Support input params for component #4

Open
wants to merge 2 commits into
base: master
37 changes: 21 additions & 16 deletions cis-benchmarks/cis-benchmarks.yaml
@@ -1,35 +1,40 @@
name: CISBenchmarks
description: This component builds an hardened image according to CIS Amazon Linux 2 Benchmark version 1.0.0
description: "This component builds an hardened image according to CIS Amazon Linux 2 Benchmark version 1.0.0 (source: https://github.com/sufleio/ec2-image-builder)"
schemaVersion: 1.0

parameters:
- S3BucketNameParameter:
type: string
description: Name of S3 bucket containing conf files

phases:
- name: build
steps:

- name: DisableCramfsMount
action: S3Download
inputs:
- source: 's3://<bucket-name>/disable_cramfs_mount.conf'
- source: 's3://{{ S3BucketNameParameter }}/disable_cramfs_mount.conf'
destination: '/etc/modprobe.d/cramfs.conf'
- name: DisableHfsMount
action: S3Download
inputs:
- source: 's3://<bucket-name>/disable_hfs_mount.conf'
- source: 's3://{{ S3BucketNameParameter }}/disable_hfs_mount.conf'
destination: '/etc/modprobe.d/hfs.conf'
- name: DisableHfsplusMount
action: S3Download
inputs:
- source: 's3://<bucket-name>/disable_hfsplus_mount.conf'
- source: 's3://{{ S3BucketNameParameter }}/disable_hfsplus_mount.conf'
destination: '/etc/modprobe.d/hfsplus.conf'
- name: DisableSquashfsMount
action: S3Download
inputs:
- source: 's3://<bucket-name>/disable_squashfs_mount.conf'
- source: 's3://{{ S3BucketNameParameter }}/disable_squashfs_mount.conf'
destination: '/etc/modprobe.d/squashfs.conf'
- name: DisableUdfMount
action: S3Download
inputs:
- source: 's3://<bucket-name>/disable_udf_mount.conf'
- source: 's3://{{ S3BucketNameParameter }}/disable_udf_mount.conf'
destination: '/etc/modprobe.d/udf.conf'
- name: ShmConfiguration
action: ExecuteBash
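Review bot: `S3BucketNameParameter` is declared with neither a `default` nor any constraint, and it is spliced straight into the `s3://` URI of every S3Download step in this file, so whoever sets the parameter on the image recipe decides where `sshd_config`, the audit rules and the grub defaults are fetched from. Please state in the component `description` (or the parameter `description`) that the bucket must be one the build instance role is restricted to, and either give the parameter a `default` or say explicitly that it is required. Minor: the rewritten description still reads "builds an hardened image"; it should be "a hardened image".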
Expand All @@ -52,7 +57,7 @@ phases:
- name: AideCheck
action: S3Download
inputs:
- source: 's3://<bucket-name>/aide_check.conf'
- source: 's3://{{ S3BucketNameParameter }}/aide_check.conf'
destination: '/etc/cron.d/aide'
- name: BootloaderConfig
action: ExecuteBash
Expand All @@ -79,17 +84,17 @@ phases:
- name: MessageOfTheDay
action: S3Download
inputs:
- source: 's3://<bucket-name>/message_of_the_day.txt'
- source: 's3://{{ S3BucketNameParameter }}/message_of_the_day.txt'
destination: '/etc/motd'
- name: LocalLoginBanner
action: S3Download
inputs:
- source: 's3://<bucket-name>/local_login_banner.txt'
- source: 's3://{{ S3BucketNameParameter }}/local_login_banner.txt'
destination: '/etc/issue'
- name: RemoteLoginBanner
action: S3Download
inputs:
- source: 's3://<bucket-name>/remote_login_banner.txt'
- source: 's3://{{ S3BucketNameParameter }}/remote_login_banner.txt'
destination: '/etc/issue.net'
- name: MotdPermissions
action: ExecuteBash
Expand Down Expand Up @@ -228,23 +233,23 @@ phases:
- name: DisableIPv6
action: S3Download
inputs:
- source: 's3://<bucket-name>/grub_configuration.txt'
- source: 's3://{{ S3BucketNameParameter }}/grub_configuration.txt'
destination: '/etc/default/grub'

- name: ConfigureAuditd
action: S3Download
inputs:
- source: 's3://<bucket-name>/auditd.conf'
- source: 's3://{{ S3BucketNameParameter }}/auditd.conf'
destination: '/etc/audit/auditd.conf'
- name: ConfigureAuditRules
action: S3Download
inputs:
- source: 's3://<bucket-name>/audit_rules.txt'
- source: 's3://{{ S3BucketNameParameter }}/audit_rules.txt'
destination: '/etc/audit/rules.d/audit.rules'
- name: RsyslogConfiguration
action: S3Download
inputs:
- source: 's3://<bucket-name>/rsyslog_configuration.conf'
- source: 's3://{{ S3BucketNameParameter }}/rsyslog_configuration.conf'
destination: '/etc/rsyslog.conf'
- name: LogFilePermissions
action: ExecuteBash
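Review bot: the `DisableIPv6` step writes `grub_configuration.txt` over the whole of `/etc/default/grub`, which is much wider than the step name suggests; this hunk only swaps the placeholder, but now that the source bucket is a caller-supplied parameter it is worth renaming the step (for example `GrubConfiguration`) or noting in the step that the entire file is replaced, so a reader of the recipe knows what the parameter controls.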
Expand Down Expand Up @@ -302,10 +307,10 @@ phases:
- name: SSHConfiguration
action: S3Download
inputs:
- source: 's3://<bucket-name>/sshd_configuration.conf'
- source: 's3://{{ S3BucketNameParameter }}/sshd_configuration.conf'
destination: '/etc/ssh/sshd_config'
- name: UmaskConfiguration
action: S3Download
inputs:
- source: 's3://<bucket-name>/bashrc'
- source: 's3://{{ S3BucketNameParameter }}/bashrc'
destination: '/etc/bashrc'
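Review bot: `SSHConfiguration` replaces `/etc/ssh/sshd_config` wholesale from the parameterised bucket and nothing validates the result; a broken file locks SSH out of every instance launched from the AMI. Suggest an ExecuteBash step right after it that runs `sshd -t` so a bad configuration fails the build instead of shipping in the image.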
6 changes: 3 additions & 3 deletions docs/index.md
Expand Up @@ -6,9 +6,9 @@ Custom Build and Test Components developed for AWS EC2 Image Builder (https://do
2. Create IAM Role and attach following required policies:
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
- arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
3. Replace `<bucket-name>` with your newly created bucket name (configuration-bucket) in yaml component file
4. [Create EC2 Image Builder](https://eu-west-1.console.aws.amazon.com/imagebuilder/home#createPipeline) pipeline with Amazon Linux 2
5. [Create Components](https://eu-west-1.console.aws.amazon.com/imagebuilder/home#createComponent) that you want to use by coping yaml component file
3. [Create Components](https://eu-west-1.console.aws.amazon.com/imagebuilder/home#createComponent) that you want to use by copying yaml component file
4. [Create EC2 Image Builder](https://eu-west-1.console.aws.amazon.com/imagebuilder/home#createPipeline) pipeline with Amazon Linux 2 and specify the component from step 3
5. Specify your bucket name under `S3BucketNameParameter` with your newly created bucket name (configuration-bucket) in yaml component file
6. Select IAM Role that you have created on Step 2
7. Name your pipeline
8. Name your AMI
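Review bot: the new step 5 still tells the reader to set the bucket name "in yaml component file", but after this change the file no longer contains a bucket name; `S3BucketNameParameter` is supplied when the component is added to the image recipe in step 4, so this sentence will send readers back to editing the YAML. Reword it to say the value is entered as the component's parameter in the recipe. Step 2 also lists only the two managed policies and says nothing about the configuration bucket; since the component now reads from whatever bucket is given, add that the role must be allowed to read objects in that bucket, scoped to that one bucket rather than all of S3.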