EC2 Image Builder 的安全最佳實務 - EC2 Image Builder
必要的建置後清理覆寫 Linux 清理指令碼

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

EC2 Image Builder 的安全最佳實務

EC2 Image Builder 提供許多安全性功能,可在您開發和實作自己的安全政策時考慮。以下最佳實務為一般準則,並不代表完整的安全解決方案。這些最佳實務可能不適用或無法滿足您的環境需求,因此請將其視為實用建議就好,而不要當作是指示。

  • 請勿在 Image Builder 方法中使用過於寬鬆的安全性群組。

  • 請勿與您不信任的帳戶共用影像。

  • 請勿將具有私人或敏感資料的影像公開。

  • 在映像檔建置期間套用所有可用的 Windows 或 Linux 安全性修補程式

強烈建議您測試映像檔,以驗證安全狀況和適用的安全性符合性層級。 Amazon Inspector 這樣的解決方案可協助驗證影像的安全性和合規狀態。

適用於 Image Builder 管線的 IMDSv2

當 Image Builder 管道執行時,它會傳送 HTTP 要求以啟動 Image Builder 用來建置和測試映像的 EC2 執行個體。若要設定管線用於啟動要求的 IMDS 版本,請在 Image Builder 基礎結構組態執行個體中繼資料設定中設定httpTokens參數。

注意

我們建議您將 Image Builder 從管線組建啟動的所有 EC2 執行個體設定為使用 IMDSv2,以便執行個體中繼資料擷取請求需要已簽署的權杖標頭。

如需 Image Builder 基礎結構組態的詳細資訊,請參閱管理 EC2 Image Builder 基礎設施組。如需有關 Linux 映像的 EC2 執行個體中繼資料選項的詳細資訊,請參閱 Amazon EC2 使用者指南中的設定執行個體中繼資料選項。對於 Windows 映像檔,請參閱 Amazon EC2 使用者指南中的設定執行個體中繼資料選項

必要的建置後清理

Image Builder 完成自訂映像檔的所有建置步驟後,映 Image Builder 會準備建置執行個體以進行測試和映像建立。在關閉組建執行個體以建立快照集之前,Image Builder 會執行下列清理,以確保映像檔的安全性:

Linux

Image Builder 管線會執行清理指令碼,以協助確保最終映像檔遵循安全性最佳作法,並移除任何不應轉移至快照集的建置成品或設定。但是,您可以跳過腳本的各個部分,或完全覆蓋用戶數據。因此,Image Builder 管線產生的映像不一定符合任何特定的法規標準。

管線完成其建置和測試階段時,Image Builder 會在建立輸出影像之前自動執行下列清理指令碼。

重要

如果您覆寫方案中的使用者資料,指令碼不會執行。在這種情況下,請確保在用戶數據中包含一個命令,該命令可以創建一個名為的空文件perform_cleanup。Image Builder 會偵測到此檔案,並在建立新映像之前執行清理程序檔。

#!/bin/bash
if [[ ! -f {{workingDirectory}}/perform_cleanup ]]; then
    echo "Skipping cleanup"
    exit 0
else
    sudo rm -f {{workingDirectory}}/perform_cleanup
fi

function cleanup() {
    FILES=("$@")
    for FILE in "${FILES[@]}"; do
        if [[ -f "$FILE" ]]; then
            echo "Deleting $FILE";
            sudo shred -zuf $FILE;
        fi;
        if [[ -f $FILE ]]; then
            echo "Failed to delete '$FILE'. Failing."
            exit 1
        fi;
    done
};


# Clean up for cloud-init files
CLOUD_INIT_FILES=(
    "/etc/sudoers.d/90-cloud-init-users"
    "/etc/locale.conf"
    "/var/log/cloud-init.log"
    "/var/log/cloud-init-output.log"
)
if [[ -f {{workingDirectory}}/skip_cleanup_cloudinit_files ]]; then
    echo "Skipping cleanup of cloud init files"
else
    echo "Cleaning up cloud init files"
    cleanup "${CLOUD_INIT_FILES[@]}"
    if [[ $( sudo find /var/lib/cloud -type f | sudo wc -l ) -gt 0 ]]; then
        echo "Deleting files within /var/lib/cloud/*"
        sudo find /var/lib/cloud -type f -exec shred -zuf {} \;
    fi;

    if [[ $( sudo ls /var/lib/cloud | sudo wc -l ) -gt 0 ]]; then
        echo "Deleting /var/lib/cloud/*"
        sudo rm -rf /var/lib/cloud/* || true
    fi;
fi;


