacAddress": "06:00:c7:12:51:99",
                    "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                    "OwnerId": "123456789012",
                    "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                    "PrivateIpAddress": "10.0.0.5",
                    "PrivateIpAddresses": [
                        {
                            "Primary": true,
                            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                            "PrivateIpAddress": "10.0.0.5"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Status": "in-use",
                    "SubnetId": "subnet-abcd1234",
                    "VpcId": "vpc-1234abcd",
                    "InterfaceType": "interface"
                }
            ],
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SecurityGroups": [
                {
                    "GroupName": "cc-prod-security-group",
                    "GroupId": "sg-01234abcd1234abcd"
                }
            ],
            "SourceDestCheck": true,
            "StateReason": {
                "Code": "pending",
                "Message": "pending"
            },
            "VirtualizationType": "hvm",
            "CpuOptions": {
                "CoreCount": 1,
                "ThreadsPerCore": 1
            },
            "CapacityReservationSpecification": {
                "CapacityReservationPreference": "open"
            },
            "MetadataOptions": {
                "State": "pending",
                "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1,
                "HttpEndpoint": "enabled"
            },
            "EnclaveOptions": {
                "Enabled": false
            }
        }
    ],
    "OwnerId": "123456789012",
    "ReservationId": "r-0abcd1234abcd1234"
}
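Step 03 asks you to carry the source instance's configuration over to the run-instances call by hand. The script below is an added example, not Conformity's or AWS's code; it reads the describe-instances record from step 02, keeps the settings that should follow the workload (instance type, key pair, subnet, security groups, instance profile, user tags), swaps in the approved AMI, and refuses to proceed if the "approved" AMI is itself on the blocklist. The source record embedded here is constructed, trimmed to the fields used, with a Tags entry added that the page's sample output does not show; the approved AMI ID and blocklist are likewise constructed inputs.

```python
"""Build the replacement run-instances call from a source instance record (added example)."""
import json
import shlex
from typing import Dict, Iterable, List

# Constructed describe-instances record for the non-compliant source instance
# (the `Reservations[*].Instances[]` array), trimmed to the fields used here.
SOURCE_INSTANCE = json.dumps([{
    "ImageId": "ami-0abcd1234abcd1234",
    "InstanceId": "i-0abcdabcdabcdabcd",
    "InstanceType": "t2.micro",
    "KeyName": "conformity",
    "SubnetId": "subnet-abcd1234",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
        "Id": "ABCDABCDABCDABCDABCDA"
    },
    "SecurityGroups": [{"GroupName": "cc-prod-security-group", "GroupId": "sg-01234abcd1234abcd"}],
    "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "aws:autoscaling:groupName", "Value": "asg-1"}],
}])


def build_launch_spec(describe_json: str, approved_ami: str, blocklist: Iterable[str]) -> Dict:
    """Return the launch parameters for the replacement instance.

    Everything except the image is copied from the source record; the image is
    replaced by approved_ami, which must not itself be blocklisted.
    """
    if approved_ami in set(blocklist):
        raise ValueError(f"{approved_ami} is on the AMI blocklist; pick an approved image")
    inst = json.loads(describe_json)[0]
    spec: Dict = {
        "ImageId": approved_ami,
        "InstanceType": inst["InstanceType"],
        "SubnetId": inst["SubnetId"],
        "SecurityGroupIds": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
    }
    if "KeyName" in inst:
        spec["KeyName"] = inst["KeyName"]
    profile = inst.get("IamInstanceProfile")
    if profile:
        spec["IamInstanceProfile"] = {"Arn": profile["Arn"]}
    # Tags with the reserved "aws:" prefix are set by AWS services and cannot be
    # created by callers, so only user-defined tags are carried over.
    user_tags = [t for t in inst.get("Tags", []) if not t["Key"].startswith("aws:")]
    if user_tags:
        spec["TagSpecifications"] = [{"ResourceType": "instance", "Tags": user_tags}]
    return spec


def to_cli_command(spec: Dict, region: str) -> str:
    """Render the launch spec as a single shell-safe `aws ec2 run-instances` command line."""
    parts: List[str] = ["aws", "ec2", "run-instances", "--region", region, "--count", "1",
                        "--image-id", spec["ImageId"],
                        "--instance-type", spec["InstanceType"],
                        "--subnet-id", spec["SubnetId"]]
    if spec["SecurityGroupIds"]:
        parts += ["--security-group-ids", *spec["SecurityGroupIds"]]
    if "KeyName" in spec:
        parts += ["--key-name", spec["KeyName"]]
    if "IamInstanceProfile" in spec:
        parts += ["--iam-instance-profile", f"Arn={spec['IamInstanceProfile']['Arn']}"]
    if "TagSpecifications" in spec:
        # The AWS CLI accepts structured parameters as a JSON literal.
        parts += ["--tag-specifications", json.dumps(spec["TagSpecifications"])]
    return shlex.join(parts)


if __name__ == "__main__":
    launch = build_launch_spec(SOURCE_INSTANCE, "ami-01234abcd1234abcd", {"ami-0abcd1234abcd1234"})
    print(to_cli_command(launch, "us-east-1"))
```

Review the printed command before running it: anything the source record does not carry (user data, EBS volume sizes beyond the root device, placement groups) still has to be added by hand, and the replacement inherits the same subnet and security groups, so a mis-scoped group on the old instance is copied rather than fixed.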

05 Once the new EC2 instance is running, install and configure the necessary software to run your application, then transfer your application files from the source instance (i.e. the one launched from an unapproved AMI) to the new EC2 instance.

06 (Optional) After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source (non-compliant) instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following commands:

  1. Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source, non-compliant Amazon EC2 instance (the command does not produce an output):

    aws ec2 disassociate-address \
      --association-id eipassoc-0abcd1234abcd1234

  2. Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance:

    aws ec2 associate-address \
      --instance-id i-01234abcd1234abcd \
      --allocation-id eipalloc-0abcd1234abcd1234

  3. The command output should return the EIP association ID:

    {
        "AssociationId": "eipassoc-01234abcd1234abcd"
    }

07 (Optional) You can terminate the source EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) using the non-compliant instance ID as the identifier parameter:

aws ec2 terminate-instances \
  --instance-ids i-0abcdabcdabcdabcd

08 The output should return the terminate-instances command request metadata:

{
    "TerminatingInstances": [
        {
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "InstanceId": "i-0abcdabcdabcdabcd",
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

09 Repeat steps no. 1 – 8 for each Amazon EC2 instance that you want to re-create, available in the selected AWS cloud region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Sep 4, 2016