Hopefully, you’ve been working with the Center for Internet Security (CIS) on securing your cloud infrastructure for a while now. Initially, you might have used our CIS Benchmarks and other free resources to manually configure your operating systems in the public cloud. Now, you might be using the CIS Hardened Images, virtual machine (VM) images that are pre-hardened to the CIS Benchmarks recommendations. They are both designed to help you avoid misconfigurations and stay secure against common cloud security threats.
We’re now making cloud security automation easier for you by releasing CIS hardening components in EC2 Image Builder on Amazon Web Services (AWS).
Automation as a pain point
Our CIS hardening components help give you more options for building a golden image, especially when you need to automate your image creation process. It can be time-consuming to spin up a VM and manually add your custom service/app, but it’s even harder if you have dozens of different components or configuration templates you want to use. That’s time and money for manual configurations you don’t have.
The CIS hardening components help you overcome this obstacle by integrating into EC2 Image Builder, an AWS service for building golden images. The components consist of Bash shell scripts for Linux and Group Policy Objects (GPOs) for Windows. Either format frees you from needing to manually develop a golden image for your desired operating system (OS).
Let’s take a look at the image creation process of EC2 Image Builder to understand how.
1. You begin with an OS base image to start your image customization. In the case of our CIS hardening component, you’re starting with a CIS Hardened Image from the AWS Marketplace.
2. Either with the EC2 Image Builder Console, CLI, API, Cloud Formation, or CDK, along with the console, you use your subscribed CIS Hardened Image in EC2 Image Builder and customize that image to your organizational needs. That could be adding applications like build environments, business productivity tools, and databases.
3. Execute the CIS hardening component in Ec2 Image Builder to secure your image to the CIS Benchmark Level 1 profile for that operating system.
4. Once you have the configurations you need for your golden image, you can go through the test phase in EC2 Image Builder to make sure the output image meets your criteria.
5. A successful test phase means you can begin using the golden image across your organization.
From a resources perspective, the main benefit of the CIS hardening components is that they let you buy and not build. By “buy,” we mean automatically configuring what you want. EC2 Image Builder works by adjusting your image to your desired criteria in an automated way. As a result, you can build a golden image more efficiently and with fewer errors while saving time and money.
Rollout of the CIS hardening components
We’re planning to roll out the CIS hardening component for EC2 Image Builder in two phases.
Phase 1 = General availability
As Phase 1, you’re now able to start with a CIS Hardened Image in EC2 Image Builder’s pipeline to get access to the CIS hardening component for your preferred operating system. The components are available for the following CIS Hardened Images in AWS:
- Amazon Linux 2 Level 1
- Microsoft Windows Server 2019 Level 1
- Microsoft Windows Server 2022 Level 1
- Red Hat Enterprise Linux 7 Level 1
Say you want to use the CIS hardening component for Amazon Linux 2 Level 1, as an example. You can subscribe to the CIS Hardened Image for Amazon Linux 2 Level 1 from the AWS Marketplace and use that as your base image in the pipeline. By using that Hardened Image, you gain access to the CIS hardening component and its use in EC2 Image Builder.
A few things to note. Initially, you don’t have the ability to customize specific settings within the CIS Benchmark content. You need to apply all of them or none of them during this phase. Once the image pipeline has created your golden image and you have manually configured any necessary settings or failures, CIS SecureSuite Members can use CIS-CAT Pro to scan the output image. It’s also possible to validate that the component worked correctly by using existing licenses for certified tools of CIS SecureSuite Product Vendor Members.
In terms of pricing, you’ll receive access to both the CIS Hardened Image and the associated CIS hardening component for the cost of the CIS Hardened Image on AWS, which is two cents per compute hour. Use of the Hardened Image grants you access to the CIS hardening component. There’s no separate pricing for the component itself.
Phase 2 = Additional functionality
We’re still defining the features of the next release and want to include changes that specifically address user feedback. So, subscribe to our CIS Hardened Images on the AWS Marketplace and reach out to us from the support section for feedback on the CIS hardening component. Alternatively, you can raise feature requests directly to EC2 Image Builder on AWS.
Integration: A key for security in the cloud
Are you looking for more automation to apply CIS best practices to your workloads in AWS? If so, you can use our CIS hardening components. With EC2 Image Builder, you can also leverage the broader AWS ecosystem for your cloud operations. It’s our effort to offer more features tailored for cloud services and to make it easier for you to uphold your cloud security.
We have more customization and functionality planned for Phase 2. For now, we encourage you to begin using our CIS hardening components and tell us what you think so that we can make it even better going forward.
Try out the CIS components today