If you are using Amazon Machine Images (AMIs) in your AWS environment, it is important to ensure that they meet your security requirements. You can now reason on AMI attributes within the Dome9 Compliance Engine.
Some AMIs contain sensitive information that should not be made publicly available. With AMI support in the Compliance Engine, you can now verify that the AMIs in your account are kept private. You can also check that your AMIs are properly tagged or use an approved kernel ID. We also let you reason on the AMI that was used to launch each EC2 instance and check that only authorized AMIs are in use, by verifying the AMI owner, name or ID.
Below are a few GSL queries you could use to analyze the AMIs in your infrastructure:
1. GSL query to check if the image is private
AMI should have isPublic='false'
2. GSL query to check if AMI is based on x86 image
AMI should have architecture='x86_64'
3. GSL query to check whether EC2 instances were launched from an AMI whose name matches a specific pattern
Instance should have imageDetails.name like 'myBakedAMI%'
4. GSL query to check that the AMI an EC2 instance was launched from is owned by Amazon
Instance should have imageDetails.imageOwnerAlias='amazon'
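The same checks can be reproduced outside the Compliance Engine against the raw EC2 API data, which is useful for cross-checking a rule or for accounts not yet onboarded. The following is an added example, not Dome9 code and not GSL: it evaluates the image-level checks (private, x86_64, tagged) over the response shape of `ec2.describe_images()` and an "authorized AMI" check over `ec2.describe_instances()`, accepting an image by owner alias, name pattern or explicit image ID as the text above describes. The `gsl_like` helper, the `AUTHORIZED` policy and all image and instance records are constructed sample data (the IDs are placeholders), so it runs offline; one instance deliberately references an AMI that is no longer describable, the case a practitioner most often trips over.

```python
"""Reproduce the AMI compliance checks over boto3-shaped EC2 data.

Added example: plain Python over the dict shapes returned by
ec2.describe_images() and ec2.describe_instances(). Not Dome9 code.
All data below is constructed for illustration.
"""
import re

# Constructed: what describe_images(Owners=["self"]) might return.
OWN_IMAGES = [
    {"ImageId": "ami-0aaa111", "Name": "myBakedAMI-2019-03-01", "Public": False,
     "Architecture": "x86_64", "OwnerId": "111122223333",
     "Tags": [{"Key": "Owner", "Value": "platform"}]},
    {"ImageId": "ami-0bbb222", "Name": "debug-snapshot", "Public": True,
     "Architecture": "x86_64", "OwnerId": "111122223333", "Tags": []},
]

# Constructed: an Amazon-owned image resolved for an instance's ImageId.
# ImageOwnerAlias is only present for Amazon / marketplace images.
AMAZON_IMAGES = [
    {"ImageId": "ami-0ccc333", "Name": "amzn2-ami-hvm-x86_64-gp2", "Public": True,
     "Architecture": "x86_64", "OwnerId": "444455556666", "ImageOwnerAlias": "amazon"},
]

# Constructed: flattened Reservations[].Instances[] from describe_instances().
INSTANCES = [
    {"InstanceId": "i-0001", "ImageId": "ami-0aaa111"},  # baked image
    {"InstanceId": "i-0002", "ImageId": "ami-0ccc333"},  # Amazon-owned image
    {"InstanceId": "i-0003", "ImageId": "ami-0ddd444"},  # AMI deregistered since launch
    {"InstanceId": "i-0004", "ImageId": "ami-0bbb222"},  # public debug image
]

# Hypothetical allow-list mirroring the post's queries 3 and 4.
AUTHORIZED = {
    "owner_aliases": {"amazon"},
    "name_patterns": ["myBakedAMI%"],
    "image_ids": set(),
}


def gsl_like(value, pattern):
    """Emulate a SQL-style 'like': '%' matches any run of characters."""
    if value is None:
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value) is not None


# Image-level rules: (name, predicate over one describe_images entry).
IMAGE_RULES = {
    "isPublic=false": lambda img: img.get("Public") is False,
    "architecture=x86_64": lambda img: img.get("Architecture") == "x86_64",
    "tagged with Owner": lambda img: any(t.get("Key") == "Owner" for t in img.get("Tags", [])),
}


def audit_images(images, rules=IMAGE_RULES):
    """Return {ImageId: [failed rule names]} for images that fail any rule."""
    findings = {}
    for img in images:
        failed = [name for name, pred in rules.items() if not pred(img)]
        if failed:
            findings[img["ImageId"]] = failed
    return findings


def ami_is_authorized(img, policy=AUTHORIZED):
    """Accept an image by owner alias, explicit ID, or name pattern."""
    return (img.get("ImageOwnerAlias") in policy["owner_aliases"]
            or img.get("ImageId") in policy["image_ids"]
            or any(gsl_like(img.get("Name"), p) for p in policy["name_patterns"]))


def audit_instances(instances, images, policy=AUTHORIZED):
    """Return {InstanceId: reason} for instances not launched from an authorized AMI.

    An AMI that cannot be resolved (deregistered, or owned by an account whose
    images we cannot describe) is a finding, not a pass: nothing can be attested
    about the code the instance booted from.
    """
    by_id = {img["ImageId"]: img for img in images}
    findings = {}
    for inst in instances:
        img = by_id.get(inst["ImageId"])
        if img is None:
            findings[inst["InstanceId"]] = "AMI %s not describable" % inst["ImageId"]
        elif not ami_is_authorized(img, policy):
            findings[inst["InstanceId"]] = "AMI %s (%s) not authorized" % (
                img["ImageId"], img.get("Name"))
    return findings


if __name__ == "__main__":
    print(audit_images(OWN_IMAGES))
    print(audit_instances(INSTANCES, OWN_IMAGES + AMAZON_IMAGES))
```

To run this against a real account, replace the constructed lists with the `Images` from `describe_images(Owners=["self"])` for the image checks and, for the instance check, resolve the distinct `ImageId` values from `describe_instances` with a second `describe_images(ImageIds=[...])` call; an ID that the second call does not return is exactly the "not describable" case handled above.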