Cloud Security, Security
by Cloud Native Application Development Team | Mar 21, 2018
To set the stage, let’s define the TLAs in the title:
When you need a Linux instance in AWS that is secure and compliant with NIST and DISA standards, it can be a challenge to know where to start. The standard covers filesystem layout, the default configuration of the operating system, permissions on files and other details. Below is one way to accomplish the task for CentOS or Red Hat Enterprise Linux (RHEL); it should work for other distributions with minor changes.
For STIG compliance, the filesystem needs to follow a specific layout. Luckily there is a public image (search Public Images for “spel-minimal-centos-7”; ami-a6ffeddc as of March 2018) that meets the requirement. There is a cost to use the image; you have been advised. You can launch the Amazon Machine Image (AMI), modify the instance, save it as a new image and use that as the base image for your secure instances.
The public AMI is a good starting place, but you may want an AMI in your own account with an encrypted disk. This requires launching the public AMI, stopping it, saving it as an AMI in your account, and then encrypting the disk and saving the result as another AMI. I have included a bash script (provided by Jared Short) to automate the creation of an AMI with an encrypted disk in your account.
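The launch, stop, image and encrypt sequence just described, written out with the AWS CLI as an added example; this is not the post's script, which is not reproduced on this page. It assumes the AWS CLI is installed and has credentials, and it assumes a region, a KMS key alias, an instance type and an image-name prefix (all overridable through environment variables). The source AMI id is the one quoted in the post. A DRY_RUN switch prints every call instead of executing it, so the whole sequence can be reviewed before it touches the account.

```shell
#!/usr/bin/env sh
# Added example (not the post's script): build an encrypted, account-owned AMI
# from the public STIG-layout AMI with the AWS CLI. Steps follow the post:
# launch the public AMI, stop it, save it as a private AMI, then copy that AMI
# with EBS encryption turned on.
set -eu

SOURCE_AMI="${SOURCE_AMI:-ami-a6ffeddc}"    # public spel-minimal-centos-7 id quoted in the post (Mar 2018)
REGION="${REGION:-us-east-1}"                # assumption: region the public AMI lives in
KMS_KEY="${KMS_KEY:-alias/aws/ebs}"          # assumption: KMS key used for the encrypted copy
INSTANCE_TYPE="${INSTANCE_TYPE:-t3.micro}"   # assumption
NAME_PREFIX="${NAME_PREFIX:-stig-centos7}"   # assumption
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints each AWS CLI call instead of running it

# Single choke point for every AWS call, so the sequence can be previewed
# (and reviewed) before anything is created in the account.
aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "aws --region $REGION $*"
  else
    aws --region "$REGION" "$@"
  fi
}

# Step 1: launch the public AMI; prints the new instance id
launch_instance() {
  aws_cmd ec2 run-instances --image-id "$SOURCE_AMI" --instance-type "$INSTANCE_TYPE" \
    --query 'Instances[0].InstanceId' --output text
}

# Step 2: stop the instance so its root volume is quiescent before imaging
stop_instance() {
  aws_cmd ec2 wait instance-running --instance-ids "$1"
  aws_cmd ec2 stop-instances --instance-ids "$1" \
    --query 'StoppingInstances[0].CurrentState.Name' --output text
  aws_cmd ec2 wait instance-stopped --instance-ids "$1"
}

# Step 3: save the stopped instance as an (unencrypted) AMI owned by this account; prints the image id
create_private_ami() {
  aws_cmd ec2 create-image --instance-id "$1" --name "${NAME_PREFIX}-unencrypted" \
    --query 'ImageId' --output text
}

# Step 4: copy the private AMI with encryption; the copy is the base image for secure instances
copy_encrypted_ami() {
  aws_cmd ec2 wait image-available --image-ids "$1"
  aws_cmd ec2 copy-image --source-image-id "$1" --source-region "$REGION" \
    --name "${NAME_PREFIX}-encrypted" --encrypted --kms-key-id "$KMS_KEY" \
    --query 'ImageId' --output text
}

# Full sequence; the last line printed is the encrypted AMI id
build_encrypted_ami() {
  instance=$(launch_instance)
  stop_instance "$instance"
  private_ami=$(create_private_ami "$instance")
  copy_encrypted_ami "$private_ami" | tail -n 1
}

# Usage: ./encrypt-ami.sh run        (preview with: DRY_RUN=1 ./encrypt-ami.sh run)
if [ "${1:-}" = "run" ]; then
  build_encrypted_ami
fi
```

The unencrypted intermediate AMI and the stopped instance are left in place on purpose so the result can be compared against them; deregister the intermediate image and terminate the instance once the encrypted copy has been verified, since the unencrypted image is itself a copy of the root volume.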
I currently use the MindPointGroup role. You can choose the level of compliance you want and whether the role should apply changes or only audit. By default, the role audits and corrects CAT I, II and III findings. When the role completes, you have an instance that provides the desired functionality and is STIG compliant at CAT I, II and III.
To check SCAP compliance, Red Hat provides tools that are easy to use on RHEL and CentOS. It requires installing two packages (with their dependencies) and running one command with a few options. The output can be saved as HTML and viewed interactively to determine compliance; the HTML report lets you filter the results and see what failed and how to remediate it. In my experience there are false positives, so please verify each failed test to see whether it is a real finding or an error.
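Applying the role and then verifying the result with the SCAP tooling, as one added example covering both of the preceding steps; this is not the post's own code. It assumes the MindPointGroup role is the Ansible Galaxy role MindPointGroup.RHEL7-STIG and that its rhel7stig_cat1_patch, rhel7stig_cat2_patch and rhel7stig_cat3_patch variables select which categories are remediated; it assumes the CentOS 7 SCAP Security Guide datastream path and the 2018-era STIG profile id (on RHEL the datastream is ssg-rhel7-ds.xml), and the inventory, playbook and output paths are placeholders. The results fragment at the end is constructed, not real scan output, so that the result parsers can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not from the post): apply the MindPointGroup STIG role to a
# CentOS/RHEL 7 host with Ansible, then verify the result with the Red Hat
# OpenSCAP tooling and list which rules still fail.
set -eu

PLAYBOOK="${PLAYBOOK:-/tmp/stig.yml}"   # assumption
INVENTORY="${INVENTORY:-/tmp/hosts}"    # assumption: an inventory naming the target instance
# Assumptions: CentOS 7 datastream path and the 2018-era SSG STIG profile id; on RHEL use ssg-rhel7-ds.xml
DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_stig-rhel7-disa}"
RESULTS="${RESULTS:-/tmp/stig-results.xml}"
REPORT="${REPORT:-/tmp/stig-report.html}"

# Write a playbook that pins the role and chooses which categories it remediates.
# The rhel7stig_cat*_patch variable names are assumed from the role's defaults.
write_playbook() {
  cat > "$1" <<'EOF'
- hosts: all
  become: true
  vars:
    rhel7stig_cat1_patch: true    # remediate CAT I findings
    rhel7stig_cat2_patch: true    # remediate CAT II findings
    rhel7stig_cat3_patch: true    # set to false to leave CAT III findings unremediated
  roles:
    - MindPointGroup.RHEL7-STIG
EOF
}

# Audit first (--check changes nothing on the host), then apply.
harden() {
  ansible-galaxy install MindPointGroup.RHEL7-STIG
  ansible-playbook -i "$INVENTORY" --check "$PLAYBOOK"
  ansible-playbook -i "$INVENTORY" "$PLAYBOOK"
}

# Run the SSG STIG profile on the host. oscap exits 0 when every rule passed,
# 2 when at least one rule failed and 1 on error, so exit 2 must not abort
# the script under set -e.
scan() {
  sudo yum install -y openscap-scanner scap-security-guide
  rc=0
  sudo oscap xccdf eval --profile "$PROFILE" --results "$RESULTS" \
    --report "$REPORT" "$DATASTREAM" || rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "oscap reported an error" >&2
    return 1
  fi
}

# Tally outcomes (pass/fail/notapplicable/...) in an XCCDF results file
summarize_results() {
  grep -o '<result>[a-z]*</result>' "$1" | sed 's/<[^>]*>//g' | sort | uniq -c | sed 's/^ *//'
}

# List the ids of failed rules: each is either something to remediate or, as
# the post warns, a false positive to confirm by hand before acting on it
failed_rules() {
  awk '/<rule-result/ { if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>fail<\/result>/ { print id }' "$1"
}

count_failed() { failed_rules "$1" | wc -l | tr -d ' '; }

# Constructed results fragment (not real scan output) so the parsers can run offline
write_sample_results() {
  cat > "$1" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" severity="high">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Usage: ./stig.sh harden   (from the control machine)   |   ./stig.sh scan   (on the target host)
case "${1:-}" in
  harden) write_playbook "$PLAYBOOK"; harden ;;
  scan)   scan; summarize_results "$RESULTS"; echo "failed rules:"; failed_rules "$RESULTS" ;;
esac
```

Open the HTML report for the interactive view the post describes; the plain-text tally and the failed-rule list are there so a scan can be compared run to run and so each failing rule id can be looked up in the report and confirmed by hand, which is the check the false-positive caveat calls for.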
I hope you find this a concise document on how to deploy an instance in AWS that meets STIG compliance.