Auditing Amazon Machine Images with Tripwire For DevOps
Tripwire For DevOps continues to add new features and capabilities. The newest of these is the ability to perform vulnerability scans against Amazon Machine Images (AMIs) in the same Tripwire For DevOps workflow used for your Docker containers. This blog will discuss the creation of AMIs and how to audit them for vulnerabilities within Tripwire For DevOps.
Amazon Web Services (AWS) uses Amazon Machine Images to bring some DevOps practices to more monolithic application stacks. AMIs are templates stored in AWS that are used to launch new operating-system instances in the AWS cloud, the equivalent of the virtual machine file formats and infrastructure used by most virtualization technologies. Not every application or service can be easily containerized, and building AMIs is one way to achieve continuous delivery for monolithic applications and services.
Tripwire For DevOps lets you evaluate your Amazon Machine Images for vulnerabilities at build time, before they have been instantiated in your environment. A vulnerable image is caught in the pipeline rather than discovered after it is already running and exposed.
The first step in deploying an AMI template in AWS is creating one suited to your application stack. There are multiple ways of making a new AMI, including converting other popular virtualization formats into an AMI.
One tool we use at Tripwire is Packer by HashiCorp, which can build and configure AMIs. For the purposes of this demo, I used a Packer template found online to create an AMI containing an Apache web server. The AMI is built with the following command:
Once the Packer build finishes, you are given the AMI ID of your newly created AMI within AWS. You can use this, or any other AMI ID, within Tripwire For DevOps.
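As an added illustration of the build step described above (this is not the template the author used or any Tripwire code), the script below writes a minimal Packer HCL2 template for an Ubuntu-based Apache AMI, shows the `packer init` / `packer build` invocation, and then pulls the resulting AMI ID out of the manifest that Packer's `manifest` post-processor writes. The region, instance type, source-image filter, Canonical's AWS owner ID and the sample manifest contents are all assumptions chosen for the example; the real build needs AWS credentials and the `packer` binary and is deliberately not run automatically.

```shell
#!/bin/sh
# Added example: build an Apache AMI with Packer and capture the AMI ID for
# downstream scanning. Assumed values (region, instance type, source AMI
# filter, owner ID) are illustrative, not taken from the original post.

# Write a Packer HCL2 template to the path given as $1.
# The quoted heredoc keeps ${...} and {{...}} from being expanded by the shell.
write_packer_template() {
  cat > "$1" <<'EOF'
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.0.0"
    }
  }
}

variable "region" { default = "us-east-1" }   # assumed default region

# Packer HCL2 does not interpolate {{timestamp}}; build one from locals instead.
locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }

source "amazon-ebs" "apache" {
  region        = var.region
  instance_type = "t3.micro"                   # assumed
  ssh_username  = "ubuntu"
  ami_name      = "apache-demo-${local.timestamp}"
  source_ami_filter {
    filters = {
      name                = "ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["099720109477"]             # Canonical's AWS account (assumed here)
  }
}

build {
  sources = ["source.amazon-ebs.apache"]
  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo apt-get install -y apache2",
    ]
  }
  # Records every artifact (region:ami-id) so the pipeline can pick up the ID.
  post-processor "manifest" {
    output = "packer-manifest.json"
  }
}
EOF
}

# Run the real build. Requires AWS credentials and the packer binary;
# called explicitly by the operator, never at script load time.
build_ami() {
  packer init "$1" && packer build -var "region=${AWS_REGION:-us-east-1}" "$1"
}

# Extract the most recent AMI ID from a Packer manifest without needing jq.
# Each artifact_id has the form "<region>:<ami-id>"; keep only the ami-id.
ami_id_from_manifest() {
  sed -n 's/.*"artifact_id"[[:space:]]*:[[:space:]]*"[^":]*:\(ami-[0-9a-f]*\)".*/\1/p' "$1" | tail -n 1
}

# Constructed sample manifest (the shape Packer's manifest post-processor
# emits), used here so the extraction can be exercised offline.
write_sample_manifest() {
  cat > "$1" <<'EOF'
{
  "builds": [
    {
      "name": "apache",
      "builder_type": "amazon-ebs",
      "build_time": 1700000000,
      "files": null,
      "artifact_id": "us-east-1:ami-00dd51d2",
      "packer_run_uuid": "00000000-0000-0000-0000-000000000000",
      "custom_data": null
    }
  ],
  "last_run_uuid": "00000000-0000-0000-0000-000000000000"
}
EOF
}

# Typical operator flow (uncomment to run a real build):
#   write_packer_template apache.pkr.hcl
#   build_ami apache.pkr.hcl
#   AMI_ID=$(ami_id_from_manifest packer-manifest.json)
#   echo "Scan $AMI_ID in Tripwire For DevOps"
```

Capturing the AMI ID from the manifest rather than scraping `packer build` output is what makes the next step automatable: the ID can be handed straight to the scanning stage of the pipeline, and a build whose manifest contains no `ami-` artifact fails loudly instead of silently scanning nothing.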
Using your new AMI ID (ami-00dd51d2 in this example), (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/devops/auditing-amazon-machine-images-tripwire-for-devops/