Automating AL2023 Custom Hardened AMI Updates for Amazon EKS Managed Nodes

2025-02-14

Keeping your container and OS images updated is crucial in today’s cybersecurity landscape. With vulnerabilities emerging daily, automating the process of updating worker node images in Amazon Elastic Kubernetes Service (EKS) is essential. AWS regularly releases new images, and automating their deployment ensures your EKS cluster remains secure and up-to-date.

Abhishek Nanda, Jayaprakash Alawala, and Rajesh Singh provide a detailed guide on automating this process using AL2023 custom hardened AMIs. Their approach ensures your EKS cluster runs the latest, most secure images.

Key Steps to Automate AMI Updates for EKS:

  1. Set Up AWS CodePipeline: Create a pipeline to monitor and deploy new AMI updates.
  2. Use AWS Systems Manager (SSM): Automate the patching and hardening of AMIs.
  3. Integrate with EKS: Ensure seamless deployment of updated AMIs to your EKS worker nodes.

Example Commands:

  • To check for the latest AMI ID:
    aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" --query 'Images[*].[ImageId,CreationDate]' --output text | sort -k2 | tail -n1
    
  • To update EKS worker nodes:
    eksctl upgrade nodegroup --name=<nodegroup-name> --cluster=<cluster-name> --kubernetes-version=<version> 
    

What Undercode Says

In the ever-evolving world of cybersecurity, staying ahead of vulnerabilities is non-negotiable. Automating AMI updates for Amazon EKS managed nodes is a proactive approach to ensure your infrastructure remains secure. By leveraging AWS CodePipeline, Systems Manager, and EKS, you can streamline the process of deploying hardened AMIs.

CLI commands like `aws ec2 describe-images` and `eksctl upgrade nodegroup` are invaluable for managing cloud resources efficiently. Additionally, integrating tools like Terraform or Ansible can further enhance automation. For instance, using Terraform to manage infrastructure as code ensures consistency and repeatability:
[hcl]
resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example-nodegroup"
  node_role_arn   = aws_iam_role.example.arn
  subnet_ids      = aws_subnet.example[*].id

  scaling_config {
    desired_size = 2
    max_size     = 3
    min_size     = 1
  }
}
[/hcl]

For Windows users, PowerShell commands can be used to interact with AWS services:

Get-EC2Image -Owner amazon -Filter @{Name="name";Values="Windows_Server-2022-English-Full-Base*"} 

By adopting these practices, you not only enhance security but also improve operational efficiency. Regularly updating your AMIs and automating the process ensures your EKS clusters are resilient against emerging threats.

For more details, refer to the original article: Automating AL2023 Custom Hardened AMI Updates for Amazon EKS Managed Nodes.
