Check for AWS AMI Age

Categories: Reliability, Security

Risk level: Low (generally tolerable level of risk)

Ensure that your existing AWS Amazon Machine Images (AMIs) are not older than 180 days in order to ensure their reliability and to meet security and compliance requirements.

Using up-to-date AMIs to launch your EC2 instances brings major benefits to your AWS application stack, keeping your EC2 deployments secure and reliable. You can go even further and automate the process of updating old AMIs with AWS Systems Manager or open source tools like Packer and Netflix Aminator. Note: The default value set for the maximum AMI age is 180 days; however, you can change the default threshold for this rule using the Cloud Conformity console and set your own value for the AMI age based on your needs.

Audit

To determine if you have any outdated (> 180 days) AMIs available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to examine.

05 Select the Details tab from the dashboard bottom panel to access the resource configuration details.

06 In the left column, check the Creation date parameter value to determine the image age. If the age of the selected Amazon Machine Image is greater than 180 days, the AMI is considered outdated and it must be updated.

07 Repeat steps no. 4 – 6 to verify the provision date for other AMIs available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom filtering to list the IDs of all Amazon Machine Images (AMIs) currently available in the selected AWS region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return the IDs of the requested AMIs:

------------------
| DescribeImages |
+----------------+
|  ami-abcd1234  |
|  ami-1234abcd  |
|  ami-aabbccdd  |
+----------------+

03 Run describe-images command (OSX/Linux/UNIX) using the image ID returned at the previous step as identifier and custom query filters to expose the creation date for the selected AMI:

aws ec2 describe-images \
	--region us-east-1 \
	--image-ids ami-abcd1234 \
	--query 'Images[*].CreationDate'

04 The command output should return the creation date of the selected AMI in ISO 8601 format (UTC):

[
    "2018-07-19T18:42:49.000Z"
]

Based on the output returned by the describe-images command, if the selected AWS AMI was provisioned more than 180 days ago, it is considered outdated and needs to be updated.

05 Repeat step no. 3 and 4 to verify the creation date for other AMIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
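The same 180-day check can be applied to a whole region's describe-images output at once instead of one image ID at a time. The following Python script is an added example (it is not part of the original page or of the Cloud Conformity product); the sample JSON and the "today" date are constructed, and audit_region() assumes the aws CLI is installed and has credentials for the account.

```python
"""Flag AMIs older than the rule threshold from `aws ec2 describe-images` output."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 180  # the rule's default threshold

# Constructed sample of `aws ec2 describe-images --owners self --output json`
# (only the fields this check needs; image IDs and dates are made up).
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-abcd1234", "Name": "web-v1", "CreationDate": "2018-07-19T18:42:49.000Z"},
    {"ImageId": "ami-1234abcd", "Name": "web-v2", "CreationDate": "2019-01-10T09:00:00.000Z"},
    {"ImageId": "ami-aabbccdd", "Name": "web-v3", "CreationDate": "2019-01-15T12:30:00.000Z"},
]})
SAMPLE_NOW = datetime(2019, 1, 20, tzinfo=timezone.utc)  # constructed "today"


def parse_creation_date(value: str) -> datetime:
    """CreationDate uses a literal 'Z' and a millisecond fraction
    (e.g. 2018-07-19T18:42:49.000Z), which older fromisoformat() rejects,
    so parse it explicitly and mark it as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def outdated_amis(describe_images_json: str, now: datetime, max_age_days: int = MAX_AGE_DAYS):
    """Return [(ImageId, age_in_days)] for every image older than max_age_days."""
    images = json.loads(describe_images_json).get("Images", [])
    limit = timedelta(days=max_age_days)
    result = []
    for img in images:
        age = now - parse_creation_date(img["CreationDate"])
        if age > limit:
            result.append((img["ImageId"], age.days))
    return result


def audit_region(region: str, now: datetime = None):
    """Run the real CLI for one region (needs aws CLI + credentials) and apply the check."""
    out = subprocess.run(
        ["aws", "ec2", "describe-images", "--region", region, "--owners", "self", "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return outdated_amis(out, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    for image_id, days in outdated_amis(SAMPLE_DESCRIBE_IMAGES, SAMPLE_NOW):
        print(f"{image_id}: {days} days old (> {MAX_AGE_DAYS} days, must be updated)")
```

Loop audit_region() over the output of `aws ec2 describe-regions` to cover step 06 for every region in one run.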

Remediation / Resolution

To re-create each outdated AWS AMI with an up-to-date software stack, perform the following:

Note: As an example, this conformity rule demonstrates how to update an outdated AWS Linux AMI.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the old image that you want to recreate (see Audit section part I to identify the right EC2 resource).

05 Click the Launch button from the EC2 dashboard top menu to initiate the launch process using the selected AMI.

06 On Choose an Instance Type page, select the appropriate EC2 instance type, then click Next: Configure Instance Details button.

07 On Configure Instance Details page, configure any options available, based on your application requirements. Click Next: Add Storage and go through the next pages until you reach the Review and Launch page, without changing any configuration settings.

08 On Review Instance Launch page, review your EC2 instance configuration details, then click Launch.

09 In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the key pair associated with the AMI that you want to recreate. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.

10 Click View Instances to return to the Instances page.

11 Once the instance is running, update the OS and the rest of the software stack (including application stack) to its latest version.

12 Now that the instance is ready, it’s time to create the new (updated) AMI. Choose Instances from the navigation panel and select the newly created EC2 instance.

13 Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.

14 Inside Create Image dialog box, perform the following:

  1. Enter a name for the new AMI in the Image Name box.
  2. In the Image description box, provide a description of the software stack installed, the purpose of the image and the version.
  3. Leave No reboot option unchecked so the AWS can guarantee the file system integrity for the new image.
  4. If required, update the image volume size and/or type inside the Instance Volumes section.

15 Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The image creation process may take a few minutes. Once the process is complete, the AMI status should change from pending to available. The description defined for the new AMI should contain the image version, which is necessary for resource management.

16 (Optional) If the new AMI is not encrypted, follow the steps outlined within this conformity rule to enable data-at-rest encryption for the newly created image.

17 Repeat steps no. 4 – 16 to re-create and update other outdated AWS AMIs available within the current region.

18 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Run run-instances command (OSX/Linux/UNIX) to launch the necessary EC2 instance using the outdated AMI that you want to re-create (see Audit section part II to identify the image). The following command example launches a new EC2 instance using an old AMI, identified by the ID ami-abcd1234 (Amazon Linux AMI), within the US East AWS region:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-abcd1234 \
	--count 1 \
	--instance-type t2.large \
	--key-name cc-ssh-key-pair \
	--security-groups cc-web-stack-sg

02 The command output should return the new EC2 instance configuration metadata:

{
    "OwnerId": "123456789012",
    "ReservationId": "r-06917b8359ad96cd0",
    "Groups": [],
    "Instances": [
        {
            ...
            "EbsOptimized": false,
            "LaunchTime": "2018-07-19T20:55:12.000Z",
            "PrivateIpAddress": "172.33.22.95",
            "ProductCodes": [],
            "VpcId": "vpc-12345678",
            "StateTransitionReason": "",
            "InstanceId": "i-00d31c5834a73eb46",
            "ImageId": "ami-abcd1234",
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            "AmiLaunchIndex": 0
            ...
        }
    ]
}

03 Once the instance is running, update the OS and the software stack installed to its latest version.

04 Now that the software stack is up-to-date, it’s time to create the new AMI. Run create-image command (OSX/Linux/UNIX) to create the updated AMI from the EBS-backed instance created earlier. Do not pass the --no-reboot command parameter: with the default --reboot behaviour AWS shuts the instance down before snapshotting its volumes, which is what guarantees the file system integrity of the new AMI (the CLI equivalent of leaving No reboot unchecked in the console):

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-00d31c5834a73eb46 \
	--name "cc-web-stack-image" \
	--description "Production Web Stack AMI ver. 1.2" \
	--reboot

05 The command output should return the new Amazon Machine Image (AMI) ID:

{
    "ImageId": "ami-abcdabcd"
}

06 (Optional) If the new AMI is not encrypted, follow the steps outlined within this conformity rule to enable data-at-rest encryption for the newly created image.

07 Repeat steps no. 1 – 5 to re-create and update other outdated AWS AMIs available within the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

Publication date Aug 6, 2018