Description
Is your idea request related to a problem that you've solved? Please describe.
I have worked with customers who are interested in how to best harden the AMIs of their nodes to meet security regulations (PCI, CIS, etc.). I would like to have a resource I can easily point to that informs people about how to improve the security posture of their nodes' AMIs for security regulations. I understand that they'll still need to fine-tune things themselves, but I think it would be nice to have general guidance nonetheless.
Describe the best practice
The best practices I've found are as follows:
- Launch a bootstrap container on node startup to harden the node's AMI (typical approach for Bottlerocket) (additional source)
- Automate the AMI build and testing against relevant standards in a pipeline (blog post)
- Purchase a hardened AMI from AWS Marketplace (example)
- Use a standard AMI provided by AWS and then run the necessary tooling that every node needs as a DaemonSet
The customer should certainly use Amazon Inspector, kube-bench, or some other tool to double check that they are meeting their regulatory requirements.
Describe alternatives you've considered
The only other alternatives I know are to manually bake tools into an AMI to eventually create a custom AMI. Then after that people can adjust resources to point to the new custom AMI.
Additional context
Customers are interested in how to optimally harden their AMIs for regulatory requirements and want guidance on what the "best practice" or "recommended methods" are. I don't actually know if these are the optimal best practices. These are simply the strategies I've found online in public resources and I think it would be nice to officially determine what the best practice is.
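As an added illustration of the first option in the list (not part of the original issue or of any AWS documentation), this is the shape of Bottlerocket user data that registers a bootstrap container to run hardening logic at node startup; the container image reference and account ID are placeholders, and `mode`/`essential` values are the choices assumed here.

```toml
# Added example, not from the original issue. Bottlerocket reads this TOML as
# instance user data and starts the named bootstrap container before the
# orchestrator agent comes up. "harden" is an arbitrary name.
[settings.bootstrap-containers.harden]
# Image that carries the hardening steps. Placeholder: replace with an image
# you build and scan in your own pipeline (123456789012 is not a real account).
source = "123456789012.dkr.ecr.us-west-2.amazonaws.com/bootstrap-harden:v1"
# "once" runs the container on first boot only; "always" re-runs it on every
# boot, which matters if a reboot should re-apply settings. "off" disables it.
mode = "once"
# When true, boot does not proceed if the container exits non-zero, so a
# failed hardening step fails closed instead of producing an unhardened node.
essential = true
```

Check the result the same way the issue suggests for the other options: run kube-bench or Amazon Inspector against the booted node rather than trusting that the container ran.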