Enable AWS Config Across the Organization:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. It can be used to assess, audit, and evaluate the configurations of your resources.
Enabling AWS Config across the organization ensures that all accounts are monitored for compliance.
Create a Conformance Pack Using the approved-amis-by-id AWS Config Managed Rule:
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed across an organization.
The approved-amis-by-id managed rule checks whether running EC2 instances use AMIs from a specified list of approved AMI IDs; any instance launched from another AMI is marked non-compliant.
Deploy the Conformance Pack Across the Organization:
Deploying the conformance pack across the organization ensures that all accounts adhere to the policy of using only approved AMIs.
The conformance pack can be deployed via the AWS Management Console, CLI, or SDKs.
Configure the Rule to Run the AWS-StopEC2Instance AWS Systems Manager Automation Runbook for Non-Compliant EC2 Instances:
The AWS-StopEC2Instance runbook can be configured to automatically stop any EC2 instances that are found to be non-compliant (i.e., not using approved AMIs).
This remediation action ensures that any instance launched from an unapproved AMI is promptly stopped, enforcing the policy without manual intervention.
By following these steps, the solution ensures that all EC2 instances across the organization use approved AMIs, and any non-compliant instances are remediated automatically.
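As an added example (not part of the original answer or of AWS's own documentation), the following conformance pack template ties the steps above together: the approved-amis-by-id rule fed a list of AMI IDs, and an automatic remediation that runs the AWS-StopEC2Instance runbook against each non-compliant instance. The AMI IDs, account ID and role name are placeholders; the IAM role is assumed to exist in every member account, to trust ssm.amazonaws.com, and to allow ec2:StopInstances.

```yaml
# Added example: conformance pack that enforces approved AMIs with automatic
# remediation. AMI IDs, account ID and role name below are placeholders.
Parameters:
  ApprovedAmiIds:
    Type: String
    # Comma-separated list of approved AMI IDs (placeholder values)
    Default: ami-0000000000000001,ami-0000000000000002

Resources:
  ApprovedAmisById:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: approved-amis-by-id
      Description: Flags running EC2 instances whose AMI is not on the approved list.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: APPROVED_AMIS_BY_ID
      InputParameters:
        amiIds:
          Ref: ApprovedAmiIds

  StopNonCompliantInstances:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName:
        Ref: ApprovedAmisById          # Ref on a ConfigRule returns its name
      ResourceType: AWS::EC2::Instance
      TargetType: SSM_DOCUMENT
      TargetId: AWS-StopEC2Instance     # AWS-owned Automation runbook
      Automatic: true                   # remediate without manual approval
      MaximumAutomaticAttempts: 3       # stop retrying after 3 failed attempts
      RetryAttemptSeconds: 60           # wait 60 seconds between attempts
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID          # ID of the non-compliant instance
        AutomationAssumeRole:
          StaticValue:
            Values:
              # Placeholder role; must exist in every member account
              - arn:aws:iam::111122223333:role/ConfigRemediationRole
```

Deploy it from the organization's management or delegated administrator account with `aws configservice put-organization-conformance-pack --organization-conformance-pack-name ApprovedAmis --template-body file://approved-amis.yaml`.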