# Clean up for temporary instance files
INSTANCE_FILES=(
    "/etc/.updated"
    "/etc/aliases.db"
    "/etc/hostname"
    "/var/lib/misc/postfix.aliasesdb-stamp"
    "/var/lib/postfix/master.lock"
    "/var/spool/postfix/pid/master.pid"
    "/var/.updated"
    "/var/cache/yum/x86_64/2/.gpgkeyschecked.yum"
)
if [[ -f {{workingDirectory}}/skip_cleanup_instance_files ]]; then
    echo "Skipping cleanup of instance files"
else
    echo "Cleaning up instance files"
    cleanup "${INSTANCE_FILES[@]}"
fi;


# Clean up for ssh files
SSH_FILES=(
    "/etc/ssh/ssh_host_rsa_key"
    "/etc/ssh/ssh_host_rsa_key.pub"
    "/etc/ssh/ssh_host_ecdsa_key"
    "/etc/ssh/ssh_host_ecdsa_key.pub"
    "/etc/ssh/ssh_host_ed25519_key"
    "/etc/ssh/ssh_host_ed25519_key.pub"
    "/root/.ssh/authorized_keys"
)
if [[ -f {{workingDirectory}}/skip_cleanup_ssh_files ]]; then
    echo "Skipping cleanup of ssh files"
else
    echo "Cleaning up ssh files"
    cleanup "${SSH_FILES[@]}"
    USERS=$(ls /home/)
    for user in $USERS; do
        echo Deleting /home/"$user"/.ssh/authorized_keys;
        sudo find /home/"$user"/.ssh/authorized_keys -type f -exec shred -zuf {} \;
    done
    for user in $USERS; do
        if [[ -f /home/"$user"/.ssh/authorized_keys ]]; then
            echo Failed to delete /home/"$user"/.ssh/authorized_keys;
            exit 1
        fi;
    done;
fi;


# Clean up for instance log files
INSTANCE_LOG_FILES=(
    "/var/log/audit/audit.log"
    "/var/log/boot.log"
    "/var/log/dmesg"
    "/var/log/cron"
)
if [[ -f {{workingDirectory}}/skip_cleanup_instance_log_files ]]; then
    echo "Skipping cleanup of instance log files"
else
    echo "Cleaning up instance log files"
    cleanup "${INSTANCE_LOG_FILES[@]}"
fi;

# Clean up for TOE files
if [[ -f {{workingDirectory}}/skip_cleanup_toe_files ]]; then
    echo "Skipping cleanup of TOE files"
else
    echo "Cleaning TOE files"
    if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then
        echo "Deleting files within {{workingDirectory}}/TOE_*"
        sudo find {{workingDirectory}}/TOE_* -type f -exec shred -zuf {} \;
    fi
    if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then
        echo "Failed to delete {{workingDirectory}}/TOE_*"
        exit 1
    fi
    if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then
        echo "Deleting {{workingDirectory}}/TOE_*"
        sudo rm -rf {{workingDirectory}}/TOE_*
    fi
    if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then
        echo "Failed to delete {{workingDirectory}}/TOE_*"
        exit 1
    fi
fi

# Clean up for ssm log files
if [[ -f {{workingDirectory}}/skip_cleanup_ssm_log_files ]]; then
    echo "Skipping cleanup of ssm log files"
else
    echo "Cleaning up ssm log files"
    if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then
        echo "Deleting files within /var/log/amazon/ssm/*"
        sudo find /var/log/amazon/ssm -type f -exec shred -zuf {} \;
    fi
    if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then
        echo "Failed to delete /var/log/amazon/ssm"
        exit 1
    fi
    if [[ -d "/var/log/amazon/ssm" ]]; then
        echo "Deleting /var/log/amazon/ssm/*"
        sudo rm -rf /var/log/amazon/ssm
    fi
    if [[ -d "/var/log/amazon/ssm" ]]; then
        echo "Failed to delete /var/log/amazon/ssm"
        exit 1
    fi
fi


if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then
    echo "Deleting /var/log/sa/sa*"
    sudo shred -zuf /var/log/sa/sa*
fi
if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then
    echo "Failed to delete /var/log/sa/sa*"
    exit 1
fi

if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then
        echo "Deleting /var/lib/dhclient/dhclient*.lease"
        sudo shred -zuf /var/lib/dhclient/dhclient*.lease
fi
if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then
        echo "Failed to delete /var/lib/dhclient/dhclient*.lease"
        exit 1
fi

if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then
        echo "Deleting files within /var/tmp/*"
        sudo find /var/tmp -type f -exec shred -zuf {} \;
fi
if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then
        echo "Failed to delete /var/tmp"
        exit 1
fi
if [[ $( sudo ls /var/tmp | sudo wc -l ) -gt 0 ]]; then
        echo "Deleting /var/tmp/*"
        sudo rm -rf /var/tmp/*
fi

# Shredding is not guaranteed to work well on rolling logs

if [[ -f "/var/lib/rsyslog/imjournal.state" ]]; then
        echo "Deleting /var/lib/rsyslog/imjournal.state"
        sudo shred -zuf /var/lib/rsyslog/imjournal.state
        sudo rm -f /var/lib/rsyslog/imjournal.state
fi

if [[ $( sudo ls /var/log/journal/ | sudo wc -l ) -gt 0 ]]; then
        echo "Deleting /var/log/journal/*"
        sudo find /var/log/journal/ -type f -exec shred -zuf {} \;
        sudo rm -rf /var/log/journal/*
fi

sudo touch /etc/machine-id
Windows

Image Builder 管線自訂視窗映像後,它會執行 Microsoft Sysprep 公用程式。 這些動作會遵循強化和清理影像的AWS 最佳作法

覆寫 Linux 清理指令碼

Image Builder 會建立預設安全的映像檔,並遵循我們的安全性最佳做法。但是,某些更進階的使用案例可能需要您略過內建清理指令碼的一或多個區段。如果您確實需要略過某些清理,我們強烈建議您測試輸出 AMI 以確保映像的安全性。

重要

略過清理指令碼中的區段可能會導致機密資訊,例如擁有者帳戶詳細資料或安全殼層金鑰包含在最終映像檔中,以及從該映像檔啟動的任何執行個體。在不同的可用區域、區域或帳戶中啟動時,您也可能會遇到問題。

下表概述清理指令集的各個區段、在該區段中刪除的檔案,以及可用來標記 Image Builder 應略過的區段的檔案名稱。若要略過清理指令碼的特定區段,您可以使用CreateFile元件動作模組或使用者資料中的指令 (如果覆寫),以 「略過區段檔案名稱」欄中指定的名稱建立空白檔案

注意

您建立用來略過清理指令碼某個區段的檔案不應包含副檔名。例如,如果您想略過指令碼CLOUD_INIT_FILES區段,但建立名為的檔案skip_cleanup_cloudinit_files.txt,Image Builder 將無法辨識略過檔案。

輸入

清理區段

已移除檔案

略過段落檔案名稱

CLOUD_INIT_FILES

/etc/sudoers.d/90-cloud-init-users

/etc/locale.conf

/var/log/cloud-init.log

/var/log/cloud-init-output.log

skip_cleanup_cloudinit_files

INSTANCE_FILES

/etc/.updated

/etc/aliases.db

/etc/hostname

/var/lib/misc/postfix.aliasesdb-stamp

/var/lib/postfix/master.lock

/var/spool/postfix/pid/master.pid

/var/.updated

/var/cache/yum/x86_64/2/.gpgkeyschecked.yum

skip_cleanup_instance_files

SSH_FILES

/etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_rsa_key.pub

/etc/ssh/ssh_host_ecdsa_key

/etc/ssh/ssh_host_ecdsa_key.pub

/etc/ssh/ssh_host_ed25519_key

/etc/ssh/ssh_host_ed25519_key.pub

/root/.ssh/authorized_keys

/home/<all users>/.ssh/authorized_keys;

skip_cleanup_ssh_files

INSTANCE_LOG_FILES

/var/log/audit/audit.log

/var/log/boot.log

/var/log/dmesg

/var/log/cron

skip_cleanup_instance_log_files

TOE_FILES

{{workingDirectory}}/TOE_*

skip_cleanup_toe_files

SSM_LOG_FILES

/var/log/amazon/ssm/*

skip_cleanup_ssm_log_files