Using AMIs in Production
Overview
This lecture covers the process of ensuring that only pre-approved Amazon Machine Images (AMIs) are used to launch EC2 instances in a production environment.
Key Concepts
- Pre-approved AMIs: AMIs tagged with specific identifiers indicating they are cleared for production use.
- IAM Policies: Used to restrict users to launch instances only from pre-approved AMIs.
- Tagging AMIs: Assigning tags to AMIs to categorize them as approved or not approved.
- AWS Config: A service to monitor and assess the compliance of AWS resources, including EC2 instances launched from AMIs.
Steps to Enforce Usage of Pre-approved AMIs
- Tagging AMIs:
  - Approved AMIs must be tagged appropriately (e.g., with an "environment: prod" tag).
  - It is crucial to control who has the permissions to add tags to AMIs: anyone who can tag an AMI can effectively approve it for production.
- IAM Policy Configuration:
  - Create and apply IAM policies that include conditions to allow launching instances only from AMIs with specific tags.
  - Example condition: "ec2:ResourceTag/environment": "prod"
- Monitoring with AWS Config:
  - Set up AWS Config rules to monitor EC2 instances.
  - AWS Config will identify non-compliant instances, i.e., those launched from unapproved AMIs.
  - Compliant instances will be marked as such, and actions can be taken against non-compliant ones.
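The evaluation that the AWS Config step performs, written out as an added example (not code from the lecture or from AWS): each instance's ImageId is checked against the set of AMIs carrying the approval tag, and the instance is marked COMPLIANT or NON_COMPLIANT. The image and instance records below are constructed with fake IDs in the shape of boto3 describe_images / describe_instances output; the tag key and value are assumed to match the lecture's "environment: prod" convention.

```python
"""Mark EC2 instances compliant or non-compliant by the tag on their AMI."""

# Approval tag, as used in the lecture. Tag values are case-sensitive, and so is
# the IAM StringEquals operator, so "Prod" does not count as approved.
APPROVAL_KEY = "environment"
APPROVAL_VALUE = "prod"


def approved_image_ids(images):
    """Return the set of ImageIds whose tags include environment=prod."""
    approved = set()
    for img in images:
        tags = {t["Key"]: t["Value"] for t in img.get("Tags", [])}
        if tags.get(APPROVAL_KEY) == APPROVAL_VALUE:
            approved.add(img["ImageId"])
    return approved


def evaluate_instances(instances, images):
    """Map each InstanceId to 'COMPLIANT' or 'NON_COMPLIANT'.

    An instance whose AMI is absent from the image list (for example because
    it was deregistered) is NON_COMPLIANT: its approval can no longer be shown.
    """
    approved = approved_image_ids(images)
    return {
        inst["InstanceId"]: "COMPLIANT" if inst["ImageId"] in approved else "NON_COMPLIANT"
        for inst in instances
    }


# Constructed sample data (fake IDs), shaped like boto3 describe_* results.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa111", "Tags": [{"Key": "environment", "Value": "prod"}]},
    {"ImageId": "ami-0bbb222", "Tags": [{"Key": "environment", "Value": "dev"}]},
    {"ImageId": "ami-0ccc333"},  # untagged
    {"ImageId": "ami-0eee555", "Tags": [{"Key": "environment", "Value": "Prod"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-01", "ImageId": "ami-0aaa111"},
    {"InstanceId": "i-02", "ImageId": "ami-0bbb222"},
    {"InstanceId": "i-03", "ImageId": "ami-0ccc333"},
    {"InstanceId": "i-04", "ImageId": "ami-0ddd444"},  # AMI no longer registered
    {"InstanceId": "i-05", "ImageId": "ami-0eee555"},  # wrong case in tag value
]

if __name__ == "__main__":
    for instance_id, verdict in evaluate_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES).items():
        print(instance_id, verdict)
```

In a real deployment this logic would sit in the Lambda function behind a custom AWS Config rule, with the two lists fetched from the EC2 API rather than embedded.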

Example IAM Policy Snippet
The tag check on the AMI has to be placed on the image resource: an instance does not exist yet when ec2:RunInstances is evaluated, so an ec2:ResourceTag condition on instance/* would not match anything. The first statement requires the launched instance itself to be tagged environment=prod; the second is what limits which AMIs can be launched.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/environment": "prod"
        }
      }
    },
    {
      "Sid": "LaunchOnlyFromApprovedAMIs",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region::image/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/environment": "prod"
        }
      }
    }
  ]
}

A complete policy also needs Allow statements for the other resources RunInstances touches (subnet, security group, network interface, volume, key pair), otherwise the launch is still denied.
Conclusion
By combining tagging strategies with IAM policies and AWS Config, you can create a secure and compliant environment for launching EC2 instances in production. This ensures that only approved AMIs are used, which is crucial for maintaining standards and security in a production environment.
Next Steps
- Implement the discussed IAM policies and tagging strategies.
- Configure AWS Config to monitor compliance.