Strategic insights into AMI hardening unraveling the complexity

By unraveling the complexity surrounding AMI hardening, we aim to provide strategic insights into fortifying your cloud infrastructure.

Section 1: The Evolution of Cloud Security

An overview of the escalating importance of cloud security

Two tendencies are making the problem of cloud storage safety an increasingly critical issue. At least for companies that maintain some form of IT solutions for themselves or their customers. On the one hand, more and more businesses are choosing to buy cloud stocks from cloud providers (e.g. Amazon Elastic Compute Cloud), disposing their web-sites, services and apps there, instead of building server rooms as before.

On the other hand, the quantity of hacker attacks on the infrastructure is growing. As for the first trend: it’s corroborated by the recent study, which has been undertaken by Gartner – an american big consulting agency in the Intech field. It’s emerged that companies and organizations now envelope 95% of their new projects, being accessed in the Internet, with cloud-native architecture in cloud storages. It seems obvious that companies will soon become accustomed with holding all their IT-infrastructure in cloud and private data centers will be a thing of the past.

As a comparison, the percentage of new projects in clouds constitutes 30% only for 2021. The data are added with the results of the Calico project. According to the experts, 75% of companies, whose representatives have been successfully polled, said that their teams are shifting old projects in cloud-native architecture ‘right now’. As so many companies are working with clouds as ever more often cyberattack’s methods on cloud storages are appearing. Calico is an open-source project and framework which helps to broaden the Kubernetes features. Kubernetes, in its turn, is a special software for managing a number of operating systems, Linux in particular. Every OS could be in charge of compiling some part of a united application, like in microservice architecture. An application in a cloud could be arbitrary: a web-site, a service, a company intranet, a company CRM or ERP).

Dmitry Chernikov, head of presale at Xello, recently noted that in the near future, the activity of attackers will shift from the Internet perimeter to the cloud. According to him, the most high-profile incidents in 2023 will be just that: STORM-0558 at Microsoft, critical data leaks at JumpCloud and Okta. According to experts, attackers are searching for and sharing information about vulnerabilities on the Darknet, and are constantly inventing new approaches to horizontal movement across the Web. Everything is being used, even quite common and legal technologies such as RDP, SSH and WinRM. In 2024, there is a trend toward more attacks on Linux systems, adds D. Chernikov.

Darknet has introduced hacking training systems for beginners, as well as wide access to easy-to-use hacking software. It is possible to acquire data on yet undiscovered vulnerabilities in popular cloud software, including 0-day vulnerabilities for which no countermeasures have yet been invented. All this will lead to a quantitative and qualitative increase in the number of attacks on IT infrastructure available on the Internet. "In 2024, cloud services will be the main target of cyberattacks," says Denis Korbakov, Traffic Inspector expert.

Attack variants can range from DDoS and bruteforce attacks to specialized attacks using AI and neural networks, social engineering, automated penetration testing and phishing. An example of how big problems can be caused by successful penetration into cloud services of companies is the August 2021 attack on the cloud of the international consulting company Accenture by the hacker group LockBit. The attackers gained access to 50 terabytes of data, including Accenture's client management software (CSI). The data was blocked, and the hackers demanded that the company pay a $50 million ransom. The true scale of the consequences has not become public, as Accenture claims to have managed to restore all the necessary infrastructure from backups.

The iconic world IT-company IBM regularly generates reports on material damage to the company from data leaks and infrastructure hacks. The average cost of damage per year is 4.45 million USD.

The shifting paradigm towards cloud-native architectures

Even more high profile safety incident has happened in 2023 with the Toyota cloud-native infrastructure. Due to the cloud software, which has been configured wrong, 260 000 clients’ data have leaked on the Internet.

Despite this and many other successful attacks in recent years, native cloud architectures are recognized as more secure than services and web-sites hosted on their own server. A cloud service, compared to previously common data centers (DCs), has four main advantages:

• DevOps/DevSecOps: a set of practices and tools that, when applied systematically by development teams, achieve software reliability, security, and efficiency. Used by many cloud providers because the security of the cloud is outsourced to the provider by the owners of the software that is hosted in it. Access by attackers to the private data of dozens of companies can be fatal for cloud storage administrators. Many companies that provide such services are not satisfied with the minimum DevOps requirements, but apply DevSecOps. The latter concentrates on security against any threats and involves even more systematic and effective actions that eliminate breaches;
• continuous delivery: a system of practices that ensures that changes and updates are uploaded into production in small batches and in a continuous flow so that they definitely do not cause the application to start functioning unexpectedly and open new vulnerabilities;
• microservices: since, the cost of a cloud failure is likely to be completely unacceptable, their architecture today is initially built on multiple virtual machines and encapsulated by separate ‘sub-servers’ (containers). Microservice architecture allows you to create a completely separate environment for each small component of the application, virtually unrelated to the rest of the functionality (except for the point through which the microservice connects to the whole (often an HTTP header or REST API header)). Among other things, this provides more security for the cloud. Hacking into one microservice will not lead to access to the others. In addition, some parts of the code are so independent that they can even be written in different programming languages. Thus, even at the level of programming languages, it is possible to cut off some threats for better security. However, as the examples above show, complete security cannot be achieved even in the cloud;
• containers: the last word in cloud architecture. To make it possible to deploy tens or hundreds of Linux systems, one for each component of an application, managers of such systems are needed. Orchestrating their interaction and facilitating deployment. Some development environments utilize Docker and its container system. The popular cloud storage provider Amazon Elastic Compute Cloud provides Amazon Machine Images (AMI) for its customers. The latter also allows you to manage containers, in particular through the container (images) functionality.

Data from another study shows that 45% of all attacks on IT infrastructure are cloud storage attacks. 80% of organizations have experienced a cloud security incident at least once in the past year. For 27%, such issues resulted in a public scandal. Despite these disappointing numbers, the cloud remains the safest way to produce and support IT products today.

The inherent vulnerabilities in cloud environments, emphasizing the pivotal role of AMI hardening

The ‘zest’ of Amazon Web Services (AWS), which provides cloud storage to businesses, is precisely the best and preventative security practices for containers and container images (AMIs) that are created in the cloud infrastructure from this provider. Secure practices are well documented in cloud documentation.

For example, there are specific guidelines for securely configuring Linux systems that are deployed in AMIs and AMI’s images. By following the guidelines, you can maximize the protection of your data and code. Other materials freely available to Amazon Elastic Compute Cloud customers include the following recommendations:

• you should install Linux virtual machines in containers with as few packages and utilities as possible to reduce the "footprint" of possible hacker attacks;
• use encryption such as SSL as much as possible, as this allows you to securely shield HTTP requests between you and your customers (e.g. e-commerce payments);
• every time you install new versions of packages and software in the cloud, check the security groups that have been granted access to the relevant functionality;
• Conduct penetration tests on your AWS cloud infrastructure. Do this on a regular basis;
• It is worth conducting specific security audits for specific vulnerabilities that are most commonly exploited by hackers and lead to breaches.

There are classifications of common bugs and vulnerabilities in cloud infrastructure, such as CWE Top-25 and OWASP Top-10. For example, IT systems in clouds often fall victim to DoS due to CWE-787 – ‘writing outside the buffer’ and CWE-78 – ‘improper neutralization of operating system commands’.

According to a Soc Investigation special study, 16% of cloud security breaches are due to misconfiguration of the S3 (Simple Storage Service - ‘bin’). Keep an eye on the ports used, which are often targeted. If the main aim of the web-site, located in the next container or AMI’s image, is to simply broadcast information on the Internet, it is best to disable the alternate port, associated with the mail server (unused).

Section 2: Navigating the Amazon Machine Image (AMI) Landscape

A deep dive into the structure and significance of Amazon Machine Images

Suppose a user needs to quickly create ten servers with the same settings. This is just the core function of AMI (Amazon Machine Images). First, an EC2 instance is configured – this is the reference container configuration from which all new virtual machines can be spawned. The instance in question is started simply by clicking the "launch instance" button in the client. Next, you select the AMI distribution you want to work with. For example, AMI Amazon Linux 2. Some of these distributions are paid and some are free to use.

Then, with a button, you can create as many machine images as you want, with which you can implement a microservice architecture. All peculiarities of them would be extended from the parent's configuration. In the security settings, you can easily create groups according to access levels, so that no vulnerability is created in any single piece of software on microservices. All the necessary procedures are simple and easy to follow. Security-critical information is traceable, accessible and manageable.

Understanding the lifecycle of an AMI and its impact on system integrity

Since lifecycle management is automated and all important security procedures are "stitched" into standard actions: tag attachment, image creation, AMI deletion and AMI images, it is enough to adhere to simple routines to minimize the possibility of your cloud infrastructure being compromised.

For example, the AMI template that all new operating systems for your microservices are based on includes a setting for creating backups.

