ami_bakery_org

AMI Bakery Organization

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Table of Contents

• Table of Contents
• Introduction
• Deployed Resource Details
• Implementation Instructions
• Customization Instructions
• Deletion Instructions
• References

---

Introduction

The AMI Bakery Organization solution will automate creation of standardized and hardened Amazon Machine Operating Images with configurations and services that comply with security standards set by the Government and industry security standards/benchmarks such as and the Security Technical Implementation Guide (STIG) and the Center of Internet Security (CIS).

The solution also provides an easy way to deploy security services such as Amazon Inspector, Amazon Macie, and Amazon GuardDuty that track and report potential vulnerabilities found within the environment. Additionally, the solution, once created, reduces the need to re-create new images when customers move from one multi-account to another as it can be shared and re-used.

Key solution features:

• Amazon Linux 2023 STIG hardened image
• Ubuntu Pro CIS Level 1 hardened image
• Microsoft Windows Server 2022 Base STIG hardened image
• Windows CIS Level 1 - Work on progress

---

Deployed Resource Details

1.0 Organization Management Account

1.1 AWS CloudFormation

• All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
• The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
• For parameter details, review the AWS CloudFormation templates.

1.2 Lambda Role

• The Organizaton Management Lambda Role is used by the Lambda function to assume a role in the target region.

1.3 DLQ

• SQS dead letter queue used for retaining any failed Lambda events.

1.4 Alarm Topic

• SNS Topic used to notify subscribers when messages hit the DLQ.

1.5 Lambda Function

• The Lambda function assumes a role in the Image Bakery Account and deploys resources to create Amazon Machine Images (AMIs). These resources include a Code Commit Repository to store CloudFormation Templates for creating AMIs, a Code Pipeline to deploy EC2 Image Builder to create AMIs, and other supporting resources such as an S3 Bucket and IAM Roles. The Lambda function also uploads an initial CloudFormation template to the Code Commit Repository.

1.6 CloudWatch Log Group

• All the AWS Lambda Function logs are sent to a CloudWatch Log Group </aws/lambda/<LambdaFunctionName> to help with debugging and traceability of the actions performed.
• By default the AWS Lambda Function will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
• Parameters are provided for changing the default log group retention and encryption KMS key.

2.0 Image Bakery Account

2.1-2.3 Lambda Roles

• The Configuration Role is assumed by the Lambda function and used to create resources in the Image Bakery Account such as the Code Commit Repository, Code Pipeline, and S3 Bucket.
• The Code Pipeline Role is assumed by te Code Pipeline and used to create resources in the Image Bakery Account such as the EC2 Image Builder.
• The Cloud Formation Role is assumed by EC2 Image Builder and used to create Amazon Machine Images (AMIs) in the Image Bakery Account.

2.4 S3 bucket

• Amazon S3 Bucket for storing Code Commit artifacts.

2.5 Code Commit Repository

• A Code Commit Repository to store CloudFormation Templates that define EC2 Image Builder, Recipes, Components, etc.

2.6 CloudFormation

• AWS CloudFormation Templates describe the EC2 Image Builder, Recipes, Components, etc. used to build Amazon Machine Images (AMIs).

2.7 CodePipeline

• AWS CodePipeline monitors the CodeCommit Repository for changes to the CloudFormation Templates. When the Repository is updated, CodePipeline automatically updates EC2 Image builder.

2.8 EC2 Image Builder Pipeline

• EC2 ImageBuilder builds new Amazon Machine Images (AMIs) based on the CloudFormation Templates in the CodeCommit Repository.

2.9 Amazon Machine Images

• Amazon Machine Images (AMIs) are built by EC2 Image Builder. Then can then be used to launch EC2 Instances.

---

Implementation Instructions

Prerequisites

1. Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
2. Verify that the SRA Prerequisites Solution has been deployed.

Solution Deployment

Choose a Deployment Method:

• AWS CloudFormation
• Customizations for AWS Control Tower

AWS CloudFormation

In the management account (home region), launch the sra-ami-bakery-org-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

aws cloudformation deploy --template-file $HOME/aws-security-reference-architecture-examples/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/templates/sra-ami-bakery-org-main-ssm.yaml --stack-name sra-ami-bakery-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAMIBakeryAccountId=<YOUR_ACCOUNT_ID> pAMIBakeryRegion=<YOUR_REGION> pAMIBakeryFileName=<SOLUTION_FILE_NAME.YAML>

Note: Below are available Cloudformation solution file templates, you can change the file names to meet your needs.

1. sra-ami-bakery-org-amazon-linux-stig-hardened.yaml
2. sra-ami-bakery-org-ubuntu-pro-20-04-cis-level-1-hardened.yaml
3. sra-ami-bakery-org-windows-server-2022-stig-hardened.yaml

Verify Solution Deployment

1. Log into the EC2 ImageBuilder console.
2. Navigate to the Image pipelines tab on the top left pane. It will display sra-ami-bakery-org-image-type-pipeline under the pipeline name column with Pipeline status set to Green. Note:
i. You can manually create the image by running the pipeline with the following steps: Click on Pipeline -> Actions dropdown -> Run pipeline OR 2. Leave the Pipeline to automatically create it for you daily at midnight (UTC).
3. Verify that the image has been created by selecting the Images tab on the left pane or under the Output Images column below the pipeline's Summary

Customization Instructions

The AMI Bakery solution can be customized to meet customer needs. This can be done by updating the image recipe of each supplied Cloudformation solution file template with the addition of one or more Amazon-managed or customer-managed components. Note: To avoid errors when updating the recipe, the EC2 Image Builder Recipe version number, i.e, pSRAAMIBakeryImageRecipeVersionNumber parameter value in the available Cloudformation solution file templates above must be changed from the default value 1.0.0 to something like 1.1.0 or any version number in ^[0-9]+\.[0-9]+\.[0-9]+$ pattern. You can make the changes either in the available CloudFormation files BEFORE the deployment OR from inside the CodeCommit repo after the deployment. Once updated from inside the CodeCommit repo console, go back to AWS CodePipeline console, open the solution's pipeline, and click Release change for the change to take effect.

• Example 1: Adding Amazon Managed Microsoft Web Server IIS into Windows Server 2022 Image

  1. Add the Component's ARN as follows: - ComponentArn: arn:aws:imagebuilder:us-east-1:aws:component/windows-server-iis/x.x.x under the rSRAAMIBakeryAMIBakeryImageBuilderRecipe's Components property.
  2. You can do the same for all Amazon managed tools/clients found in the EC2 Image Builder component's console for other images (Amazon Linux and Ubuntu Pro 20.04) in your region.

• Example 2: Adding a custom component (Customer-Managed) for Apache Httpd Web server with PHP and MariaDB into Amazon Linux 2023 Image

  1. Copy the code below and paste it into the file right at the top of the rSRAAMIBakeryAMIBakeryImageBuilderRecipe resource under the CloudFormation Resources section.

     rInstallApachePHPMariaDB:
       Type: AWS::ImageBuilder::Component
       Properties:
           Name: apache-install
           Version: !Ref pSRAAMIBakeryImageRecipeVersionNumber
           Platform: Linux
           Data: |
             name: InstallApachePHPMariaDB 
             description: This will install Apache Httpd Web server with PHP and MariaDB
             schemaVersion: 1.0
             phases:
                 - name: build
                   steps:
                     - name: Install
                       action: ExecuteBash
                       inputs:
                         commands:
                           - sudo yum update -y
                           - sudo yum install -y amazon-linux-extras
                           - sudo amazon-linux-extras install mariadb10.5
                           - sudo amazon-linux-extras install php8.2
                           - sudo yum install -y httpd
                           - sudo systemctl start httpd
                           - sudo systemctl enable httpd
     

  2. Add the customized Component's ARN - ComponentArn: !Ref rInstallApachePHPMariaDB under the rSRAAMIBakeryAMIBakeryImageBuilderRecipe's Components property.

Deletion Instructions

Choose one of the two options below:

• Option 1: Use AWS Management Console

1. In the management account (home region), delete the AWS CloudFormation Stack (sra-ami-bakery-org-main-ssm). Note: This will delete all SRA Staging resources
2. In the management account (home region), verify that the Lambda function processing is complete by confirming no more CloudWatch logs are generated.
3. In the management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
4. In the account (home region) identified by pAMIBakeryAccountId parameter, delete the AWS CloudFormation Stack (sra-ami-bakery-org-cloudformation-stack). Note: This will delete your solution with associated resources (IAM roles and policies, EC2 Image Builder resources, S3 Bucket, Codepipeline resources, etc)
5. Delete sra-ami-bakery-org-cloudformation-role role in the IAM console in the account (home region) identified by pAMIBakeryAccountId parameter Note: this will delete both cloudformation role and associated policy
6. Go to EC2 Image Builder console and choose Images from the navigation pane. Select the image versions created by the AMI Bakery solution. Select the images and on the Actions menu, choose Delete.

• Option 2: Use AWS CLI
• Note: For steps 1 and 2, we assume you are running the commands below against the management (home region), and for Steps 3 - 5, we assume you are running them in the account (home region) identified by pAMIBakeryAccountId parameter.

1. aws cloudformation delete-stack --stack-name sra-ami-bakery-org-main-ssm. Note: This will delete all SRA Staging resources
2. aws logs delete-log-group --log-group-name /aws/lambda/sra-ami-bakery-org. Note: This will delete the log group for AMI bakery solution
3. aws cloudformation delete-stack --stack-name sra-ami-bakery-org-cloudformation-stack. Note: This will delete your solution with associated resources (IAM roles and policies, EC2 Imagebuilder resources, S3 Bucket, CodepiPeline resources, etc)
4. aws iam delete-role-policy --role-name sra-ami-bakery-org-cloudformation-role --policy-name sra-ami-bakery-org-cloudformation-policy. Note: This will delete CloudFormation policy
5. aws iam delete-role --role-name sra-ami-bakery-org-cloudformation-role. Note: This will delete CloudFormation role.
6. aws imagebuilder delete-image --image-build-version-arn <ARN_OF_THE_IMAGE_RESOURCE_VERSION_TO_BE_DELETED >. Note: The image's arn can be fetched using this command aws imagebuilder list-mages

---

References

• Managing AWS SDKs in Lambda Functions
• Lambda runtimes
• Python Boto3 SDK changelog
• CIS compliance with Ubuntu LTS
• Creating AMI mappings for CloudFormation
• Building an Ubuntu PRO CIS hardened AMI with EC2 Image Builder