EC2 Image Builder 的安全最佳实践 - EC2 Image Builder
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

EC2 Image Builder 的安全最佳实践

EC2 Image Builder 提供了在您开发和实施自己的安全策略时需要考虑的大量安全功能。以下最佳实践是一般指导原则,并不代表完整安全解决方案。这些最佳实践可能不适合您的环境或不满足您的环境要求,请将其视为有用的考虑因素而不是惯例。

  • 不要在 Image Builder 配方中使用过于宽松的安全组。

  • 不要与您不信任的账户共享镜像。

  • 不要公开包含私有或敏感数据的镜像。

  • 在镜像生成期间应用所有可用的 Windows 或 Linux 安全补丁。

脚本执行

使用 EC2 Image Builder 构建 Linux 映像时,Amazon强制执行在镜像生成过程结束时运行的脚本。同样,EC2 Image Builder 将运行 Microsoft 的Sysprep自定义 Windows 镜像后的实用程序。这些操作遵循Amazon强化和镜像清理最佳实践。. 不过,由于可以在镜像自定义期间进行其他自定义,Amazon不能保证生成的镜像符合任何特定的法规条件。如果你覆盖这种情况尤其如此用户数据在你的食谱里。

Amazon建议您测试镜像,以验证安全状况和适用的安全合规性级别。

对于 Linux 映像,在管道创建输出映像之前完成构建和测试阶段时,Image Builder 会自动运行以下清理脚本。但是,如果你覆盖用户数据在你的食谱中,脚本不会运行。在这种情况下,您有责任确保清理步骤运行,方法是在用户数据中包含一个命令,该命令创建名为perform_cleanup. Image Builder 会检测到此文件,然后在创建新映像之前运行清理脚本。

#!/bin/bash if [[ ! -f {{workingDirectory}}/perform_cleanup ]]; then echo "Skipping cleanup" exit 0 else sudo rm -f {{workingDirectory}}/perform_cleanup fi function cleanup() { FILES=("$@") for FILE in "${FILES[@]}"; do if [[ -f "$FILE" ]]; then echo "Deleting $FILE"; sudo shred -zuf $FILE; fi; if [[ -f $FILE ]]; then echo "Failed to delete '$FILE'. Failing." exit 1 fi; done }; # Clean up for cloud-init files CLOUD_INIT_FILES=( "/etc/sudoers.d/90-cloud-init-users" "/etc/locale.conf" "/var/log/cloud-init.log" "/var/log/cloud-init-output.log" ) if [[ -f {{workingDirectory}}/skip_cleanup_cloudinit_files ]]; then echo "Skipping cleanup of cloud init files" else echo "Cleaning up cloud init files" cleanup "${CLOUD_INIT_FILES[@]}" if [[ $( sudo find /var/lib/cloud -type f | sudo wc -l ) -gt 0 ]]; then echo "Deleting files within /var/lib/cloud/*" sudo find /var/lib/cloud -type f -exec shred -zuf {} \; fi; if [[ $( sudo ls /var/lib/cloud | sudo wc -l ) -gt 0 ]]; then echo "Deleting /var/lib/cloud/*" sudo rm -rf /var/lib/cloud/* || true fi; fi; # Clean up for temporary instance files INSTANCE_FILES=( "/etc/.updated" "/etc/aliases.db" "/etc/hostname" "/var/lib/misc/postfix.aliasesdb-stamp" "/var/lib/postfix/master.lock" "/var/spool/postfix/pid/master.pid" "/var/.updated" "/var/cache/yum/x86_64/2/.gpgkeyschecked.yum" ) if [[ -f {{workingDirectory}}/skip_cleanup_instance_files ]]; then echo "Skipping cleanup of instance files" else echo "Cleaning up instance files" cleanup "${INSTANCE_FILES[@]}" fi; # Clean up for ssh files SSH_FILES=( "/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_rsa_key.pub" "/etc/ssh/ssh_host_ecdsa_key" "/etc/ssh/ssh_host_ecdsa_key.pub" "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" "/root/.ssh/authorized_keys" ) if [[ -f {{workingDirectory}}/skip_cleanup_ssh_files ]]; then echo "Skipping cleanup of ssh files" else echo "Cleaning up ssh files" cleanup "${SSH_FILES[@]}" USERS=$(ls /home/) for user in $USERS; do echo Deleting /home/"$user"/.ssh/authorized_keys; sudo find /home/"$user"/.ssh/authorized_keys -type f -exec shred -zuf {} \; done for user in $USERS; do if [[ -f /home/"$user"/.ssh/authorized_keys ]]; then echo Failed to delete /home/"$user"/.ssh/authorized_keys; exit 1 fi; done; fi; # Clean up for instance log files INSTANCE_LOG_FILES=( "/var/log/audit/audit.log" "/var/log/boot.log" "/var/log/dmesg" "/var/log/cron" ) if [[ -f {{workingDirectory}}/skip_cleanup_instance_log_files ]]; then echo "Skipping cleanup of instance log files" else echo "Cleaning up instance log files" cleanup "${INSTANCE_LOG_FILES[@]}" fi; # Clean up for TOE files if [[ -f {{workingDirectory}}/skip_cleanup_toe_files ]]; then echo "Skipping cleanup of TOE files" else echo "Cleaning TOE files" if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then echo "Deleting files within {{workingDirectory}}/TOE_*" sudo find {{workingDirectory}}/TOE_* -type f -exec shred -zuf {} \; fi if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then echo "Failed to delete {{workingDirectory}}/TOE_*" exit 1 fi if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then echo "Deleting {{workingDirectory}}/TOE_*" sudo rm -rf {{workingDirectory}}/TOE_* fi if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then echo "Failed to delete {{workingDirectory}}/TOE_*" exit 1 fi fi # Clean up for ssm log files if [[ -f {{workingDirectory}}/skip_cleanup_ssm_log_files ]]; then echo "Skipping cleanup of ssm log files" else echo "Cleaning up ssm log files" if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then echo "Deleting files within /var/log/amazon/ssm/*" sudo find /var/log/amazon/ssm -type f -exec shred -zuf {} \; fi if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then echo "Failed to delete /var/log/amazon/ssm" exit 1 fi if [[ -d "/var/log/amazon/ssm" ]]; then echo "Deleting /var/log/amazon/ssm/*" sudo rm -rf /var/log/amazon/ssm fi if [[ -d "/var/log/amazon/ssm" ]]; then echo "Failed to delete /var/log/amazon/ssm" exit 1 fi fi if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then echo "Deleting /var/log/sa/sa*" sudo shred -zuf /var/log/sa/sa* fi if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then echo "Failed to delete /var/log/sa/sa*" exit 1 fi if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then echo "Deleting /var/lib/dhclient/dhclient*.lease" sudo shred -zuf /var/lib/dhclient/dhclient*.lease fi if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then echo "Failed to delete /var/lib/dhclient/dhclient*.lease" exit 1 fi if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then echo "Deleting files within /var/tmp/*" sudo find /var/tmp -type f -exec shred -zuf {} \; fi if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then echo "Failed to delete /var/tmp" exit 1 fi if [[ $( sudo ls /var/tmp | sudo wc -l ) -gt 0 ]]; then echo "Deleting /var/tmp/*" sudo rm -rf /var/tmp/* fi # Shredding is not guaranteed to work well on rolling logs if [[ -f "/var/lib/rsyslog/imjournal.state" ]]; then echo "Deleting /var/lib/rsyslog/imjournal.state" sudo shred -zuf /var/lib/rsyslog/imjournal.state sudo rm -f /var/lib/rsyslog/imjournal.state fi if [[ $( sudo ls /var/log/journal/ | sudo wc -l ) -gt 0 ]]; then echo "Deleting /var/log/journal/*" sudo find /var/log/journal/ -type f -exec shred -zuf {} \; sudo rm -rf /var/log/journal/* fi sudo touch /etc/machine-id