AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Security best practices for EC2 Image Builder

EC2 Image Builder provides several security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and do not represent a complete security solution. Because these practices might not be appropriate for, or sufficient in, your environment, treat them as helpful considerations rather than as prescriptions.

  • Do not use overly permissive security groups in Image Builder recipes.

  • Do not share images with accounts that you do not trust.

  • Do not make images that contain private or sensitive data public.

  • Apply all available Windows or Linux security patches during the image build.
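Two of the points above (sharing with untrusted accounts and public exposure) can be checked mechanically. The following is an added example, not code from AWS documentation or from Image Builder itself, that audits an AMI's launch permissions from a shell. It reads the rows produced by the AWS CLI query quoted in the comments and flags a public image and any recipient account that is not on a trusted list. The AMI ID, the account IDs and the sample permission rows are constructed placeholders, and the row format assumes the CLI's text rendering of that query (a missing field printed as the literal string None).

```shell
#!/bin/sh
# Added example (not part of AWS's documentation or of Image Builder):
# flag an AMI that is public or shared with an account outside an allowlist.
#
# Real input comes from the AWS CLI (constructed AMI ID):
#   aws ec2 describe-image-attribute --image-id ami-0123456789abcdef0 \
#       --attribute launchPermission \
#       --query 'LaunchPermissions[].[Group,UserId]' --output text
# which prints one tab-separated row per permission, Group first and UserId
# second, with the literal string None where a field is absent (assumed CLI
# text rendering). Constructed sample of that output:
SAMPLE_PERMISSIONS="$(printf 'None\t111111111111\nNone\t333333333333\nall\tNone\n')"

# Accounts that may receive shared images (constructed placeholder IDs).
TRUSTED_ACCOUNTS="111111111111 222222222222"

# is_trusted ACCOUNT_ID: succeeds when ACCOUNT_ID is listed in TRUSTED_ACCOUNTS.
is_trusted() {
    for account in $TRUSTED_ACCOUNTS; do
        [ "$account" = "$1" ] && return 0
    done
    return 1
}

# audit_launch_permissions: reads permission rows on stdin, prints one line per
# finding and returns the number of findings (0 means the image is not public
# and is shared only with trusted accounts).
audit_launch_permissions() {
    findings=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r group userid; do
        # skip blank lines
        [ -z "$group$userid" ] && continue
        if [ "$group" = "all" ]; then
            echo "PUBLIC: any AWS account can launch this image"
            findings=$((findings + 1))
        elif [ -n "$userid" ] && [ "$userid" != "None" ] && ! is_trusted "$userid"; then
            echo "UNTRUSTED ACCOUNT: $userid"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: printf '%s\n' "$SAMPLE_PERMISSIONS" | audit_launch_permissions; echo "findings: $?"
```

The return value is the finding count, so the function can gate a release pipeline directly; against the constructed sample it reports the unknown account 333333333333 and the public "all" group, two findings.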

Script execution

When you build a Linux image with EC2 Image Builder, AWS enforces a script that runs at the end of the image build process. Similarly, after a Windows image has been customized, EC2 Image Builder runs Microsoft's Sysprep utility. These actions follow AWS best practices for hardening and cleaning the image. However, because additional customizations can be made during the image customization phase, AWS cannot guarantee that the resulting image meets any particular regulatory requirement.

AWS recommends that you test your images to validate their security posture and the applicable level of security compliance.

When you use EC2 Image Builder to customize an Amazon Linux 2 image, the following script runs as a required step.

#!/bin/bash
FILES=(
    # Secure removal of list of sudo users
    "/etc/sudoers.d/90-cloud-init-users"
    # Secure removal of RSA encrypted SSH host keys.
    "/etc/ssh/ssh_host_rsa_key"
    "/etc/ssh/ssh_host_rsa_key.pub"
    # Secure removal of ECDSA encrypted SSH host keys.
    "/etc/ssh/ssh_host_ecdsa_key"
    "/etc/ssh/ssh_host_ecdsa_key.pub"
    # Secure removal of ED25519 encrypted SSH host keys.
    "/etc/ssh/ssh_host_ed25519_key"
    "/etc/ssh/ssh_host_ed25519_key.pub"
    # Secure removal of "root" user approved SSH keys list.
    "/root/.ssh/authorized_keys"
    # Secure removal of "ec2-user" user approved SSH keys list.
    "/home/ec2-user/.ssh/authorized_keys"
    # Secure removal of file which tracks system updates
    "/etc/.updated"
    "/var/.updated"
    # Secure removal of file with aliases for mailing lists
    "/etc/aliases.db"
    # Secure removal of file which contains the hostname of the system
    "/etc/hostname"
    # Secure removal of files with system-wide locale settings
    "/etc/locale.conf"
    # Secure removal of cached GPG signatures of yum repositories
    "/var/cache/yum/x86_64/2/.gpgkeyschecked.yum"
    # Secure removal of audit framework logs
    "/var/log/audit/audit.log"
    # Secure removal of boot logs
    "/var/log/boot.log"
    # Secure removal of kernel message logs
    "/var/log/dmesg"
    # Secure removal of cloud-init logs
    "/var/log/cloud-init.log"
    # Secure removal of cloud-init's output logs
    "/var/log/cloud-init-output.log"
    # Secure removal of cron logs
    "/var/log/cron"
    # Secure removal of aliases file for the Postfix mail transfer agent
    "/var/lib/misc/postfix.aliasesdb-stamp"
    # Secure removal of master lock for the Postfix mail transfer agent
    "/var/lib/postfix/master.lock"
    # Secure removal of spool data for the Postfix mail transfer agent
    "/var/spool/postfix/pid/master.pid"
    # Secure removal of history of Bash commands
    "/home/ec2-user/.bash_history"
    # Secure removal of file which relabels all files in the next boot
    "/.autorelabel"
)

for FILE in "${FILES[@]}"; do
    echo "Deleting $FILE"
    sudo shred -zuf $FILE
    if [[ -f $FILE ]]; then
        echo "Failed to delete '$FILE'. Failing."
        exit 1
    fi
done

# Secure removal of TOE's log directories
echo "Deleting {{workingDirectory}}/TOE_*"
sudo find {{workingDirectory}}/TOE_* -type f -exec shred -zuf {} \;
if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then
    echo "Failed to delete {{workingDirectory}}/TOE_*"
    exit 1
fi
sudo rm -rf {{workingDirectory}}/TOE_*
if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then
    echo "Failed to delete {{workingDirectory}}/TOE_*"
    exit 1
fi

# Secure removal of system activity reports/logs
echo "Deleting /var/log/sa/sa*"
sudo shred -zuf /var/log/sa/sa*
if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/log/sa/sa*"
    exit 1
fi

# Secure removal of SSM logs
echo "Deleting /var/log/amazon/ssm/*"
sudo find /var/log/amazon/ssm -type f -exec shred -zuf {} \;
if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then
    echo "Failed to delete /var/log/amazon/ssm"
    exit 1
fi
sudo rm -rf /var/log/amazon/ssm
if [[ -d "/var/log/amazon/ssm" ]]; then
    echo "Failed to delete /var/log/amazon/ssm"
    exit 1
fi

# Secure removal of DHCP client leases that have been acquired
echo "Deleting /var/lib/dhclient/dhclient*.lease"
sudo shred -zuf /var/lib/dhclient/dhclient*.lease
if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/lib/dhclient/dhclient*.lease"
    exit 1
fi

# Secure removal of cloud-init files
echo "Deleting /var/lib/cloud/*"
sudo find /var/lib/cloud -type f -exec shred -zuf {} \;
if [[ $( sudo find /var/lib/cloud -type f | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/lib/cloud"
    exit 1
fi
sudo rm -rf /var/lib/cloud/*
if [[ $( sudo ls /var/lib/cloud | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/lib/cloud/*"
    exit 1
fi

# Secure removal of temporary files
echo "Deleting /var/tmp/*"
sudo find /var/tmp -type f -exec shred -zuf {} \;
if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then
    echo "Failed to delete /var/tmp"
    exit 1
fi
sudo rm -rf /var/tmp/*
if [[ $( sudo ls /var/tmp | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/tmp/*"
    exit 1
fi

# Shredding is not guaranteed to work well on rolling logs
# Removal of system logs
echo "Deleting /var/lib/rsyslog/imjournal.state"
sudo shred -zuf /var/lib/rsyslog/imjournal.state
sudo rm -f /var/lib/rsyslog/imjournal.state
if [[ -f "/var/lib/rsyslog/imjournal.state" ]]; then
    echo "Failed to delete /var/lib/rsyslog/imjournal.state"
    exit 1
fi

# Removal of journal logs
echo "Deleting /var/log/journal/*"
sudo find /var/log/journal/ -type f -exec shred -zuf {} \;
sudo rm -rf /var/log/journal/*
if [[ $( sudo ls /var/log/journal/ | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/log/journal/*"
    exit 1
fi
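AWS recommends testing the built image, and one concrete test is to confirm that the cleanup step above really left no build-time artifacts behind. The following is an added example, not AWS's script, of such a check for a Linux image: run against the mount point of a snapshot of the built AMI's root volume, or against / on a test instance launched from it, it reports each artifact the cleanup script should have removed and returns the number found, so it can gate a pipeline. The file and directory lists mirror the cleanup script's own paths (the TOE working directory is templated as {{workingDirectory}} in that script and is therefore not covered here), and the /mnt/ami-root mount point in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not AWS's script): verify that the image cleanup step left no
# sensitive build-time artifacts behind. Point it at the root of a mounted
# snapshot of the built AMI, or at / on a test instance launched from it.

# Files that must not exist in a finished image (paths relative to the image
# root). They mirror the FILES array of the AWS cleanup script.
RESIDUE_FILES="
etc/sudoers.d/90-cloud-init-users
etc/ssh/ssh_host_rsa_key
etc/ssh/ssh_host_rsa_key.pub
etc/ssh/ssh_host_ecdsa_key
etc/ssh/ssh_host_ecdsa_key.pub
etc/ssh/ssh_host_ed25519_key
etc/ssh/ssh_host_ed25519_key.pub
root/.ssh/authorized_keys
home/ec2-user/.ssh/authorized_keys
home/ec2-user/.bash_history
var/log/audit/audit.log
var/log/cloud-init.log
var/log/cloud-init-output.log
var/lib/rsyslog/imjournal.state
"

# Directories that must be empty or absent in a finished image.
RESIDUE_DIRS="var/lib/cloud var/log/journal var/log/amazon/ssm var/tmp"

# check_image_root ROOT: prints one line per leftover artifact under ROOT and
# returns the number found (0 means the image is clean).
check_image_root() {
    root="${1%/}"   # drop a trailing slash: "/" becomes "", "/mnt/x/" becomes "/mnt/x"
    found=0
    for f in $RESIDUE_FILES; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER FILE: /$f"
            found=$((found + 1))
        fi
    done
    for d in $RESIDUE_DIRS; do
        if [ -d "$root/$d" ] && [ -n "$(ls -A "$root/$d")" ]; then
            echo "NON-EMPTY DIRECTORY: /$d"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# Usage (the mount point is an assumption):
#   check_image_root /mnt/ami-root; echo "leftover artifacts: $?"
if [ -n "${1:-}" ]; then
    check_image_root "$1"
    exit $?
fi
```

Because the cleanup script fails the build when a file survives, a non-zero result here usually points at a later customization that recreated the artifact (for example an SSH host key regenerated by a component that restarted sshd), which is exactly the case the page says AWS cannot guarantee against.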