AMI Age Should Not Exceed the Configured Age

More Info:

Your AMI age should be more than configured number of days. This ensures that your EC2 instances deployed are secure and reliable.

Risk Level

Low

Address

Operational Maturity, Security, Reliability

Compliance Standards

HITRUST, SOC2, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “AMI Age Should Not Exceed the Configured Age” misconfiguration in AWS, you can follow the below steps using AWS CLI:

First, identify the AMIs that have exceeded the configured age by running the below command:
```
aws ec2 describe-images --owners self --query 'Images[?CreationDate<=`<configured_age>`].[ImageId,CreationDate]' --output text
```
Note: Replace <configured_age> with the age limit in the format yyyy-mm-dd.
Once you have identified the AMIs, you can deregister them using the below command:
```
aws ec2 deregister-image --image-id <image_id>
```
Note: Replace <image_id> with the ID of the AMI that you want to deregister.
Finally, to automate this process, you can create a Lambda function that runs the above commands on a scheduled basis to ensure that AMIs do not exceed the configured age limit.

Using Python

To remediate the AMI Age misconfiguration in AWS using Python, you can follow the steps below:

Identify the misconfigured AMIs by checking their age against the configured age.
Create a Lambda function in AWS that uses the Boto3 library to identify the misconfigured AMIs.
Use the EC2 client in Boto3 to get a list of all the AMIs in your AWS account.
Loop through the list of AMIs and check the age of each one against the configured age.
If an AMI is older than the configured age, deregister it using the EC2 client.
Set up a CloudWatch event to trigger the Lambda function at a regular interval to ensure that all misconfigured AMIs are remediated in a timely manner.

Here’s some sample Python code that can be used to identify and deregister misconfigured AMIs:

import boto3
from datetime import datetime, timedelta

# Set the configured age of AMIs in days
configured_age = 30

# Create an EC2 client
ec2 = boto3.client('ec2')

# Get a list of all the AMIs in the account
response = ec2.describe_images(Owners=['self'])

# Loop through the list of AMIs and check their age
for image in response['Images']:
    creation_date = datetime.strptime(image['CreationDate'], '%Y-%m-%dT%H:%M:%S.%fZ')
    age_in_days = (datetime.now() - creation_date).days
    if age_in_days > configured_age:
        # Deregister the AMI
        ec2.deregister_image(ImageId=image['ImageId'])

Note: This is just a sample code and it may need to be modified based on your specific requirements. Also, make sure to test the code thoroughly before running it in a production environment.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AMI Age Should Not Exceed the Configured Age

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: