Leveraging EC2 Image Builder Pipelines for Infrastructure Security and Modernization at Scale
Our customer in the cloud communications industry runs their incredibly robust and secure platform on AWS. As a global customer engagement platform that services over 250,000 customers, having a highly secure foundation is critical to the organization’s success. The client was facing the challenge of building highly secured Amazon Machine Images (AMIs) based on the latest Amazon Linux image. They needed an automated image building process that hardens the base image according to the CIS Level 1 Benchmark.
Beyond the image building playbooks, the client was also in need of a pipeline that could seamlessly be adopted into the existing infrastructure.
Protagona first planned a discovery session with the client’s engineering team to determine their current image building process. We determined that while they did have a base AMI build pipeline, they were using Amazon Linux 1 and they were not securing the images based on the CIS benchmark.
We began building out the solution by creating a secure image based on the newest Amazon Linux 2022 AMI. Using Ansible playbooks, we were able to apply hardening rules to the image automatically. The rules were created based on the CIS Level 1 benchmark sections.
After the playbooks were finished, our team focused on automating the image building process using AWS Image Builder and Systems Manager Automations, and on scanning the resulting AMIs using AWS Inspector. All infrastructure was built in Terraform and packaged as easy-to-adopt modules for the client engineering team.
AWS EC2 Image Builder
AWS Systems Manager
Business – The client can now assure their customers that the platform meets the CIS Level 1 security benchmark. Using the newest Amazon Linux AMI also extends the Amazon support that is available to the client. The client gets the predictability and stability of a Long Term Support (LTS) release, but without compromising access to the latest versions of popular software packages.
Continuous Development – Now that the client has an automated build pipeline that scans their images and compares them to the benchmark, they can easily create new AMIs when Amazon releases package updates.