I created an AMI with EC2 Image Builder, but certain files are missing from it. Why?

2020.10.17

This article was published more than a year ago. Please be aware that the information may be out of date.

Problem

I created an AMI with EC2 Image Builder, but certain files are missing from it. Why?

Example:

  • /etc/hostname

Cause

This is caused by a cleanup script that EC2 Image Builder runs unconditionally at the end of every Linux image build, before the AMI is captured. Its purpose is to make sure nothing build-specific leaks into the image: SSH host keys, authorized_keys files, cloud-init state and logs are removed so that every instance launched from the AMI generates fresh host keys and goes through a genuine first boot.

If a file you created during the build is missing from the resulting AMI, this script is the likely cause. Check whether the file, or a directory containing it, appears in the script below, which is reproduced from the AWS documentation. Note that the script does not simply delete: it overwrites each file with shred before unlinking it, and it exits with status 1 if any removal fails.

Security best practices for EC2 Image Builder

#!/bin/bash

FILES=(
        # Secure removal of list of sudo users
        "/etc/sudoers.d/90-cloud-init-users"

        # Secure removal of RSA encrypted SSH host keys.
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"

        # Secure removal of ECDSA encrypted SSH host keys.
        "/etc/ssh/ssh_host_ecdsa_key"
        "/etc/ssh/ssh_host_ecdsa_key.pub"

        # Secure removal of ED25519 encrypted SSH host keys.
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"

        # Secure removal of "root" user approved SSH keys list.
        "/root/.ssh/authorized_keys"

        # Secure removal of "ec2-user" user approved SSH keys list.
        "/home/ec2-user/.ssh/authorized_keys"

        # Secure removal of file which tracks system updates
        "/etc/.updated"
        "/var/.updated"

        # Secure removal of file with aliases for mailing lists
        "/etc/aliases.db"

        # Secure removal of file which contains the hostname of the system
        "/etc/hostname"

        # Secure removal of files with system-wide locale settings
        "/etc/locale.conf"

        # Secure removal of cached GPG signatures of yum repositories
        "/var/cache/yum/x86_64/2/.gpgkeyschecked.yum"

        # Secure removal of audit framework logs
        "/var/log/audit/audit.log"

        # Secure removal of boot logs
        "/var/log/boot.log"

        # Secure removal of kernel message logs
        "/var/log/dmesg"

        # Secure removal of cloud-init logs
        "/var/log/cloud-init.log"

        # Secure removal of cloud-init's output logs
        "/var/log/cloud-init-output.log"

        # Secure removal of cron logs
        "/var/log/cron"

        # Secure removal of aliases file for the Postfix mail transfer agent
        "/var/lib/misc/postfix.aliasesdb-stamp"

        # Secure removal of master lock for the Postfix mail transfer agent
        "/var/lib/postfix/master.lock"

        # Secure removal of spool data for the Postfix mail transfer agent
        "/var/spool/postfix/pid/master.pid"

        # Secure removal of history of Bash commands
        "/home/ec2-user/.bash_history"

)

for FILE in "${FILES[@]}"; do
      if [[ -f $FILE ]]; then
              echo "Deleting $FILE"
              sudo shred -zuf $FILE
      fi
      if [[ -f $FILE ]]; then
              echo "Failed to delete '$FILE'. Failing."
              exit 1
      fi
done

# Secure removal of TOE's log directories
if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then
      echo "Deleting files within {{workingDirectory}}/TOE_*"
      sudo find {{workingDirectory}}/TOE_* -type f -exec shred -zuf {} \;
fi
if [[ $( sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then
      echo "Failed to delete {{workingDirectory}}/TOE_*"
      exit 1
fi
if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then
      echo "Deleting {{workingDirectory}}/TOE_*"
      sudo rm -rf {{workingDirectory}}/TOE_*
fi
if [[ $( sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then
      echo "Failed to delete {{workingDirectory}}/TOE_*"
      exit 1
fi

# Secure removal of system activity reports/logs
if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting /var/log/sa/sa*"
      sudo shred -zuf /var/log/sa/sa*
fi
if [[ $( sudo find /var/log/sa/sa* -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Failed to delete /var/log/sa/sa*"
      exit 1
fi

# Secure removal of SSM logs
if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then
      echo "Deleting files within /var/log/amazon/ssm/*"
      sudo find /var/log/amazon/ssm -type f -exec shred -zuf {} \;
fi
if [[ $( sudo find /var/log/amazon/ssm -type f | sudo wc -l) -gt 0 ]]; then
      echo "Failed to delete /var/log/amazon/ssm"
      exit 1
fi
if [[ -d "/var/log/amazon/ssm" ]]; then
      echo "Deleting /var/log/amazon/ssm/*"
      sudo rm -rf /var/log/amazon/ssm
fi
if [[ -d "/var/log/amazon/ssm" ]]; then
      echo "Failed to delete /var/log/amazon/ssm"
      exit 1
fi

# Secure removal of DHCP client leases that have been acquired
if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting /var/lib/dhclient/dhclient*.lease"
      sudo shred -zuf /var/lib/dhclient/dhclient*.lease
fi
if [[ $( sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Failed to delete /var/lib/dhclient/dhclient*.lease"
      exit 1
fi

# Secure removal of cloud-init files
if [[ $( sudo find /var/lib/cloud -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting files within /var/lib/cloud/*"
      sudo find /var/lib/cloud -type f -exec shred -zuf {} \;
fi
if [[ $( sudo find /var/lib/cloud -type f | sudo wc -l ) -gt 0 ]]; then
      echo "Failed to delete /var/lib/cloud"
      exit 1
fi
if [[ $( sudo ls /var/lib/cloud | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting /var/lib/cloud/*"
      sudo rm -rf /var/lib/cloud/*
fi
if [[ $( sudo ls /var/lib/cloud | sudo wc -l ) -gt 0 ]]; then
      echo "Failed to delete /var/lib/cloud/*"
      exit 1
fi

# Secure removal of temporary files
if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then
      echo "Deleting files within /var/tmp/*"
      sudo find /var/tmp -type f -exec shred -zuf {} \;
fi
if [[ $( sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then
      echo "Failed to delete /var/tmp"
      exit 1
fi
if [[ $( sudo ls /var/tmp | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting /var/tmp/*"
      sudo rm -rf /var/tmp/*
fi

# Shredding is not guaranteed to work well on rolling logs

# Removal of system logs
if [[ -f "/var/lib/rsyslog/imjournal.state" ]]; then
      echo "Deleting /var/lib/rsyslog/imjournal.state"
      sudo shred -zuf /var/lib/rsyslog/imjournal.state
      sudo rm -f /var/lib/rsyslog/imjournal.state
fi
if [[ -f "/var/lib/rsyslog/imjournal.state" ]]; then
      echo "Failed to delete /var/lib/rsyslog/imjournal.state"
      exit 1
fi

# Removal of journal logs
if [[ $( sudo ls /var/log/journal/ | sudo wc -l ) -gt 0 ]]; then
      echo "Deleting /var/log/journal/*"
      sudo find /var/log/journal/ -type f -exec shred -zuf {} \;
      sudo rm -rf /var/log/journal/*
fi

Workaround

Because this script always runs, the only practical approach when you need your own configuration in place at instance boot is to keep the files or script in a location the cleanup script does not touch (any path not in the list above) and write your own systemd unit that applies them when the instance starts.

The following entry shows how to create a custom unit file that runs a script only once at boot; I hope it is useful.

How do I run a program only once at startup on an AMI created with EC2 Image Builder?
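The shell below is an added example, not part of the original article and not AWS tooling. It covers both halves of this page: image_builder_removes encodes the delete list from the script above so you can test a path before baking a file into the AMI, and install_firstboot_restore implements the workaround, staging files under /usr/local/share/firstboot-restore (a path the cleanup script does not touch) and installing a oneshot systemd unit that copies them to their real locations on the instance's first boot. The staging directory, unit name, script name and stamp file are this example's own choices, and the encoded list reflects the script as published in 2020; compare it with the current AWS page before relying on it.

```shell
#!/bin/sh
# Added example (not from the article or AWS): check a path against the
# Image Builder cleanup list, and install a first-boot unit that restores
# files staged in a surviving path. All names here are this example's own.

# Return 0 if PATH would be wiped by the cleanup script quoted on this page,
# 1 otherwise. Exact files, glob patterns and emptied trees are encoded as
# case patterns (2020 version of the list; re-check the AWS page).
# The TOE_* directories under the recipe's working directory are also
# removed but are not encoded because that path depends on the recipe.
image_builder_removes() {
  case "$1" in
    /etc/sudoers.d/90-cloud-init-users|\
    /etc/ssh/ssh_host_rsa_key|/etc/ssh/ssh_host_rsa_key.pub|\
    /etc/ssh/ssh_host_ecdsa_key|/etc/ssh/ssh_host_ecdsa_key.pub|\
    /etc/ssh/ssh_host_ed25519_key|/etc/ssh/ssh_host_ed25519_key.pub|\
    /root/.ssh/authorized_keys|/home/ec2-user/.ssh/authorized_keys|\
    /etc/.updated|/var/.updated|/etc/aliases.db|/etc/hostname|/etc/locale.conf|\
    /var/cache/yum/x86_64/2/.gpgkeyschecked.yum|\
    /var/log/audit/audit.log|/var/log/boot.log|/var/log/dmesg|\
    /var/log/cloud-init.log|/var/log/cloud-init-output.log|/var/log/cron|\
    /var/lib/misc/postfix.aliasesdb-stamp|/var/lib/postfix/master.lock|\
    /var/spool/postfix/pid/master.pid|/home/ec2-user/.bash_history|\
    /var/lib/rsyslog/imjournal.state)
      return 0 ;;                                   # shredded individually
    /var/log/sa/sa*|/var/lib/dhclient/dhclient*.lease)
      return 0 ;;                                   # shredded by glob
    /var/log/amazon/ssm|/var/log/amazon/ssm/*|/var/lib/cloud/*|\
    /var/tmp/*|/var/log/journal/*)
      return 0 ;;                                   # whole tree emptied
  esac
  return 1
}

# Workaround: install a oneshot systemd unit that, on the instance's first
# boot, copies every file under the staging dir (kept in the AMI because
# /usr/local is not on the list) to the same path under /, unless the target
# already exists. ROOT is an install prefix: "/" on a real build, a temp dir
# when testing. The unit is enabled by creating the wants symlink; nothing
# is started during the build, so the stamp file never ends up in the AMI.
install_firstboot_restore() {
  root=${1:-/}; root=${root%/}
  mkdir -p "$root/usr/local/share/firstboot-restore" "$root/usr/local/sbin" \
           "$root/etc/systemd/system/multi-user.target.wants"
  cat > "$root/usr/local/sbin/firstboot-restore.sh" <<'EOF'
#!/bin/sh
# Restore staged files; optional $1 is a root prefix (used when testing).
set -eu
ROOT=${1:-}; ROOT=${ROOT%/}
STAGE="$ROOT/usr/local/share/firstboot-restore"
STAMP="$ROOT/var/lib/firstboot-restore/done"
find "$STAGE" -type f | while read -r f; do
  target="$ROOT/${f#"$STAGE/"}"
  if [ ! -e "$target" ]; then          # never clobber a file already present
    mkdir -p "$(dirname "$target")"
    cp -p "$f" "$target"
  fi
done
mkdir -p "$(dirname "$STAMP")" && touch "$STAMP"
EOF
  chmod 0755 "$root/usr/local/sbin/firstboot-restore.sh"
  cat > "$root/etc/systemd/system/firstboot-restore.service" <<'EOF'
[Unit]
Description=Restore files removed by the EC2 Image Builder cleanup script
ConditionPathExists=!/var/lib/firstboot-restore/done
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firstboot-restore.sh

[Install]
WantedBy=multi-user.target
EOF
  ln -sfn /etc/systemd/system/firstboot-restore.service \
    "$root/etc/systemd/system/multi-user.target.wants/firstboot-restore.service"
}

# Quick check of the page's example path and of a path the script leaves alone.
for p in /etc/hostname /etc/systemd/system/myapp.service; do
  if image_builder_removes "$p"; then echo "removed by cleanup: $p"; else echo "kept: $p"; fi
done
```

In a build component you would call install_firstboot_restore / and copy the files to restore into /usr/local/share/firstboot-restore mirroring their final layout (for example .../firstboot-restore/etc/hostname). Do not run firstboot-restore.sh during the build: the stamp file would be baked into the AMI and the unit would never fire on launched instances. The /etc/hostname case is used only because it is the page's example; on EC2 the hostname is normally managed by cloud-init, and baking one value into every instance is rarely what you want.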

References