Security teams often need to verify that their container hosts comply with industry standards like the CIS (Center for Internet Security) Benchmarks. In this post, I'll show you how to generate CIS compliance reports for Bottlerocket OS running on Amazon ECS Managed Instances.
Generate CIS compliance reports from Amazon ECS Managed Instances
Introduction
Amazon ECS Managed Instances is a fully managed compute option that runs on AWS-managed Bottlerocket AMIs with automatic security patching. Bottlerocket is a Linux-based operating system purpose-built for hosting containers, and its image ships with most of the controls required by the CIS Bottlerocket Benchmark Level 1 configuration profile. Being built with security in mind does not remove the need to prove it, though: organizations still have to validate that their hosts meet the benchmark. The CIS Bottlerocket Benchmark provides prescriptive guidance for establishing a secure configuration posture, and Bottlerocket's apiclient can evaluate a running host against it.
Solution Overview
We'll create a privileged ECS task that can enter the host's mount namespace and run the CIS compliance checks with Bottlerocket's built-in apiclient tool. Because the task runs privileged with host PID and network namespaces, it is effectively root on the node: treat it as a break-glass diagnostic, run it on demand rather than as a long-lived service, restrict who may register and run the task definition, and stop it once the report has been collected. (The command below enters PID 1's mount namespace with nsenter, so the /host bind mount in the task definition is not actually needed for the report and can be dropped to shrink the task's footprint.) Here's how it works:
- Create a task definition for a privileged container
- Run the task on an ECS managed instance
- View the Amazon ECS task logs
Prerequisites
To follow this walkthrough, you'll need:
Walkthrough
Set the following environment variables, replacing the placeholder values with your own.
export ECS_CLUSTER_NAME="your-cluster-name"
export AWS_REGION="your-region"
export ACCOUNT_ID="your-account-id"
Create a task definition from a CLI JSON input file called cis-node-debugger.json. The heredoc delimiter is unquoted on purpose so that ${ACCOUNT_ID} and ${AWS_REGION} are expanded from the variables you just set. Two points on permissions: awslogs-create-group requires the execution role to be allowed logs:CreateLogGroup, so either grant that to ecsTaskExecutionRole or create the /aws/ecs/cis-node-debugger log group beforehand; and the container itself makes no AWS API calls, so taskRoleArn can point at a role with no permissions if you prefer least privilege (the example reuses ecsTaskExecutionRole for simplicity).
cat<< EOF > cis-node-debugger.json
{
"family": "cis-node-debugger",
"taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole",
"executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole",
"cpu": "256",
"memory": "512",
"networkMode": "host",
"pidMode": "host",
"requiresCompatibilities": ["MANAGED_INSTANCES", "EC2"],
"containerDefinitions": [
{
"name": "cis-node-debugger",
"image": "public.ecr.aws/amazonlinux/amazonlinux:2023",
"essential": true,
"privileged": true,
"command": [
"sh",
"-c",
"yum install -q -y util-linux-core; nsenter -t 1 -m apiclient report cis --level 1 --format text; sleep infinity"
],
"healthCheck": {
"command": [
"CMD-SHELL",
"echo debugger || exit 1"
],
"interval": 30,
"retries": 3,
"timeout": 5
},
"linuxParameters": {
"initProcessEnabled": true
},
"mountPoints": [
{
"sourceVolume": "host-root",
"containerPath": "/host",
"readOnly": false
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/aws/ecs/cis-node-debugger",
"awslogs-create-group": "true",
"awslogs-region": "${AWS_REGION}",
"awslogs-stream-prefix": "ecs"
}
}
}
],
"volumes": [
{
"name": "host-root",
"host": {
"sourcePath": "/"
}
}
]
}
EOF
Register the task definition, then run it with the following commands. The capacity provider name (managed-instances-default here) must match the Managed Instances capacity provider attached to your cluster.
aws ecs register-task-definition --cli-input-json file://cis-node-debugger.json
TASK_ARN=`aws ecs run-task \
--cluster $ECS_CLUSTER_NAME \
--task-definition cis-node-debugger \
--enable-execute-command \
--capacity-provider-strategy capacityProvider=managed-instances-default,weight=1 \
--query 'tasks[0].taskArn' --output text`
echo $TASK_ARN
# Wait for the task to reach the RUNNING state
aws ecs wait tasks-running --cluster $ECS_CLUSTER_NAME --tasks $TASK_ARN
View the CloudWatch Logs for the Amazon ECS task
The report is written to the log stream ecs/cis-node-debugger/<task ID> in the /aws/ecs/cis-node-debugger log group, following the awslogs-stream-prefix setting in the task definition. The CIS compliance report lists each control ID with its Pass, Fail, or Skip status, as in the following example report:

Understanding the Results
The CIS compliance report shows:
- Total checks: 15
- Passed: 11
- Failed: 0
- Skipped: 4
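Reading the totals by eye works for one host, but a security team usually wants the report pulled from CloudWatch and turned into a pass/fail gate that lists the failing control IDs. The following POSIX shell script is an added example, not code from the original post or from the Bottlerocket project. It assumes the awslogs settings from the task definition above (log group /aws/ecs/cis-node-debugger, stream prefix ecs, container name cis-node-debugger) and the [PASS]/[FAIL]/[SKIP] line layout of apiclient's text report; the embedded SAMPLE_REPORT is constructed, not captured from a real host, and deliberately contains one failing check so the failure path is exercised. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the CIS text report from
# the task's CloudWatch log stream and gate on it.
# Assumptions (not stated in the post): awslogs group /aws/ecs/cis-node-debugger,
# stream prefix "ecs", container name cis-node-debugger, and report lines that
# start with [PASS], [FAIL] or [SKIP] followed by the control ID.

# Constructed sample report (not real apiclient output); one check fails on purpose.
SAMPLE_REPORT='Benchmark name:  CIS Bottlerocket Benchmark
Benchmark level: 1

[SKIP] 1.1.1.1     Example check A (constructed)
[PASS] 1.2.1       Example check B (constructed)
[FAIL] 3.2.5       Example check C (constructed)
[PASS] 4.1.1.1     Example check D (constructed)

Passed:          2
Failed:          1
Skipped:         1
Total checks:    4'

# awslogs names the stream <prefix>/<container>/<task-id>; the task ID is the
# last path component of the task ARN.
cis_log_stream() {
  printf 'ecs/cis-node-debugger/%s\n' "${1##*/}"
}

# Pull the report lines, oldest first, one log event per line.
# Needs AWS credentials; only called when TASK_ARN is set.
cis_fetch_report() {
  aws logs get-log-events \
    --log-group-name /aws/ecs/cis-node-debugger \
    --log-stream-name "$(cis_log_stream "$1")" \
    --start-from-head \
    --query 'events[].[message]' --output text
}

# Count results from stdin; prints "passed failed skipped".
cis_counts() {
  awk '/^\[PASS\]/ { p++ } /^\[FAIL\]/ { f++ } /^\[SKIP\]/ { s++ }
       END { printf "%d %d %d\n", p, f, s }'
}

# Print the control IDs of failed checks from stdin, one per line.
cis_failed_ids() {
  awk '/^\[FAIL\]/ { print $2 }'
}

# Gate: exit 0 when every executed check passed, 1 when any check failed,
# 2 when the report contains no checks at all (apiclient did not run or the
# log stream is empty). Skipped checks do not fail the gate.
cis_gate() {
  report=$(cat)
  set -- $(printf '%s\n' "$report" | cis_counts)   # $1=passed $2=failed $3=skipped
  total=$(($1 + $2 + $3))
  printf 'passed=%s failed=%s skipped=%s total=%s\n' "$1" "$2" "$3" "$total"
  if [ "$total" -eq 0 ]; then
    echo 'no checks found in report: did apiclient run?' >&2
    return 2
  fi
  if [ "$2" -gt 0 ]; then
    printf 'failed controls: %s\n' \
      "$(printf '%s\n' "$report" | cis_failed_ids | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Stand-alone run: gate a real task when TASK_ARN is set, otherwise the sample.
status=0
if [ -n "${TASK_ARN:-}" ]; then
  cis_fetch_report "$TASK_ARN" | cis_gate || status=$?
else
  printf '%s\n' "$SAMPLE_REPORT" | cis_gate || status=$?
fi
echo "gate exit status: $status"
```

Run it after the wait command above with TASK_ARN still exported to gate the live task; without TASK_ARN it runs against the sample and exits 1 because of the constructed [FAIL] line. Treating "zero checks found" as a distinct failure matters: a task that crashed before apiclient ran would otherwise look like a clean report.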
Cleaning Up
To avoid ongoing charges, stop the task once you have collected the report. Because the task definition grants host-level privileges, also deregister it when you are done with the exercise so it is not left available in the account.
aws ecs stop-task --cluster $ECS_CLUSTER_NAME --task $TASK_ARN
Conclusion
In this post, I showed how to generate CIS compliance reports for Bottlerocket OS running on Amazon ECS Managed Instances. This approach helps security teams validate their container host configurations against industry-standard security benchmarks.
To learn more, you can: