Cloud security and functionality: Don’t settle for just one
Cloud security is important to you, but that doesn’t mean you’re willing to trade security for functionality. You need security to work for you. Whatever cloud security resources you’re using must be compatible with the services you use to power your environments.
I get it. Which is why I’m pleased to announce that the Center for Internet Security (CIS) has tested its CIS Hardened Images with two popular cloud services: Azure Update Manager and Amazon EC2 Image Builder. In this blog, I’ll explain why we started to pursue testing, provide some examples of issues we tested for, and briefly discuss the future of our testing.
Making sure the essentials are covered to help YOU
The CIS Hardened Images are virtual machine images that are pre-hardened to the security recommendations of the CIS Benchmarks. Every Hardened Image comes with a CIS-CAT Pro assessment report. This enables you to see how well the image conforms to the corresponding CIS Benchmark so that you can make an informed decision about securing your operating systems in the cloud.
Want to learn more about how CIS Hardened Images deliver security in the cloud? Check out our video below.
We decided to pursue compatibility testing for our CIS Hardened Images for two main reasons. First, the cloud services we selected perform essential functions related to your use of virtual images. Azure Update Manager enables you to monitor, manage, schedule, and implement updates for your Azure virtual machines, while EC2 Image Builder helps you automate the process of building a golden image in Amazon Web Services (AWS).
This leads to the second reason: customers like you have requested that CIS review the compatibility of CIS Hardened Images with these services. We’ve seen your requests about Azure Update Manager and EC2 Image Builder specifically via support tickets, and we want to help.
Two common requests we’ve resolved through testing
We heard your feedback on EC2 Image Builder and Azure Update Manager. Through testing, we identified the root cause of the following two issues.
EC2 Image Builder: Hardening recommendations for Noexec
We adjusted the CIS Hardened Images for CIS Red Hat Enterprise Linux 8 Benchmark Level 2 and CIS Red Hat Enterprise Linux 8 STIG Benchmark for integration with EC2 Image Builder. EC2 Image Builder uses AWS Systems Manager Automation in the custom image-building pipeline. AWS Systems Manager requires the installation of the AWS SSM Agent. The AWS SSM Agent installs into and executes scripts from directories within var and var/tmp. To authorize proper execution, we ensured that the noexec option was not set on var and var/tmp on these two CIS Hardened Images.
To configure this recommendation with the CIS Benchmark, please follow the remediation instructions in the CIS Benchmark PDF. You can also learn more about this issue by checking out our Knowledge Base article.
Azure Update Manager: Hardening recommendation for Shell Timeout
Azure Update Manager requires a shell to execute the updates, gather instance information, and send information back to Azure from the omsagent. To accommodate this in the CIS Linux Hardened Images, we removed the hardening for recommendation, “Ensure default user shell timeout is 900 seconds or less.”
You can configure this recommendation manually by following the remediation instructions in the CIS Benchmark PDF, which will inhibit the functionality of Azure Update Manager with a CIS Linux Hardened Image. Additionally, you can review our Knowledge Base article for more information.
Our plans for future compatibility testing
We will continue to test some of the highly requested services and applications to help you balance security and functionality going forward. We can’t always make changes, nor can we test everything; if a recommendation causing conflict brings significant security value, we won’t change the configuration. But it can still help to identify where the issue is so we can document it, communicate it to you, and explain the impact of the setting.
With this in mind, we encourage you to give us feedback on services for which you’re using with CIS Hardened Images that may have compatibility issues. This is completely user-generated work. We’re willing to listen and to try to help.
Ready to balance security and functionality in your cloud environments?