Control: 2.1.4 Ensure Images (AMI) are not older than 90 days
Description
Ensure that your AMIs are not older than 90 days.
Using up-to-date AMIs will provide many benefits from OS updates and security patches helping to ensure reliability, security and compliance.
Remediation
Perform these steps if the Creation date is older than 90 days.
From Console:
- Login to the EC2 console at https://console.aws.amazon.com/ec2/.
- In the left pane, under
Images, clickAMIs. - Select the
AMIto be updated. - Click on
Launch. - Go through the EC2 Instance creation process.
- Apply all system, security and application updates that are applicable to the EC2 instance.
- Once completed click on
Instance state,Stop instance. - Click on
Actions, Image and templates, Create image. - Once the image process has complete return to the AMI list but clicking on
Images, AMIs. - Select the AMI that is older than 90 days.
- Click on
Actions, Deregister.
Repeat these steps for any other AMIs older than 90 days.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_4 --shareSQL
This control uses a named query:
select image_id as resource, case when creation_date >= (current_date - interval '90 days') then 'ok' else 'alarm' end as status, title || ' created ' || to_char(creation_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - creation_date) || ' days).' as reason , region, account_idfrom aws_ec2_ami;