aws-blog-integrate-administrator-approval-ec2imagebuilder-awssystemmanager

This repository contains two CloudFormation templates that support an AWS Blog Post:

• simple_web_server_pipeline.yml: a non production example of EC2 Image builder pipeline that could create a Tomcat Server image.
• system_manager_automation_document.yml: a non production automation document that orchestrates creation of the Tomcat Server image, integrating administrator approval and resources sharing. Since there is resource sharing involved, you must be careful on how you define your resources, and check inputs in order to avoid sharing a resources with an unauthorized principal.

simple_web_server_pipeline.yml

Description

This CloudFormation template creates an EC2 Image Builder pipeline. When launched, the pipeline will build an Amazon Machine Image (AMI) that will be tested for vulnerabilities with Amazon Inspector. Be aware that the AMI is not production ready, and is provided as an example of how you could create a Tomcat Server within a Golden AMI process. Note that all created resources that support tags will have the tags owner/golden-ami-automation. This tag is also used in Roles, when defining Conditions. If you wish to modify this tag, make sure to change all references to it.

Parameters

The list of parameters for this template:

CustomSubnetId

Type: String
Description: If you do not have a default VPC, or want to use a different VPC, specify the ID of a subnet in which to place the instance used to customize your EC2 AMI. If not specified, a subnet from your default VPC will be used.

CustomSecurityGroupId

Type: CommaDelimitedList
Description: Required if you specified a custom subnet ID. Comma-delimted list of one or more IDs of security groups belonging to the VPC to associate with the instance used to customize your EC2 AMI.

BuildInstanceType

Type: CommaDelimitedList Default: t2.micro Description: Comma-delimited list of one or more instance types to select from when building the image. Image Builder will select a type based on availability. The supplied default is compatible with the AWS Free Tier.

Resources

The list of resources this template creates:

InstanceRole

Type: AWS::IAM::Role

InstanceProfile

Type: AWS::IAM::InstanceProfile

TomcatImageInfrastructureConfiguration

Type: AWS::ImageBuilder::InfrastructureConfiguration

InstallTomcatComponent

Type: AWS::ImageBuilder::Component

TomcatServerImageRecipe

Type: AWS::ImageBuilder::ImageRecipe

AmazonLinux2WithTomcat

Type: AWS::ImageBuilder::ImagePipeline

Outputs

No outputs are exposed by this template

system_manager_automation_document.yml

Description

This CloudFormation template creates a System Manager Automation runbook that will orchestrate a process to integrate administrator approval in an EC2 Image builder pipeline, before sharing the outputs with selected principals. Be aware that the Template is not production ready. You need to remove the (optional) steps that you don't need. Also, notice that there is no mechanims in this automation document to prevent sharing with unauthorized principals. You must handle this before using that template in production. Ideas are discussed in the associated blog post. Note that some IAM actions are defined with the condition "StringEquals:'aws:ResourceTag/owner': golden-ami-automation" in order to further control access. Make sure to add this tag to the SNS Topic and the RAM resources share that you provide. If you wish to change the take, ensure you replace all mention of this tag in this template.

Parameters

There is not parameters for this template. However, the created automation document exposes parameters:

ImageBuilderPipelineArn:

Description: (Required) Corresponding EC2 Image Builder Pipeline to execute. Type: String

PipelineApproverArn:

Description: (Required) Arn of the Role that must approve the built image. Type: StringList

SnsNotificationArn:

Description: (Required) Arn of the SNS topics for notifications. Type: String

ResourceShareArn:

Description: (Optional) Arn of the resource share to use to share EC2 Builder images. Used in Step 7. If not necessary, this parameter must be removed along with the corresponding step. Type: String

AMIPrincipals:

Description: (Optional) The EC2 AMI will be shared with this list of principals. Enter Account IDs. Used in Step 8. If not necessary, this parameter must be removed along with the corresponding step. Type: StringList

Resources

The list of resources this template creates:

AutomationRole

Type: AWS::IAM::Role

EC2BuilderAutomation

Type: AWS::SSM::Document

Outputs

No outputs are exposed by this template

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.