In this Cloud Computing world, organizations of all sizes continue to focus on eliminating the need for monotonous tasks and improving processes. However, many organizations still rely on using high valued resources to perform manual tasks. Not only is this a waste of time and money, but it is highly inefficient and will lead to human errors.
Traditional way of AMI:
- Manually create an AMI from the instance.
- Launch the instance for security patching and install required software’s
- Manually share the AMI to other accounts
Currently, many organizations are moving into cloud computing to scale up their business. They spin up more workloads to Amazon Web Services (AWS). But how does the team ensure when a new VM is provisioned: can be scalable, in a reliable manner, error free, with no vulnerabilities.
A golden AMI is an AMI that can be standardized through configuration, consistent security patching, and hardening. It also contains agents to approve for logging, security, and performance monitoring.
AMIs use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions for better performance. Windows AMIs are HVM AMIs.
The old saying goes: if you are doing something more than a couple of times, automate it.
Golden AMI Pipeline
This blog is about building a secured, approved Golden AMI image for providing a reliable, scalable, and approved application stack factory that increases innovation swiftness, reduces effort, and increases the confidence of Securiy team to ensure that the teams are compliant.
Automated Golden AMI Pipeline Process Flow
AMI Factory Pipeline:
- Step 1 (optional): Subscribe to the AWS marketplace product you want to distribute
- Step 2: Create a cross-account role in the child account
- Step 3: Set up the golden AMI pipeline environment
- Step 4 (optional): Set up a compliance check in the child account(s)
- Step 5: Create a golden AMI
- Step 6: Approve the golden AMI
- Step 7: Review the golden AMI metadata
- Step 8 (optional): Manually trigger continuous vulnerability assessment of golden AMIs
- Step 9: Distribute the golden AMI to child account
- Step 10: Decommission the golden AMI
Once you have shared the base golden AMI with development teams, they can consume the latest golden AMI in the simplest way possible, often through automation. They can customize the OS specific golden AMIs with the required software components, but also ensure that the AMIs continue to meet the organization’s requirements.
The development teams can repeat the above process. Each team within the business can use the golden OS AMI shared by the Security team and can add their own software and produce a new golden AMI that is secured, scanned, distributed, and consumed as necessary.
To assess different features of the golden AMI pipeline:
- Create golden AMI and then distribute the same to a child account.
- Manually perform a continuous vulnerability assessment of the active golden AMI.
- Deploy an instance of a golden AMI in a governed manner.
- Finally, decommission the golden AMI.
Cloud Comrade’s expertise in Automation can help businesses in setting up a consistent template model, which ensures consistency, secured, scalable, and reliable Golden Image pipeline.