I'm currently looking to create a hardened Amazon Linux 2023 AMI for our extensive EC2 setup, which includes around 1800-2000 instances. I noticed that there's a CIS hardened version available in the Amazon marketplace, but it seems pretty pricy. Reflecting on my past experiences, particularly from the late 90s when we used OpenBSD, I'm considering a similar approach with Amazon Linux 2023 where I would install only the essential packages. However, I'm unsure about which packages I should remove. Have any of you gone through this process? What steps did you take to effectively harden your Amazon Linux 2023 instance? Any insights would be greatly appreciated!
4 Answers
Definitely utilize Packer for this! It streamlines the AMI creation process. You can also refer to the CIS benchmarks for Amazon Linux here: https://www.cisecurity.org/benchmark/amazon_linux.
You could create a custom AMI tailored to your requirements. Once you figure out what to uninstall, using tools like Ansible for cleanup and Packer to build your new AMI would work well.
Exactly! My plan is to do just that—remove unnecessary packages with Ansible and build the new image with Packer.
Have you considered using Bottlerocket instead? It’s designed for containerized applications and might better suit your needs.
Bottlerocket sounds interesting! I haven't looked into it before, but I’ll do some research now.
CIS provides detailed hardening guidelines for their benchmarks. You might want to check out their hardening routines, as they can be quite useful for your setup.
Thanks for the tip! I’ll definitely look for that.
Awesome, I’ll make sure to use Packer for the AMI creation. Just shared that link with someone else who was curious!
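As an added example (not code posted in this thread), here is a minimal Packer HCL template matching the plan above: it starts from the latest Amazon-published minimal Amazon Linux 2023 image and hands the instance to an Ansible playbook for package removal and CIS-style settings. The plugin versions, the `us-east-1` region, the tag values and the playbook path `ansible/harden-al2023.yml` are assumptions to adjust.

```hcl
# Added example: Packer template for a hardened AL2023 AMI (not from the thread).
# Assumes Packer >= 1.9 with Ansible installed on the build host, and a playbook
# at ansible/harden-al2023.yml that removes unneeded packages (assumed path).
packer {
  required_plugins {
    amazon  = { version = ">= 1.2.0", source = "github.com/hashicorp/amazon" }
    ansible = { version = ">= 1.1.0", source = "github.com/hashicorp/ansible" }
  }
}
source "amazon-ebs" "al2023" {
  region        = "us-east-1" # assumed build region
  instance_type = "t3.small"
  ssh_username  = "ec2-user"
  ami_name      = "al2023-hardened-{{timestamp}}"
  # Start from the latest Amazon-published *minimal* AL2023 image: fewer
  # packages to audit, and each rebuild inherits upstream patches.
  source_ami_filter {
    filters = {
      name                = "al2023-ami-minimal-2023*-x86_64"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    owners      = ["amazon"]
    most_recent = true
  }
  # Require IMDSv2 both on the build instance and on anything launched
  # from the resulting AMI.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  imds_support = "v2.0"
  tags = { Name = "al2023-hardened", Baseline = "CIS-AL2023" } # assumed values
}
build {
  sources = ["source.amazon-ebs.al2023"]
  # Patch before removal so the playbook sees the final package set.
  provisioner "shell" {
    inline = ["sudo dnf -y update"]
  }
  provisioner "ansible" {
    playbook_file = "./ansible/harden-al2023.yml"
    user          = "ec2-user"
    use_proxy     = false
  }
}
```

Run `packer init .` once to fetch the plugins, then `packer build .`; the resulting AMI ID is printed at the end and can be promoted through the fleet after the playbook's removals have been validated on a canary instance.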