Automated generation and deployment of hardened golden images

We helped a Fortune 500 organization with 400+ AWS accounts generate and distribute hardened, security-compliant golden image AMIs to all of their accounts and regions. The solution creates 100+ variants of golden images across 15+ operating system variants. The golden images ensure uniformity across the enterprise, help mitigate security vulnerabilities and ensure compliance with security best practices.

About the Client

The client is an insurance analytics company with 400+ AWS accounts across multiple business units having annual AWS spend north of tens of millions of dollars. DataGrokr has been their strategic partner for cloud adoption and cloud migrations since 2016.

Client’s need and Problem statement

The client wanted to minimize patching of their cloud servers and to minimize or eliminate zero-day vulnerabilities. They also wanted their cloud infrastructure (AWS EC2, EMR and Batch instances) to carry the same security agents and software as their on-prem infrastructure, and the servers to be compliant with industry standards (e.g. STIG and CIS). All of this had to be done across 15+ operating system variants, all 400+ AWS accounts and 17 regions.

Tech Stack

Our solution and outcomes

  • We designed, developed and deployed a custom solution based on AWS EC2 Image Builder. We automated the end-to-end workflow: creation of 100+ AMIs, validation, and distribution to 400+ accounts via cross-account AMI sharing.
  • The images are built with AWS EC2 Image Builder and hardened to the CIS and STIG standards. They have custom agents (such as Nessus and CrowdStrike) installed for compliance with internal security standards.
  • We implemented an AMI-Notifier component that proactively tracks new base AMI releases from AWS and adopts the latest one, so the images stay up to date and secure.
  • We implemented a routine cleanup mechanism for aging images, which optimizes cost while maintaining performance.
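As an added example (not the client's or DataGrokr's code), the retention logic behind such a cleanup: keep the newest N images per OS variant, retire only those past an age threshold, never touch images tagged Retain, and deregister each AMI before deleting its backing snapshots (a snapshot cannot be deleted while an AMI still references it). It assumes the pipeline tags each AMI with its variant; the inventory and AMI ids below are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed inventory (ids are not real): the shape a describe_images()
# result takes once the pipeline's "variant" tag has been pulled out.
SAMPLE_IMAGES = [
    {"image_id": "ami-a1", "variant": "al2023", "created": days_ago(10), "tags": {}},
    {"image_id": "ami-a2", "variant": "al2023", "created": days_ago(50), "tags": {}},
    {"image_id": "ami-a3", "variant": "al2023", "created": days_ago(120), "tags": {}},
    {"image_id": "ami-a4", "variant": "al2023", "created": days_ago(200), "tags": {"Retain": "true"}},
    {"image_id": "ami-r1", "variant": "rhel9", "created": days_ago(100), "tags": {}},
    {"image_id": "ami-r2", "variant": "rhel9", "created": days_ago(150), "tags": {}},
    {"image_id": "ami-r3", "variant": "rhel9", "created": days_ago(60), "tags": {}},
    {"image_id": "ami-w1", "variant": "win2022", "created": days_ago(5), "tags": {}},
    {"image_id": "ami-w2", "variant": "win2022", "created": days_ago(15), "tags": {}},
    {"image_id": "ami-w3", "variant": "win2022", "created": days_ago(28), "tags": {}},
]


def select_images_to_retire(images, now, keep_newest=2, max_age_days=90):
    """Return sorted AMI ids to deregister. Per variant the newest
    `keep_newest` always survive so a rollback target exists; older ones
    are retired only once past `max_age_days`; Retain=true is a hard stop."""
    by_variant = {}
    for img in images:
        by_variant.setdefault(img["variant"], []).append(img)
    retire = []
    for group in by_variant.values():
        group.sort(key=lambda i: i["created"], reverse=True)
        for img in group[keep_newest:]:
            if img["tags"].get("Retain", "").lower() == "true":
                continue
            if now - img["created"] > timedelta(days=max_age_days):
                retire.append(img["image_id"])
    return sorted(retire)


def retire_images(ec2, image_ids):
    """Deregister each AMI, then delete its EBS snapshots. `ec2` is any
    object with the boto3 EC2 client methods used here (pass
    boto3.client("ec2") in a real run). Returns {ami_id: [snapshot_ids]}."""
    deleted = {}
    for image_id in image_ids:
        desc = ec2.describe_images(ImageIds=[image_id])["Images"][0]
        ec2.deregister_image(ImageId=image_id)  # must precede snapshot deletion
        snaps = [b["Ebs"]["SnapshotId"] for b in desc.get("BlockDeviceMappings", [])
                 if b.get("Ebs", {}).get("SnapshotId")]
        for snap in snaps:
            ec2.delete_snapshot(SnapshotId=snap)
        deleted[image_id] = snaps
    return deleted
```

Run the selection in dry-run mode first and feed the returned list to `retire_images` only after confirming nothing in it is still referenced by a launch template or Auto Scaling group in a consuming account.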