Construction of a continuous pipeline for golden image generation
Image Generation Pipeline
Build a pipeline that generates your “golden images” (the base images from which you deploy your applications):
- Start from the latest OS version, with all patches applied.
- Apply configuration hardening according to your organizational policies.
- Pre-install all the required agents, such as anti-malware, file integrity monitoring tools, and especially the AWS Systems Manager Agent (SSM Agent).
Note: Many AWS-managed images, such as Amazon Linux and Windows versions, already have the SSM Agent pre-installed.
You can leverage AWS Config (rules: approved-amis-by-tag, approved-amis-by-id) to verify that only approved AMIs (the ones generated by the pipeline) are used.
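As an added example (not code from the original page or from AWS), the following Python approximates the approved-amis-by-id / approved-amis-by-tag evaluation offline, so the compliance logic can be exercised against constructed sample data; the "GoldenImage=true" tag and all AMI and instance IDs are assumed, constructed values.

```python
"""Offline check of EC2 instances against an approved-AMI policy (added example,
not from the original page). Approximates the AWS Config managed rules
approved-amis-by-id and approved-amis-by-tag on constructed data shaped like
describe-instances / describe-images output."""
from dataclasses import dataclass

# Constructed sample AMIs. "GoldenImage=true" is an assumed tag the pipeline
# stamps on its outputs, not an AWS convention.
SAMPLE_IMAGES = {
    "ami-0golden00000000001": {"Tags": {"GoldenImage": "true", "Pipeline": "base-linux"}},
    "ami-0golden00000000002": {"Tags": {"GoldenImage": "true", "Pipeline": "base-windows"}},
    "ami-0adhoc000000000003": {"Tags": {"Name": "dev-snapshot"}},
}

# Constructed sample instances (flattened describe-instances fields).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-0golden00000000001", "State": "running"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-0adhoc000000000003", "State": "running"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-0gone00000000000009", "State": "running"},
    {"InstanceId": "i-0ddd", "ImageId": "ami-0adhoc000000000003", "State": "terminated"},
]

@dataclass(frozen=True)
class Finding:
    instance_id: str
    image_id: str
    reason: str

def evaluate_approved_amis(instances, images, approved_ids=frozenset(), required_tags=None):
    """Return one Finding per non-compliant, non-terminated instance.
    Compliant: AMI is in approved_ids (by-id) or carries every key/value in
    required_tags (by-tag). An AMI that can no longer be described
    (deregistered or foreign account) cannot be proven approved by tag, so it
    is reported unless allow-listed by id."""
    required_tags = required_tags or {}
    findings = []
    for inst in instances:
        if inst["State"] == "terminated" or inst["ImageId"] in approved_ids:
            continue
        image = images.get(inst["ImageId"])
        if image is None:
            findings.append(Finding(inst["InstanceId"], inst["ImageId"], "AMI not describable"))
            continue
        tags = image.get("Tags", {})
        if required_tags and all(tags.get(k) == v for k, v in required_tags.items()):
            continue
        findings.append(Finding(inst["InstanceId"], inst["ImageId"], "AMI not approved by id or tag"))
    return findings
```

In a real account the two sample dictionaries would be populated from describe-images and describe-instances; the evaluation itself does not change.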
EC2 Image Builder
3rd party alternatives
There are multiple ways to construct your base images with open source and third-party solutions, such as HCP Packer and Chef.
Risk Mitigation
- Lack of a golden image pipeline often creates inconsistency in OS configuration hardening, and vulnerabilities related to the use of unpatched OS and middleware, which may allow an adversary to exploit public-facing applications for initial access.
Guidance for assessments
- Have you implemented any golden image pipeline?
- Is it widely used in your organization?
- Are you verifying that
Pricing
The service is free (you only pay for the resources/images generated by the solution)