IBM TechXchange AWS Cloud Native User Group

Automate STIG Compliance for RHEL 9 EC2 Instances with Image Builder

By Reza Beykzadeh posted 2 days ago

Organizations face significant challenges maintaining Security Technical Implementation Guide (STIG) compliance across their Amazon EC2 instances. Manual STIG implementation is error-prone, time-consuming, and difficult to scale. This solution demonstrates how to automate STIG compliance for Red Hat Enterprise Linux 9 (RHEL 9) using Amazon EC2 Image Builder and AWS CloudFormation.

Solution Overview

This solution creates STIG-compliant Amazon Machine Images (AMIs) by combining Amazon EC2 Image Builder with Red Hat's official STIG Ansible role. The automated pipeline applies the same security controls to every EC2 instance launched from the image while reducing operational overhead.

Security and compliance with industry regulations are primary considerations for organizations using cloud infrastructure. The Security Technical Implementation Guides (STIGs) published by the US Department of Defense's Defense Information Systems Agency (DISA) are configuration standards for hardening software and hardware systems. STIG compliance is required for organizations operating in regulated industries or those that must meet US government security requirements.

Amazon Web Services (AWS) offers a way to automate the creation of STIG-hardened instances using Amazon EC2 Image Builder, a fully managed service that simplifies the creation, maintenance, validation, sharing, and deployment of AMIs for Amazon Elastic Compute Cloud (Amazon EC2) instances. With EC2 Image Builder, organizations can automate the creation of STIG-hardened AMIs in commercial AWS Regions as well as in AWS GovCloud (US) Regions.

To keep RHEL 9 EC2 instances aligned with current DISA STIG requirements, use the latest version of Red Hat's official STIG role and the packages it depends on; Red Hat maintains and updates the role as the STIG changes.

Red Hat regularly releases updated STIG content that reflects newly published requirements and revised security controls. Building from current content helps ensure RHEL 9 EC2 instances meet the STIG's configuration requirements. One caveat: pulling the newest role at build time means two builds can apply different rule sets, so record the role version installed in each build (for example, as a tag on the resulting AMI) so that any AMI can be traced to the exact STIG content applied to it.

Key Benefits of Automated STIG-Compliant AMI Creation with Image Builder

Creating instances with enhanced STIG compliance offers several advantages:

1.    Alignment with STIG security standards, which is crucial for security and governance

2.    Time and resource savings through automation of the instance creation process

3.    Ability to quickly launch instances with enhanced security and compliance features

4.    Consistent application of security controls across multiple instances

5.    Easier maintenance and updating of security configurations

EC2 Image Builder Overview

EC2 Image Builder simplifies the process of creating, maintaining, and validating AMIs for EC2 instances. It can be accessed through the AWS Management Console, programmatically through its APIs, or deployed using AWS CloudFormation or the AWS Cloud Development Kit (AWS CDK) to automate AMI creation and management. With EC2 Image Builder, you can create customized images optimized for specific use cases that incorporate the security standards you require.

EC2 Image Builder supports multiple operating systems, including:

·      Amazon Linux 2 and Amazon Linux 2023

·      Red Hat Enterprise Linux (RHEL) 7, 8, 9, and 10

·      Ubuntu 18.04, 20.04, 22.04, 24.04 LTS

·      Windows Server 2012-2025

·      SUSE Linux 12 and 15

·      And more

You can use EC2 Image Builder to create AMIs optimized for specific use cases such as web servers, databases, or machine learning workloads. It also supports the creation of golden images that can serve as the foundation for new instances.

EC2 Image Builder integrates with other AWS services, including:

·      Amazon EC2 Auto Scaling - Ensures your scaling applications always use the latest STIG-compliant AMIs when launching new instances

·      AWS Organizations and AWS Resource Access Manager (AWS RAM) - Enables centralized management and sharing of STIG-compliant AMIs across your organization's accounts

·      AWS Systems Manager - Provides automated patching and maintenance of your STIG-compliant instances

·      AWS Identity and Access Management (IAM) - Controls access to Image Builder resources and AMI distribution

Together, these integrations enable automated creation, management, and deployment of AMIs with STIG compliance controls across your AWS environment.

Implementation

A sample project for creating a STIG-compliant AMI for Red Hat Enterprise Linux (RHEL 9) EC2 instances on AWS is available at:

GitHub Repository: https://github.com/rezaarchi/ec2-imagebuilder-rhel9.git

The sample:

  1. Installs the official Red Hat RHEL 9 STIG Ansible role (RedHatOfficial.rhel9_stig) from Ansible Galaxy, so that the controls applied track current DISA Security Technical Implementation Guide requirements.
  2. Applies the role to the Amazon EC2 RHEL 9 build instance using Ansible in local connection mode (the playbook runs on the instance itself, so no SSH access or inventory is needed).
  3. Creates a hardened AMI from the STIG-configured instance, with encrypted EBS volumes.

The resulting AMI can then be used to launch instances with enhanced STIG compliance features in the future.

The specific STIG controls implemented include:

  • Ensuring proper file permissions and ownership
  • Configuring system auditing
  • Implementing password policies
  • Configuring network security settings
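A way to verify a handful of the controls in these four categories on the finished image, as an added example that is not code from the linked repository or from the Red Hat role. It is intended to run in the Image Builder validate phase or on an instance launched from the AMI: a non-zero exit fails the build. It assumes Python 3 on the host, reads system state through a reader object so the same checks can be exercised offline against constructed data, and uses expected values that I understand the RHEL 9 STIG to require for these settings; confirm them against the STIG release you are targeting before relying on them.

```python
"""Spot-check a RHEL 9 host against a few of the STIG controls listed above.

Added example: not code from the linked repository or from the Red Hat role.
State is read through a reader object so the checks run on a live host
(LiveReader, the default) or against constructed data (StaticReader) for
offline tests. Expected values are what the RHEL 9 STIG requires for these
settings as I understand it; verify them against the release you target.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple


class LiveReader:
    """Reads real files, permission bits, sysctl values and unit state."""

    def read(self, path: str) -> str:
        with open(path) as f:
            return f.read()

    def mode(self, path: str) -> int:
        return os.stat(path).st_mode & 0o777

    def sysctl(self, key: str) -> str:
        out = subprocess.run(["sysctl", "-n", key], capture_output=True, text=True, check=True)
        return out.stdout.strip()

    def service_enabled(self, unit: str) -> bool:
        out = subprocess.run(["systemctl", "is-enabled", unit], capture_output=True, text=True)
        return out.stdout.strip() == "enabled"


class StaticReader:
    """Same interface over constructed data (used for offline testing)."""

    def __init__(self, files: Dict[str, str], modes: Dict[str, int],
                 sysctls: Dict[str, str], enabled: Set[str]):
        self.files, self.modes, self.sysctls, self.enabled = files, modes, sysctls, enabled

    def read(self, path): return self.files.get(path, "")
    def mode(self, path): return self.modes.get(path, 0o777)
    def sysctl(self, key): return self.sysctls.get(key, "")
    def service_enabled(self, unit): return unit in self.enabled


def setting(text: str, key: str) -> Optional[str]:
    """Value of the last uncommented 'key value' or 'key = value' line, else None.

    Later lines win, which is how login.defs and pwquality.conf are evaluated."""
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(rf"^{re.escape(key)}\s*=?\s*(\S+)$", line)
        if m:
            value = m.group(1)
    return value


def stig_spot_check(reader=None) -> List[Tuple[str, bool, str]]:
    """Return (control, passed, detail) for each check."""
    r = reader or LiveReader()
    results: List[Tuple[str, bool, str]] = []

    # File permissions: the mode must be no more permissive than the STIG maximum.
    for path, maximum in (("/etc/shadow", 0o000), ("/etc/passwd", 0o644), ("/etc/group", 0o644)):
        got = r.mode(path)
        results.append((f"mode {path}", got & ~maximum == 0, f"max {maximum:04o}, got {got:04o}"))

    # System auditing: auditd must be enabled at boot.
    results.append(("auditd enabled", r.service_enabled("auditd"), "systemctl is-enabled auditd"))

    # Password policies: max age <= 60 days, min age >= 1 day, minimum length >= 15.
    login_defs = r.read("/etc/login.defs")
    pwquality = r.read("/etc/security/pwquality.conf")
    for name, got, ok in (
        ("login.defs PASS_MAX_DAYS <= 60", setting(login_defs, "PASS_MAX_DAYS"), lambda v: int(v) <= 60),
        ("login.defs PASS_MIN_DAYS >= 1", setting(login_defs, "PASS_MIN_DAYS"), lambda v: int(v) >= 1),
        ("pwquality minlen >= 15", setting(pwquality, "minlen"), lambda v: int(v) >= 15),
    ):
        results.append((name, got is not None and got.isdigit() and ok(got), f"got {got}"))

    # Network settings: no ICMP redirects in or out, no forwarding, full ASLR.
    for key, want in (("net.ipv4.conf.all.accept_redirects", "0"),
                      ("net.ipv4.conf.all.send_redirects", "0"),
                      ("net.ipv4.ip_forward", "0"),
                      ("kernel.randomize_va_space", "2")):
        got = r.sysctl(key)
        results.append((f"sysctl {key}", got == want, f"want {want}, got {got}"))
    return results


def failed(results: List[Tuple[str, bool, str]]) -> List[str]:
    """Names of the controls that did not pass."""
    return [name for name, ok, _ in results if not ok]


if __name__ == "__main__":
    import sys
    res = stig_spot_check()
    for name, ok, detail in res:
        print(f"{'PASS' if ok else 'FAIL'} {name} ({detail})")
    sys.exit(1 if failed(res) else 0)  # non-zero exit fails an Image Builder validate step
```

The permission check compares bit patterns rather than exact modes, because the STIG phrases these rules as "mode 0644 or less permissive"; a stricter mode such as 0640 on /etc/passwd still passes. The `setting` helper takes the last matching line, which is what login.defs and pwquality.conf do when a hardening role appends a value below a stock one.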

By automating this process, organizations can maintain consistent security configurations across their Amazon EC2 instances and more easily stay current with the latest STIG requirements.

The diagram below illustrates the automated STIG compliance workflow for RHEL 9 EC2 instances, showing how AWS CloudFormation orchestrates EC2 Image Builder to pull the official Red Hat STIG Ansible role from GitHub and Ansible Galaxy, apply DISA STIG CAT I (High) security controls, and produce a hardened golden AMI that can be used to launch consistently compliant instances at scale.

Deployment Instructions

Prerequisites

  • AWS CLI configured with appropriate credentials
  • An existing VPC with at least one subnet
  • An S3 bucket for STIG artifacts (or the stack will create one)
  • An EC2 key pair named imagebuilder (or modify the template)
  • Appropriate IAM permissions to create CloudFormation stacks and associated resources

Installation Steps

  1. Clone the repository:

```bash
git clone https://github.com/rezaarchi/ec2-imagebuilder-rhel9.git
cd ec2-imagebuilder-rhel9
```

  2. Deploy the CloudFormation stack. The parameter key STIGArtifactsBukcet is spelled exactly as the template declares it:

```bash
aws cloudformation create-stack \
  --stack-name rhel9-stig-imagebuilder \
  --template-body file://rhel9-stig.yml \
  --parameters \
    ParameterKey=VpcId,ParameterValue=vpc-xxxxxxxxx \
    ParameterKey=VpcCidr,ParameterValue=10.0.0.0/16 \
    ParameterKey=DemoSubnetIds,ParameterValue=subnet-xxxxxxxxx \
    ParameterKey=STIGArtifactsBukcet,ParameterValue=my-stig-artifacts-bucket \
    ParameterKey=BuildInstanceType,ParameterValue=t3.medium \
  --capabilities CAPABILITY_IAM
```

  3. Monitor stack creation until the status reaches CREATE_COMPLETE:

```bash
aws cloudformation describe-stacks \
  --stack-name rhel9-stig-imagebuilder \
  --query 'Stacks[0].StackStatus'
```

  4. Trigger the Image Builder pipeline. Once the stack is created, start the pipeline manually (replace ACCOUNT-ID, and the region if you are not in us-east-1):

```bash
aws imagebuilder start-image-pipeline-execution \
  --image-pipeline-arn arn:aws:imagebuilder:us-east-1:ACCOUNT-ID:image-pipeline/rhel9-stig-image-pipeline
```

  5. Monitor the build process in the Image Builder console or with the AWS CLI:

```bash
aws imagebuilder list-image-pipeline-images \
  --image-pipeline-arn arn:aws:imagebuilder:us-east-1:ACCOUNT-ID:image-pipeline/rhel9-stig-image-pipeline
```
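The same five steps driven from one script, as an added example that is not part of the linked repository: it deploys the stack, waits for it, starts the pipeline, polls the build to completion, and then refuses to hand out the AMI unless every EBS snapshot behind it is encrypted (and, optionally, encrypted under the template's customer managed key rather than the account default). It assumes boto3 is installed, that rhel9-stig.yml is in the working directory, that the stack and pipeline names are the ones used above, and that you know the KMS key ARN if you want the key check. The AWS calls are confined to main(); the helpers that inspect API responses are pure and can be tested offline against constructed responses.

```python
"""Run the deployment steps above end to end and gate the resulting AMI.

Added example, not part of the linked repository. Assumes boto3 is installed,
rhel9-stig.yml is in the working directory, and the stack/pipeline names match
the template. The helpers that inspect API responses are pure and can be tested
offline; the AWS calls are confined to main().
"""
import time
from typing import Dict, List, Optional, Tuple

STACK_NAME = "rhel9-stig-imagebuilder"
PIPELINE_NAME = "rhel9-stig-image-pipeline"
TERMINAL = {"AVAILABLE", "FAILED", "CANCELLED", "DEPRECATED", "DELETED", "DISABLED"}


def pipeline_arn(region: str, account_id: str, name: str = PIPELINE_NAME) -> str:
    """The image pipeline ARN used in steps 4 and 5."""
    return f"arn:aws:imagebuilder:{region}:{account_id}:image-pipeline/{name}"


def output_amis(get_image_response: Dict) -> Dict[str, str]:
    """Map region -> AMI ID from an imagebuilder GetImage response.

    Returns {} unless the image is AVAILABLE, so a caller never picks up an AMI
    from a build that is still running or has failed."""
    image = get_image_response["image"]
    if image["state"]["status"] != "AVAILABLE":
        return {}
    return {a["region"]: a["image"] for a in image["outputResources"]["amis"]}


def unencrypted_volumes(describe_images_response: Dict) -> List[Tuple[str, str]]:
    """(ami_id, device) for every EBS-backed device that is not encrypted.
    Instance-store (ephemeral) mappings have no Ebs key and are skipped."""
    findings = []
    for img in describe_images_response["Images"]:
        for bdm in img.get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")
            if ebs is not None and not ebs.get("Encrypted"):
                findings.append((img["ImageId"], bdm["DeviceName"]))
    return findings


def snapshot_findings(describe_snapshots_response: Dict,
                      expected_kms_key_arn: Optional[str] = None) -> List[Tuple[str, str]]:
    """(snapshot_id, reason) for snapshots that are unencrypted or, when an
    expected key is given, encrypted under some other key (for example the
    account's default aws/ebs key instead of the template's customer managed key)."""
    findings = []
    for snap in describe_snapshots_response["Snapshots"]:
        if not snap.get("Encrypted"):
            findings.append((snap["SnapshotId"], "not encrypted"))
        elif expected_kms_key_arn and snap.get("KmsKeyId") != expected_kms_key_arn:
            findings.append((snap["SnapshotId"], f"encrypted with {snap.get('KmsKeyId')}"))
    return findings


def main(region: str, account_id: str, vpc_id: str, vpc_cidr: str, subnet_id: str,
         bucket: str, expected_kms_key_arn: Optional[str] = None) -> Dict[str, str]:
    import boto3  # imported here so the pure helpers stay importable without boto3

    cfn = boto3.client("cloudformation", region_name=region)
    ib = boto3.client("imagebuilder", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)

    # Steps 2-3: create the stack and block until CREATE_COMPLETE (the waiter raises on failure).
    with open("rhel9-stig.yml") as f:
        cfn.create_stack(
            StackName=STACK_NAME, TemplateBody=f.read(), Capabilities=["CAPABILITY_IAM"],
            Parameters=[
                {"ParameterKey": "VpcId", "ParameterValue": vpc_id},
                {"ParameterKey": "VpcCidr", "ParameterValue": vpc_cidr},
                {"ParameterKey": "DemoSubnetIds", "ParameterValue": subnet_id},
                {"ParameterKey": "STIGArtifactsBukcet", "ParameterValue": bucket},  # key spelled as in the template
                {"ParameterKey": "BuildInstanceType", "ParameterValue": "t3.medium"},
            ])
    cfn.get_waiter("stack_create_complete").wait(StackName=STACK_NAME)

    # Step 4: start the pipeline; the build version ARN identifies this particular run.
    build_arn = ib.start_image_pipeline_execution(
        imagePipelineArn=pipeline_arn(region, account_id))["imageBuildVersionArn"]

    # Step 5: poll until the build reaches a terminal state. A STIG build takes tens of minutes.
    while True:
        resp = ib.get_image(imageBuildVersionArn=build_arn)
        if resp["image"]["state"]["status"] in TERMINAL:
            break
        time.sleep(60)
    amis = output_amis(resp)
    if not amis:
        raise RuntimeError(f"build ended in state {resp['image']['state']}")

    # Gate: refuse to hand out an AMI whose volumes are not encrypted under the expected key.
    ami_id = amis[region]
    images = ec2.describe_images(ImageIds=[ami_id])
    snap_ids = [m["Ebs"]["SnapshotId"] for m in images["Images"][0]["BlockDeviceMappings"] if "Ebs" in m]
    findings = unencrypted_volumes(images) + snapshot_findings(
        ec2.describe_snapshots(SnapshotIds=snap_ids), expected_kms_key_arn)
    if findings:
        raise RuntimeError(f"AMI {ami_id} failed encryption checks: {findings}")
    return {"ami": ami_id, "build": build_arn}
```

main() raises instead of returning an AMI ID when the build ends in any state other than AVAILABLE or when a snapshot fails the encryption check, so a CI job that wraps it cannot publish a non-compliant image by accident. The key check is done against DescribeSnapshots rather than DescribeImages because the snapshot record is where the KMS key ID is reported.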

Parameter Definitions

| Parameter | Type | Description | Example |
|---|---|---|---|
| VpcId | AWS::EC2::VPC::Id | The ID of the VPC where Image Builder build instances will be launched. This VPC must have internet connectivity (via NAT Gateway or Internet Gateway) for package downloads. | vpc-0123456789abcdef0 |
| DemoSubnetIds | AWS::EC2::Subnet::Id | The subnet where Image Builder will launch build instances. Should be a private subnet with outbound internet access via NAT Gateway for downloading packages and Ansible roles. | subnet-0123456789abcdef0 |
| STIGArtifactsBukcet | String | Name of the S3 bucket where STIG configuration artifacts will be stored. If the bucket doesn't exist, it will be created. Use a unique name compliant with S3 naming requirements. | my-org-stig-artifacts-2024 |
| BuildInstanceType | String | EC2 instance type for the Image Builder build process. Default is t3.medium. Larger instances speed up the build but increase cost. | t3.medium (default), t3.large, t2.medium |

VpcCidr, passed in the create-stack command above, is also a template parameter; check rhel9-stig.yml for how it is used.

IMPORTANT:

Running this solution will incur AWS charges. Estimated cost is $5-15/month for occasional builds, primarily from EC2 build instances, EBS snapshots ($1/month per AMI), and KMS keys ($1/month). To minimize costs, delete unused AMIs and snapshots, disable the pipeline when not in use, and set up AWS billing alerts.

Summary

Organizations can automate STIG compliance for their Red Hat Enterprise Linux 9 (RHEL 9) instances on Amazon EC2 by combining Amazon EC2 Image Builder with AWS CloudFormation. This approach removes the complexity of manual configuration by automating the creation of STIG-compliant Amazon Machine Images (AMIs), and it pulls in the latest Red Hat STIG content so the images track current security standards. Organizations save time, apply consistent security controls across instances, and simplify maintenance. The CloudFormation template creates an image pipeline that downloads and applies the latest Red Hat STIG Ansible role, implementing controls for file permissions, system auditing, password policies, and network security settings. This streamlined approach helps organizations maintain strong security configurations across their EC2 instances while reducing operational overhead in their cloud environments.

Additional Resources

To further deepen your understanding of STIG compliance and the tools involved, consider exploring the following resources:

·       AWS EC2 Image Builder Documentation

·       Red Hat Security Content

·       STIG Compliance and Best Practices

·       AWS Compliance Center

·       STIG Automation with Ansible Playbooks

Reza Beykzadeh is an IBM Cloud Enterprise Solutions Architect responsible for defining the overall structure of AWS technical programs for Federal clients. He primarily designs functional technology solutions, oversees development and implementation of programs, and provides technical leadership as well as support to software development teams. He holds 13 AWS certifications, including SAP on AWS and Machine Learning. He has a strong focus on generative AI, leveraging it to innovate and optimize legacy code conversion solutions. IBM has recognized him as a ‘rockstar’ for his dedication to client success and his contributions to integrating GenAI with AWS solutions. He was recently named a Federal Market Circle Golden Circle Honoree, an elite group of top performing IBMers who delivered outstanding business results in 2024. He holds a B.A. in Information Technology from George Mason University.


Gary Zasman is a seasoned cloud architect at IBM with decades of experience in designing and implementing scalable, secure, and cost-effective solutions on AWS. With a passion for innovation and a knack for solving complex technical challenges, Gary has helped numerous organizations transform their Applications, IT infrastructure and achieve their business goals.

Gary holds multiple AWS certifications, including AWS Certified Solutions Architect – Professional and AWS Certified DevOps Engineer – Professional. He is known for his deep understanding of cloud-native technologies, DevOps practices, and his ability to translate business requirements into robust technical solutions.

Abby Wilson, is a US Consulting Partner Solutions Architect at Amazon Web Services (AWS). Her experience spans across various aspects of cloud solutions, with a particular focus on helping partners leverage AWS Generative AI technologies effectively. Abby’s industrial engineering background allows her to approach complex systems with an eye for efficiency and optimization.

Subhash Sharma is Sr. Partner Solutions Architect at Amazon Web Services (AWS). He has more than 25 years of experience in delivering distributed, scalable, highly available, and secured software products using microservices, AI/ML, the Internet of Things (IoT), and blockchain using a DevSecOps approach. In his spare time, Subhash likes to spend time with family and friends, hike, walk on the beach, and watch TV.