If it was initially set that they will be formed once every 11 hours, then this is exactly what will happen in all the AMI-based images.

The cloud storage client also supports an interesting recycle and ‘cleansing’ interface. In it, you can perform similar actions on those AMIs and images that have been taken out of use. For example, you can clean up whatever is left of them automatically, so that no unexpected vulnerability is formed in the system, connected to forgotten packs and code fragments.

Highlighting the potential risks associated with unhardened AMIs

While threats in AMI are prevented at the level of standard virtual machine management procedures, these procedures still need to be implemented correctly, taking advantage of all the useful settings. "Embedded" security simply won't work if dedicated cloud storage management software is not used correctly by administrators, or settings are set without regard for useful features that can be used in a particular case.

To ensure that the expectation of complete end-to-end security for your cloud is not cheated, you must apply AWS' Benchmark for CIS, which allows Amazon Elastic Compute Cloud owners and administrators to apply all of the system's security tools on time and in full.

Section 3: The CIS Benchmark Framework

Unpacking the CIS benchmark as a comprehensive set of guidelines for securing AMIs

AWS' Benchmark for CIS is based on The CIS Benchmark from the Center for Internet Security (CIS – a non-profit organization that encircles regularly updated specifications on the field of cloud storage hardening). The CIS’s documentation contains a number of best practices for using the cloud safely. Inherently, this is a guide for users who can implement all of its requirements and learn nothing else. "One-stop shop" for secure use of Amazon Machine Image.

By applying it alone, administrators can realize the security potential of AWS automated procedures. The Documents include clear, unambiguous, step-by-step instructions, as well as ways to self-test for correct implementation. CIS Assessment Testing (some of which you can download for free in PDF) was developed with input from security experts from around the world. The recommendations span deployment and configuration programmes and packages of more than 25 products from various vendors (including virtual machines with Windows and Linux installed in them). Similarly, you can automate checks to ensure that your AWS deployment meets the recommendations outlined in the CIS AWS Core Assessment Metrics standard, but more on that below.

Examining the specific controls and recommendations outlined by the CIS benchmark

CIS Benchmarks include a number of documents. One of the most interesting is Critical Security Controls Version 6.1. We will use it here as an example, It has a number of specific requirements, by fulfilling which a cloud storage user can significantly improve the security of their IT infrastructure and harden AMIs:

• It is necessary to inventory the connectivity of devices connected to private and public networks at certain intervals. To do this, deploy automated device discovery packages;
• Identify authorized and unauthorized software. Monitor automated file integrity checks for elements of the ecosystem that may be at risk;
• Establish standard, threat-free configuration that you will apply to all of your operating systems (when spawning images), and reproduce only those configurations;
• Minimize who has privileged access (e.g. sudo-access in Linux and Ubuntu) in virtual machines and throughout the system. Audit users' use of administrative privileges, log and respond to any anomalous activity with such privileges;
• Use automated tools for regular antivirus scanning in the cloud;
• Identify sensitive information to target additional encryption and protection tools.

How adherence to CIS benchmarks aligns with industry best practices and regulatory compliance

For many companies that maintain publicly available services, web-sites and applications, cloud storage security is also a matter of regulatory compliance. After all, a failure not only puts the organization at the mercy of fraudsters, but also breaks the law. AWS automated tools and CIS documents help with this, because they incorporate and comply with key security, privacy, and data protection standards. Specifically, the assessment testing puts into practice the requirements of the following organizations and documents:

• National Institute of Standards and Technology (NIST) Cybersecurity Fundamentals;
• Health Insurance Portability and Accountability Act (HIPAA);
• Payment Card Industry Data Security Standard (PCI DSS).

Implementing CIS assessment testing is a big step towards achieving compliance for organizations. This argument is especially relevant for organizations in industries whose activities are highly regulated: medicine, food industry, banking and so on.

Section 4: The Imperative of AMI Hardening

Exploring real-world examples of security breaches related to unhardened AMIs

An incident involving a cloud storage leak happened to the Taobao marketplace owned by Alibaba in November 2019. The cloud hack due to a vulnerability found affected 1.1 billion users of the marketplace. The attack succeeded just 8 months after a security check from Alibaba developers.

The unauthorized scraping of corporate data affected user IDs, cell phone numbers, and customer comments. Since the incident occurred in China, the consequences of the attack and the results of the police check have never been made public.

The financial and reputational consequences of a compromised cloud infrastructure

An incident involving a cloud storage leak happened to the Taobao marketplace owned by Alibaba in November 2019. A cloud hack due to a vulnerability found affected 1.1 billion users of the marketplace. The attack succeeded just 8 months after a special security check from Alibaba developers. The unauthorized scraping of corporate data affected user IDs, cell phone numbers, and customer comments. Since the incident occurred in China. The consequences of the attack and the results of the police check have not been made public.

The role of AMI hardening as a proactive defense mechanism against cyber threats

As is clear to anyone who has experienced an attack on their cloud infrastructure, at the stage when a successful penetration has occurred and the fraudster is parsing private data, there is no way to avoid negative consequences in the form of loss of reputation and fines, the size of which can become astronomical! The only way out is to behave proactively and maximize the use of preventive practices. This is exactly what The CIS Benchmark offers IT infrastructure owners in the cloud.

Section 5: Nuts and Bolts of AMI Hardening Using CIS Benchmarks

A step-by-step breakdown of implementing AMI hardening strategies based on CIS benchmarks

CIS cloud storage protection specifications are being adopted by many cloud providers. Among others, they are implemented in AWS]], Alibaba Cloud, Amazon Web Services, Google Cloud Computing Platform, and Google Workspace. Amazon Elastic Compute Cloud has created its own Internet Security Center for this purpose, which is a conduit for CIS specifications in the AWS infrastructure. For example, administrators can follow the step-by-step guide Basic AWS CIS Evaluation Metrics to help them establish a strong password policy for AWS Identity and Access Management (AWS IAM).

Enforcing password policies, use multifactor authentication (MFA). AWS offers free and premium tools that you can use to scan IT systems and create CIS compliance reports. These tools alert system administrators if existing configurations do not meet CIS assessment testing recommendations. Owners of IT infrastructures in the cloud can choose the level of security that should be provided in their case. To do so, the Internet Security Center provides two types of Profiles with self-checking tools and recommendations. Using Profile 1 is less of a hassle and provides the minimum level of security required. Profile 2 is suitable for companies for whom data privacy is a key priority.

Practical tips and best practices for ensuring compliance

The CIS AWS Foundations Benchmark, as well as the CIS specifications in general, provide step-by-step guidance on how to provide the right level of cloud security.

As an example, the CIS Amazon Web Services Foundations Benchmark v1.2.0 - 1.13 gives specific advice: provide MFA root access to virtual machine users. It also gives advice on how to do this and how to verify that the changes are implemented.

Automation tools and techniques for streamlining the AMI hardening process

To add an automated CIS requirements enforcement tool to your cloud simply sign up in the AWS Marketplace section of the EC2 Image Builder Console and use the AMI where it was made as the basis for creating snapshots (images). The AWS Security Hub supports the AWS CIS CIS Core Assessment Metrics standard, which consists of 43 controls and 32 Payment Card Industry Data Security Standards (PCI DSS) requirements across 14 AWS services.

Once AWS Security Hub is enabled, it immediately begins performing continuous, automated security audits of each control and each relevant resource associated with the control. Registration on the CIS site is required. You can supplement this toolkit with traditional automatic unit testing of code by installing testing libraries in the corresponding virtual machines.

Section 6: Beyond Compliance: Strategic Considerations

Discussing the broader implications of AMI hardening beyond regulatory compliance

Fulfilling CIS security requirements also ensures system optimization, code refactoring, and removal of unnecessary ports and packages.

In fact, the principles of lean management and business excellence are being implemented, when the system becomes more efficient as everything unnecessary that does not add value is removed from it.

The impact of hardened AMIs on operational efficiency and system performance

Since any unused component slows down applications, AMI's security enhancement and hardening activities improve the performance and speed of IT infrastructure in the cloud.

Strategies for continuous monitoring and adaptation to emerging threats

CIS and the AWS security and assessment testing center integrated into cloud management continually update specifications in near real time.

This ensures that despite the changing threat landscape and the emergence of new types of attacks and vulnerabilities, customers' IT infrastructure maintains the level of security it has achieved.

Conclusion

In conclusion, this article illuminates the intricate tapestry of AMI hardening within the context of CIS benchmarks. By recognizing the strategic significance of securing Amazon Machine Images, organizations can proactively fortify their cloud infrastructure against evolving cyber threats. Embracing the CIS benchmark guidelines becomes not just a compliance necessity but a strategic imperative for the resilience and sustainability of cloud-based systems.

Author: Bibin Babu Skaria, DevOps Engineer and System Architect with more than 9 years of experience