SEC06-BP02: Provision compute from hardened images

Build your compute images, such as Amazon Machine Images (AMIs), container images, or VM images, from a hardened operating system, and keep your images up to date with the latest security patches. Remove or disable unnecessary services, and configure your images to meet your security requirements before deploying them to production.

Implementation guidance

Hardened images serve as the foundation for secure compute resources by providing a baseline security configuration that reduces the attack surface and ensures consistent security controls across your infrastructure. By starting with hardened images, you can significantly improve your security posture and reduce the time needed to secure new compute resources.

Key steps for implementing this best practice:

  1. Create hardened base images:
    • Start with minimal operating system installations
    • Remove unnecessary packages, services, and components
    • Apply security hardening guidelines (CIS benchmarks, STIG)
    • Configure secure default settings and parameters
    • Implement logging and monitoring configurations
  2. Implement automated image building:
    • Use Infrastructure as Code for consistent image creation
    • Implement automated security scanning during image build
    • Create versioned and immutable image artifacts
    • Establish automated testing for hardened configurations
    • Implement approval workflows for image releases
  3. Maintain image security and updates:
    • Establish regular image update schedules
    • Implement automated patching and security updates
    • Monitor for new vulnerabilities and security advisories
    • Create processes for emergency security updates
    • Maintain image inventory and lifecycle management
  4. Configure runtime security controls:
    • Implement host-based intrusion detection systems
    • Configure file integrity monitoring
    • Set up system call monitoring and filtering
    • Implement network security controls at the host level
    • Configure secure boot and trusted platform modules
  5. Establish image governance and compliance:
    • Create image approval and certification processes
    • Implement compliance scanning and validation
    • Establish image signing and verification
    • Create audit trails for image usage and modifications
    • Implement policy enforcement for image deployment
  6. Monitor and validate hardened configurations:
    • Implement continuous compliance monitoring
    • Set up configuration drift detection
    • Create automated remediation for configuration violations
    • Establish security metrics and reporting
    • Conduct regular security assessments of deployed images
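Steps 2 and 6 call for automated testing of hardened configurations and for drift detection. As an added example, not one of the page's own implementation examples, the following POSIX shell script checks an image's sshd_config against a chosen baseline; the keyword names are real sshd options, but the baseline values and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the AWS page: validate an image's sshd_config
# against a hardened baseline as a build-time test. Assumes POSIX sh + awk;
# the baseline values are ours. Match blocks are out of scope here.
# Baseline as key=value lines (constructed for this example).
EXPECTED_SSHD_SETTINGS="PermitRootLogin=no
PasswordAuthentication=no
X11Forwarding=no
MaxAuthTries=4"
# Print the effective value of a keyword in an sshd_config-style file.
# sshd uses the FIRST non-comment occurrence of a keyword (case-insensitive),
# so a later "hardened" line does not override an earlier weak one.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && !seen && tolower($1) == key { v = $2; seen = 1 }
        END { if (seen) print v }' "$1"
}
# Compare a config file with the baseline. Prints one FAIL line per
# mismatch; returns 0 when every key matches, 1 otherwise.
check_sshd_hardening() {
    cfg="$1"; rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED_SSHD_SETTINGS
EOF
    return $rc
}
# Constructed sample files (not captured from real hosts). In the drifted
# file the weak line comes first, so a naive grep for the hardened line passes.
HARDENED_CFG=$(mktemp); DRIFTED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
EOF
cat > "$DRIFTED_CFG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
EOF
```

Run `check_sshd_hardening /path/to/sshd_config` in the image build pipeline and fail the build on a non-zero exit.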

Implementation examples

Example 1: Automated AMI hardening with Packer

Example 2: Security hardening scripts

Example 3: Container image hardening with multi-stage builds

Example 4: Infrastructure as Code for hardened EC2 instances