AWS Blacklisted Amazon Machine Image

Risk level: Medium (should be achieved)

Ensure that all EC2 instances provisioned in your AWS account are launched from approved Amazon Machine Images (AMIs) only, and never from blacklisted AMIs, in order to enforce security at the application stack level. Before the Cloud Conformity engine can evaluate this rule, you need to compile the list of blacklisted AMI IDs in the rule settings available in the Cloud Conformity Console.

This rule resolution is part of the Cloud Conformity Security Package

Blacklisting unwanted or compromised AMIs within your AWS account allows you to keep known-bad images (and the software stacks baked into them) out of your application stack and forces the EC2 provisioning process to use only approved AMIs. Note that AMI IDs are region-specific: the same image copied to another region gets a different ID, so the blacklist must contain every regional ID of an image you want to block.
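The rule above detects instances that were already launched from a blacklisted image. As an added example (not code from the original page or from the Cloud Conformity rule), the following script turns the same blacklist into a preventive control: it generates an IAM policy document that denies ec2:RunInstances for every AMI on the list, so a launch from a blacklisted image is refused rather than flagged afterwards. ec2:ImageID is the EC2 condition key that carries the image ID of a RunInstances call; the blacklist entries, the policy name and the role name are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate (and optionally attach) an IAM policy that denies
# launches from blacklisted AMIs. Blacklist and policy name are placeholders.
set -eu

BLACKLIST="ami-6369aa03 ami-0abcdef1234567890"
POLICY_NAME="DenyBlacklistedAMIs"

# json_id_list "ami-a ami-b"  ->  "ami-a", "ami-b"
json_id_list() {
    out=""
    for ami in $1; do
        out="${out}${out:+, }\"$ami\""
    done
    printf '%s' "$out"
}

# deny_policy BLACKLIST: print the policy document. Image ARNs carry no
# account ID and the region is wildcarded, so the statement covers public,
# shared and account-owned AMIs in every region. An explicit Deny overrides
# any Allow the principal otherwise has for RunInstances.
deny_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "$POLICY_NAME",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/ami-*",
      "Condition": {
        "StringEquals": { "ec2:ImageID": [ $(json_id_list "$1") ] }
      }
    }
  ]
}
EOF
}

# create_and_attach ROLE: live path, needs the AWS CLI and IAM permissions.
# Attach the policy to every principal that may launch instances (or put the
# same statement in an Organizations SCP) to make the blacklist a hard guardrail.
create_and_attach() {
    doc=$(mktemp)
    deny_policy "$BLACKLIST" > "$doc"
    arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
              --policy-document "file://$doc" \
              --query 'Policy.Arn' --output text)
    rm -f "$doc"
    aws iam attach-role-policy --role-name "$1" --policy-arn "$arn"
}

# Without arguments the script only prints the document for review.
if [ "${1:-}" = "--live" ]; then
    create_and_attach "${2:?role name required}"
else
    deny_policy "$BLACKLIST"
fi
```

Review the printed document, then run the script with `--live <role-name>` to create the managed policy and attach it. Keep the policy's ID list in sync with the Blacklisted AMIs section of the rule, including every regional copy of each image.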

Audit

To determine if there are any EC2 instances launched from blacklisted Amazon Machine Images within your account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, click on the AMI ID parameter value to display the description box for the image used to launch the selected instance.

07 Inside the description box, identify the AMI ID shown next to the AMI name.

08 Now open your Cloud Conformity Console, select the AMIBlacklisted conformity rule and compare the AMI ID found at the previous step against each ID listed within the Blacklisted AMIs configuration section of the rule. If the instance image ID matches one of the blacklisted AMI IDs, the selected EC2 instance was launched from a blacklisted (unapproved or compromised) AMI and its software stack cannot be trusted.

09 Repeat steps no. 4 – 8 to verify the AMI validity of other EC2 instances available within the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with a custom query to list the IDs of all EC2 instances currently available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0fffbd020cea81a0d  |
|  i-043801b9c55f55f4e  |
|  ...                  |
|  i-0b9cdfa00d01f78cu  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) with a custom query and the ID of the instance that you want to examine as parameters to expose the ID of the image used to create the selected instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0fffbd020cea81a0d \
	--output table \
	--query 'Reservations[*].Instances[*].ImageId'

04 The command output should return a table with the requested AMI ID:

-------------------
|DescribeInstances|
+-----------------+
|  ami-6369aa03   |
+-----------------+

05 Sign in to your Cloud Conformity Console, select the AMIBlacklisted conformity rule and compare the AMI ID returned at the previous step against each ID listed within the Blacklisted AMIs section of the rule. If the instance image ID matches one of the blacklisted AMI IDs, the selected EC2 instance was provisioned from a blacklisted (unapproved or compromised) AMI and its software stack cannot be trusted.

06 Repeat steps no. 3 – 5 to verify the AMI validity of other EC2 instances available within the current region.

07 Change the AWS region and repeat the entire process for other regions.
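Repeating steps 3 to 5 by hand for every instance and every region does not scale. As an added example (not code from the original page), the script below performs the whole CLI audit in one pass: it pulls instance and image IDs for every enabled region with a single describe-instances query per region and matches them against the blacklist on whole IDs. The blacklist entries are constructed placeholders to be replaced with the IDs configured in the AMIBlacklisted rule; the sample region output used for the offline run is constructed from the page's sample instance IDs plus invented image IDs. The live path needs the AWS CLI with ec2:DescribeRegions and ec2:DescribeInstances permissions.

```shell
#!/bin/sh
# Added example: one-pass audit of all regions for instances launched from
# blacklisted AMIs. Blacklist values are placeholders.
set -eu

# AMI IDs are region-specific: list every regional copy of a blocked image.
BLACKLIST="ami-6369aa03 ami-0abcdef1234567890"

# flag_blacklisted BLACKLIST
# Reads "InstanceId<TAB>ImageId" lines on stdin (what `--output text` prints
# for the query in audit_region) and prints "InstanceId ImageId" for every
# instance whose image is blacklisted. IDs are matched whole, delimited by
# spaces, so ami-6369aa03 does not match a longer ID sharing its prefix.
flag_blacklisted() {
    blacklist=" $1 "
    tab=$(printf '\t')
    while IFS="$tab" read -r instance image; do
        [ -n "$instance" ] || continue
        case "$blacklist" in
            *" $image "*) printf '%s %s\n' "$instance" "$image" ;;
        esac
    done
    return 0
}

# audit_region REGION: live query for one region, output prefixed with the region.
audit_region() {
    aws ec2 describe-instances --region "$1" \
        --query 'Reservations[].Instances[].[InstanceId,ImageId]' \
        --output text |
        flag_blacklisted "$BLACKLIST" |
        sed "s/^/$1 /"
}

# audit_all_regions: iterate over every region enabled for the account.
audit_all_regions() {
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        audit_region "$region"
    done
}

# Constructed sample of one region's query output, so the matcher can be
# exercised without AWS access. The third image ID shares a prefix with a
# blacklisted one and must not be flagged.
sample_region_output() {
    printf 'i-0fffbd020cea81a0d\tami-6369aa03\n'
    printf 'i-043801b9c55f55f4e\tami-6869aa05\n'
    printf 'i-0b9cdfa00d01f78cu\tami-6369aa03f\n'
    printf 'i-0123456789abcdef0\tami-0abcdef1234567890\n'
}

demo() {
    sample_region_output | flag_blacklisted "$BLACKLIST"
}

# The live audit runs only when explicitly requested; otherwise the offline
# sample is checked, which is also what the accompanying test exercises.
if [ "${1:-}" = "--live" ]; then
    audit_all_regions
else
    demo
fi
```

Run it with `--live` to audit the account; any line printed is a "region instance image" triple that the AMIBlacklisted rule would report, and an empty output means no instance in any region was launched from a blacklisted image.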

Remediation / Resolution

To relaunch an EC2 instance that was built from a blacklisted Amazon Machine Image, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Click the Launch Instance button from the EC2 dashboard top menu and create your new base Linux instance. During the creation process you have the option to pass user data (shell scripts, cloud-init directives, etc.) or to use configuration management tools such as Chef or Puppet to install server software automatically after the EC2 instance starts.

05 Once the instance is running, install and configure the software needed to run your application, secure the OS and the software stack, and transfer your application from the existing instance, i.e. the one launched from a blacklisted AMI (see the Audit section to identify this instance by its AMI ID). Test the entire software stack to make sure that the EC2 instance qualifies as the source of a valid/approved image (AMI).

06 Now that the base instance is ready, create the AMI that will be used to replace the EC2 instance launched from the blacklisted image:

  1. Choose Instances from the navigation panel and select the instance created at the step no. 4.
  2. Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
  3. Inside Create Image dialog box, perform the following:
    • Enter a name for the new AMI in the Image Name box.
    • In the Image description box, provide a description of the software stack installed, the purpose of the image and the version.
    • Leave the No reboot option unchecked so that AWS shuts the instance down before snapshotting it and can guarantee the file system integrity of the new image.
  4. Click Create Image to submit the request. Click Close to return to the EC2 dashboard. The image build process may take a few minutes; once it completes, the AMI status changes from pending to available.

07 Use the new AMI to relaunch the existing instance by performing the following actions:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  3. On the Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 6.
  4. On the Choose an Instance Type page, select the same instance type used then click Next: Configure Instance Details button.
  5. On the Configure Instance Details page, configure the options available on the page based on your existing/running instance requirements. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, without changing any configuration.
  6. On the Configure Security Group page, choose Select an existing security group and select the existing instance's security group. Click the Review and Launch button, review your instance configuration details and click Launch.
  7. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the running EC2 instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  8. Click View Instances to return to the Instances page.

08 Once you have verified and tested the relaunched instance, transfer the Elastic IP (EIP) from the old EC2 instance (i.e. the one launched from a blacklisted AMI) to the new instance so that existing references to the address reach the new instance. If the old instance does not have an EIP attached you will have to update the domain DNS record(s) or any other application references to switch to the new instance's IP. To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under NETWORK & SECURITY section, select Elastic IPs.
  2. Select the EIP address attached to the old running instance, click the Actions dropdown button then select Disassociate Address.
  3. In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
  4. Select the same address, disassociated in the previous step, click the Actions dropdown button then select Associate Address.
  5. In the Associate Address dialog box, select the new EC2 instance created at step no. 6 from the Instance dropdown list and then click Associate to attach the EIP.

09 Now it’s safe to terminate the old EC2 instance in order to stop incurring charges for it. To shut down the instance, perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2 instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with a custom query to list the existing EC2 instance metadata. The metadata will be needed later, when this instance is recreated from a valid AMI:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0fffbd020cea81a0d \
	--query 'Reservations[0].Instances[0].[KeyName,InstanceType,SecurityGroups]'

The command output should return the running (existing) EC2 instance metadata requested:

[
    "MyEC2KeyPair",
    "m3.large",
    [
        {
            "GroupName": "MyEC2SecurityGroup",
            "GroupId": "sg-a942c5d0"
        }
    ]
]

02 Run run-instances command (OSX/Linux/UNIX) to launch your base Linux instance. The following command example provisions a new c4.large EC2 instance using the AMI with the ID ami-6869aa05 (Amazon Linux AMI 2016.03.3 base AMI) together with the key pair and security group of the existing EC2 instance returned at the previous step, within the US East region. Security group names are accepted only in the default VPC; in a non-default VPC pass --security-group-ids and --subnet-id instead:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-6869aa05 \
	--count 1 \
	--instance-type c4.large \
	--key-name MyEC2KeyPair \
	--security-groups MyEC2SecurityGroup

03 The command output should return the base EC2 instance metadata:

{
    "OwnerId": "123456789012",
    "ReservationId": "r-05587b8359ad06cu5",
    "Groups": [],
    "Instances": [
        {
            ...

            "EbsOptimized": false,
            "LaunchTime": "2016-09-03T15:41:23.000Z",
            "PrivateIpAddress": "172.31.12.25",
            "ProductCodes": [],
            "VpcId": "vpc-2fb56548",
            "StateTransitionReason": "",
            "InstanceId": "i-003b1c5834a73e5ae",
            "ImageId": "ami-6869aa05",

            ...
        }
    ]
}

04 Once the new EC2 instance is running, log in over SSH using the existing key pair (on Amazon Linux the login user is ec2-user with sudo for root privileges; direct root login is disabled) and install the necessary software to run your application, secure the OS and the software stack, then transfer your application from the existing instance, i.e. the one launched from a blacklisted AMI, to the newly created instance. Test the entire software stack to make sure that the new EC2 instance qualifies as the source of a valid image (AMI).

05 Run create-image command (OSX/Linux/UNIX) to create the approved AMI from the base instance created at step no. 3. Keep the default reboot behaviour (pass --reboot, or simply omit --no-reboot) so that the instance is shut down before its root volume is snapshotted and the file system integrity of the new image is guaranteed; --no-reboot would snapshot a running file system and cannot guarantee consistency:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-003b1c5834a73e5ae \
	--name "Valid/Approved Production Image" \
	--description "Web App Stack Production AMI ver. 1.9" \
	--reboot

06 The command output should return the new Amazon Machine Image ID:

{
    "ImageId": "ami-e91fe5du"
}

07 Run run-instances command (OSX/Linux/UNIX) again to launch the instance that will replace the compromised one, using the image created at step no. 6. The following command example creates an EC2 instance using the AMI with the ID ami-e91fe5du and the rest of the old running EC2 instance configuration attributes:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-e91fe5du \
	--count 1 \
	--instance-type c4.large \
	--key-name MyEC2KeyPair \
	--security-groups MyEC2SecurityGroup

08 The command output should return the new EC2 instance metadata:

{
    "OwnerId": "123456789012",
    "ReservationId": "r-03ef4a3ce591f5bc0",
    "Groups": [],
    "Instances": [
        {
            ...

            "EbsOptimized": false,
            "LaunchTime": "2016-09-03T16:05:21.000Z",
            "PrivateIpAddress": "172.31.52.76",
            "ProductCodes": [],
            "VpcId": "vpc-2fb56548",
            "StateTransitionReason": "",
            "InstanceId": "i-003b1c5834a0ca75e",
            "ImageId": "ami-e91fe5du",

            ...
        }
    ]
}

09 Now transfer the Elastic IP from the old EC2 instance to the new instance so that existing references to the address reach the new instance. To transfer the Elastic IP, perform the following commands:

  1. Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the old EC2 instance:
    aws ec2 disassociate-address \
    	--association-id eipassoc-70df08fcu
    
  2. Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance:
    aws ec2 associate-address \
    	--instance-id i-003b1c5834a0ca75e \
    	--allocation-id eipalloc-70df08fcu
    

10 Once you have verified that your new EC2 instance works correctly, terminate the old instance to stop incurring charges for it. To terminate the old EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances \
	--instance-ids i-0fffbd020cea81a0d

11 The command output should return the shutdown request information:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-0fffbd020cea81a0d",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}
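As an added example (not code from the original page), the relaunch and cut-over tail of the CLI procedure above (steps 07 to 11) as one script: it reads the old instance's launch attributes, launches the replacement from the approved AMI, waits for it to run, moves the Elastic IP and terminates the old instance. Unlike the manual steps it also carries over the subnet and uses security group IDs rather than names, so it works in a non-default VPC, and it handles an old instance with no key pair or no Elastic IP. Instance and image IDs are the page's sample values; the subnet and the second group ID in the offline sample are constructed. The live paths need the AWS CLI and EC2 permissions.

```shell
#!/bin/sh
# Added example: relaunch from the approved AMI and cut over. IDs below are
# the page's sample values; the offline sample data is constructed.
set -eu

REGION="us-east-1"
OLD_INSTANCE="i-0fffbd020cea81a0d"
APPROVED_AMI="ami-e91fe5du"   # the image created from the hardened base instance

# old_attributes: one line "InstanceType<TAB>KeyName<TAB>SubnetId<TAB>sg1,sg2".
old_attributes() {
    aws ec2 describe-instances --region "$REGION" --instance-ids "$OLD_INSTANCE" \
        --query 'Reservations[0].Instances[0].[InstanceType,KeyName,SubnetId,join(`,`,SecurityGroups[].GroupId)]' \
        --output text
}

# run_args: turn that line (read from stdin) into run-instances arguments.
# describe-instances prints None when the instance has no key pair; that case
# is skipped instead of being passed through as a bogus --key-name.
run_args() {
    tab=$(printf '\t')
    IFS="$tab" read -r itype key subnet sgs
    args="--instance-type $itype --subnet-id $subnet --security-group-ids $(printf '%s' "$sgs" | tr ',' ' ')"
    [ "$key" = "None" ] || args="$args --key-name $key"
    printf '%s\n' "$args"
}

# launch_replacement: launch from the approved AMI, wait until running, print the new ID.
launch_replacement() {
    args=$(old_attributes | run_args)
    # $args is deliberately unquoted: it is a list of separate arguments.
    new=$(aws ec2 run-instances --region "$REGION" --image-id "$APPROVED_AMI" --count 1 $args \
          --query 'Instances[0].InstanceId' --output text)
    aws ec2 wait instance-running --region "$REGION" --instance-ids "$new"
    printf '%s\n' "$new"
}

# move_eip NEW_ID: re-point the old instance's Elastic IP, if it has one.
move_eip() {
    alloc=$(aws ec2 describe-addresses --region "$REGION" \
        --filters "Name=instance-id,Values=$OLD_INSTANCE" \
        --query 'Addresses[0].AllocationId' --output text)
    if [ -z "$alloc" ] || [ "$alloc" = "None" ]; then
        echo "$OLD_INSTANCE has no Elastic IP; update DNS or other references to the new address" >&2
        return 0
    fi
    assoc=$(aws ec2 describe-addresses --region "$REGION" --allocation-ids "$alloc" \
        --query 'Addresses[0].AssociationId' --output text)
    aws ec2 disassociate-address --region "$REGION" --association-id "$assoc"
    aws ec2 associate-address --region "$REGION" --instance-id "$1" --allocation-id "$alloc"
}

# Constructed sample of old_attributes output, so the argument builder can be
# exercised without AWS access.
sample_attributes() {
    printf 'm3.large\tMyEC2KeyPair\tsubnet-0a1b2c3d\tsg-a942c5d0,sg-0f1e2d3c\n'
}

demo() { sample_attributes | run_args; }

case "${1:-}" in
    --launch)  launch_replacement ;;
    --cutover) # only after the replacement has been verified
               move_eip "${2:?new instance id required}"
               aws ec2 terminate-instances --region "$REGION" --instance-ids "$OLD_INSTANCE" ;;
    *)         demo ;;
esac
```

Run `--launch` first, test the application on the printed instance ID, and only then run `--cutover <new-id>`; the two steps are separate on purpose so the old instance is never terminated before the replacement has been verified.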

Publication date Sep 4, 2016