Quick Start Guide: CIS Hardening Components for EC2 Image Builder

Requirements

  • AWS Account

  • Working Knowledge of EC2 Image Builder

  • Existing subscription, or ability to subscribe, to a CIS Hardened Image for Amazon Linux 2 Level 1, Red Hat Enterprise Linux 7 Level 1, Microsoft Windows Server 2019 Level 1, and/or Microsoft Windows Server 2022 Level 1.

Implementation Steps

1

To begin, open EC2 Image Builder in the AWS console and click on Image recipes, then Create image recipe.


2

Name your recipe and assign it a version number. This version number will be incremented if you need to modify the recipe at a later date.

3

For Base Image choose Marketplace images. You will see any subscribed CIS Hardened Images in the Subscriptions section. Choose your subscribed AMI if applicable.

4

If you do not see any Subscribed AMIs then you will need to subscribe to a CIS Hardened Image to use the associated CIS hardening components in the EC2 Image Builder pipeline.

In this case, select AWS Marketplace and browse through the available AMIs.

5

Select the CIS Hardened Image you wish to use with the EC2 Image Builder pipeline, then choose Go to Marketplace.


6

Select Continue to Subscribe in the Marketplace.

7

Accept the Terms and Conditions.

8

Once subscribed, return to EC2 Image Builder and the subscribed AMI should be available for use in the pipeline under Subscriptions in the Base Image section of the Image recipe. Select the AMI you wish to add to the recipe. You will see an Associated component listed with the image if it has a CIS hardening component available. Only AMIs tested with EC2 Image Builder will have an associated component.

Note: AWS automatically uses the latest version of the AMI when the build pipeline is run. You do not have to manually update the Image recipe to update the AMI version.

9

Add any Build components you wish to use with the AMI. Make sure you select the Third party managed component associated with the AMI you selected. This component must be sequenced last among the Build components you select, to ensure the CIS hardening is not affected by other Build components in the Image recipe.

Note: custom components may be removed or modified by the hardening component.

10

Finish adding Test components, any final information, or tags to the Image recipe; then click Create recipe to utilize the recipe in a pipeline at a later time, or click Create pipeline for this recipe to define a pipeline immediately.

Any issues with this functionality should be directed to AWS Support.
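
Added example (not part of the original CIS guide or AWS tooling): a check, run before a pipeline is created, that the hardening component is the last Build component in a recipe, as step 9 requires. It reads a recipe export shaped like the output of `aws imagebuilder get-image-recipe`; the sample recipe, the component name example-cis-hardening and the owner values are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws imagebuilder get-image-recipe` output.
# Owners, names and versions are placeholders, not real CIS or AWS values.
SAMPLE_RECIPE = json.loads("""
{"imageRecipe": {"name": "example-recipe", "version": "1.0.0", "components": [
  {"componentArn": "arn:aws:imagebuilder:us-east-1:aws:component/update-linux/x.x.x"},
  {"componentArn": "arn:aws:imagebuilder:us-east-1:111122223333:component/install-agent/1.0.0/1"},
  {"componentArn": "arn:aws:imagebuilder:us-east-1:EXAMPLE-OWNER:component/example-cis-hardening/1.0.0/1"},
  {"componentArn": "arn:aws:imagebuilder:us-east-1:aws:component/reboot-test-linux/x.x.x"}
]}}
""")


def component_name(arn):
    """Extract <name> from arn:...:component/<name>/<version>[/<build>]."""
    fields = arn.split(":", 5)
    parts = fields[5].split("/") if len(fields) == 6 else []
    if len(parts) < 3 or parts[0] != "component":
        raise ValueError(f"not a component ARN: {arn}")
    return parts[1]


def check_hardening_last(recipe, hardening_name, test_only=()):
    """Return findings; an empty list means hardening is the last build step.

    test_only: names of Test components to skip (assumption: the export
    lists Build and Test components together, in recipe order).
    """
    names = [component_name(c["componentArn"])
             for c in recipe["imageRecipe"].get("components", [])]
    build = [n for n in names if n not in test_only]
    hits = [i for i, n in enumerate(build) if n == hardening_name]
    if not hits:
        return [f"'{hardening_name}' is not in the recipe"]
    findings = []
    if len(hits) > 1:
        findings.append(f"'{hardening_name}' is listed {len(hits)} times")
    later = build[hits[-1] + 1:]
    if later:
        findings.append("build components sequenced after hardening: " + ", ".join(later))
    return findings


if __name__ == "__main__":
    problems = check_hardening_last(SAMPLE_RECIPE, "example-cis-hardening",
                                    test_only={"reboot-test-linux"})
    print("OK: hardening is sequenced last" if not problems else "\n".join(problems))
```

Replace the placeholder name with the name of the Associated component shown for your subscribed AMI, and list your Test components in test_only.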

Troubleshooting Steps

Please refer to the official AWS EC2 Image Builder Documentation.

Copyright © 2023 Center for Internet Security®