
Getting Started with Amazon Linux 2023 on AWS

This guide walks you through launching your first Kryden CIS Level 2 + STIG-hardened Amazon Linux 2023 AMI instance on AWS.

Finding the AMI

Via AWS Marketplace

  1. Navigate to AWS Marketplace
  2. Search for "Kryden Amazon Linux 2023"
  3. Click "Continue to Subscribe"
  4. Accept the terms and click "Continue to Configuration"

Via AWS Console

  1. Go to EC2 → AMIs → Public Images
  2. Search for the AMI ID listed in the Release Notes
  3. Select the AMI and click "Launch instance from AMI"

Launching an Instance

Supported Instance Types

Nitro-Based Instances Required

These AMIs require AWS Nitro-based instance types. They will not boot on older Xen-based instances (t2, m4, c4, etc.).

Kryden AL2023 AMIs are built using NVMe storage drivers on AWS Nitro infrastructure. Nitro instances use /dev/nvme* device paths, while older Xen instances use /dev/xvd* paths. Launching on a Xen-based instance will result in a boot failure because the expected NVMe devices don't exist.

Graviton (ARM) Supported

Unlike the RHEL AMIs, the Amazon Linux 2023 AMI supports both x86_64 and arm64 (Graviton) architectures. Select the appropriate AMI for your target architecture.

x86_64 instance types:

  Use Case             Instance Type  vCPUs  Memory  Notes
  Development/Testing  t3.micro       2      1 GB    Burstable, lowest cost
  Development/Testing  t3.small       2      2 GB    Burstable, good for light workloads
  Development/Testing  t3.medium      2      4 GB    Burstable, recommended minimum
  Production (small)   m5.large       2      8 GB    General purpose
  Production (medium)  m5.xlarge      4      16 GB   General purpose
  Compute-optimized    c5.large       2      4 GB    CPU-intensive workloads
  Memory-optimized     r5.large       2      16 GB   Memory-intensive workloads

arm64 (Graviton) instance types:

  Use Case             Instance Type  vCPUs  Memory  Notes
  Development/Testing  t4g.micro      2      1 GB    Burstable, lowest cost
  Development/Testing  t4g.small      2      2 GB    Burstable
  Development/Testing  t4g.medium     2      4 GB    Burstable, recommended minimum
  Production (small)   m6g.large      2      8 GB    General purpose Graviton
  Production (medium)  m6g.xlarge     4      16 GB   General purpose Graviton
  Compute-optimized    c6g.large      2      4 GB    CPU-intensive
  Memory-optimized     r6g.large      2      16 GB   Memory-intensive

Unsupported Instance Types

Do Not Use These Instance Types

The following Xen-based instance families are not supported:

  • T2 (t2.micro, t2.small, t2.medium, etc.)
  • M4 (m4.large, m4.xlarge, etc.)
  • C4 (c4.large, c4.xlarge, etc.)
  • R4 (r4.large, r4.xlarge, etc.)

Launching on these instances will cause a boot failure with the system waiting indefinitely for NVMe devices.

Security Group Configuration

The hardened AMI runs firewalld in drop zone, blocking all inbound traffic except SSH by default. Your security group should reflect the same minimum access:

  Port  Protocol  Purpose
  22    TCP       SSH access

Application Ports

The firewalld default zone is set to drop. All ports other than SSH are blocked at the OS level until you explicitly open them. After launch, add rules for any ports your application requires:

sudo firewall-cmd --permanent --zone=drop --add-port=8080/tcp
sudo firewall-cmd --reload

Connecting to Your Instance

ssh -i /path/to/your-key.pem ec2-user@<instance-public-ip>

Default User

The default user is ec2-user. Root login is disabled per STIG/CIS requirements.

Session Idle Timeout

The AMI enforces a 10-minute idle timeout (TMOUT=600). Inactive SSH sessions are automatically terminated. Use tools like tmux or screen for long-running tasks.

Verifying Your Instance

After connecting, verify the hardening is applied correctly:

Check SELinux Status

sestatus

Expected output should show SELinux status: enabled and Current mode: enforcing.

Check for Failed Services

sudo systemctl --failed

A healthy instance should report 0 loaded units listed.

Verify Firewall Status

sudo firewall-cmd --get-default-zone
sudo firewall-cmd --list-all --zone=drop

Expected: default zone is drop, SSH service is listed.

Verify IMDSv2 Enforcement

The AMI enforces IMDSv2 (Instance Metadata Service v2) for protection against SSRF attacks:

# This should return 401 (unauthorized)
curl -s -o /dev/null -w "%{http_code}" http://169.254.169.254/latest/meta-data/

# Use token-based access instead
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id

Post-Launch Checklist

  • [ ] Verify instance is running and passed status checks
  • [ ] Confirm SSH connectivity with key-based authentication
  • [ ] Verify SELinux is enforcing (sestatus)
  • [ ] Check no services have failed (systemctl --failed)
  • [ ] Review /var/log/cloud-init-output.log for any errors
  • [ ] Verify firewall default zone is drop (firewall-cmd --get-default-zone)
  • [ ] Open any required application ports in firewalld
  • [ ] Run a compliance scan using OpenSCAP or your preferred tool
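The checks from the Verifying Your Instance section and the checklist above, combined into one script. This is an added example, not part of the Kryden documentation or the AMI; it assumes the commands and expected outputs given above and a host where sestatus, firewall-cmd and curl are installed, and each check_* function takes the command output as an argument so it can also be exercised on constructed text.

```shell
#!/bin/sh
# Post-launch hardening checks for a Kryden AL2023 instance. Added example,
# not shipped with the AMI. Each check_* function takes command output as an
# argument, so the logic can be exercised on constructed text; run_live_checks
# feeds it the real output of sestatus, systemctl, firewall-cmd and curl.

# sestatus must report "SELinux status: enabled" and "Current mode: enforcing".
check_selinux() {
  printf '%s\n' "$1" | grep -Eq '^SELinux status:[[:space:]]+enabled' &&
    printf '%s\n' "$1" | grep -Eq '^Current mode:[[:space:]]+enforcing'
}

# systemctl --failed on a healthy instance ends with "0 loaded units listed".
check_no_failed_units() {
  printf '%s\n' "$1" | grep -q '^0 loaded units listed'
}

# $1 = default zone, $2 = firewall-cmd --list-all output for that zone:
# the zone must be drop and ssh must appear on its "services:" line.
check_firewall() {
  [ "$1" = "drop" ] &&
    printf '%s\n' "$2" | grep -Eq '^[[:space:]]*services:.*(^|[[:space:]])ssh([[:space:]]|$)'
}

# With IMDSv2 enforced, a request without a session token is rejected with 401.
check_imdsv2() {
  [ "$1" = "401" ]
}

# Run a check and print PASS/FAIL with the check name; $1 is the function name.
report() {
  if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; return 1; fi
}

run_live_checks() {
  rc=0
  report check_selinux "$(sestatus)" || rc=1
  report check_no_failed_units "$(systemctl --no-pager --failed)" || rc=1
  report check_firewall "$(sudo firewall-cmd --get-default-zone)" \
    "$(sudo firewall-cmd --list-all --zone=drop)" || rc=1
  code=$(curl -s -o /dev/null -w '%{http_code}' http://169.254.169.254/latest/meta-data/)
  report check_imdsv2 "$code" || rc=1
  return $rc
}

# Only attempt the live checks on a host that actually has the tools installed.
if command -v sestatus >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1; then
  run_live_checks || echo "One or more hardening checks failed" >&2
fi
```

Run it as ec2-user right after first login; any FAIL line points at the section above that explains the expected state.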

Important Notes

Authentication

  • SSH keys only: Password authentication is disabled per STIG/CIS requirements
  • Root login disabled: Use ec2-user and sudo for privileged operations
  • Account lockout: After 3 failed login attempts, accounts are locked for 15 minutes

Session Policy

  • Idle timeout: Sessions automatically disconnect after 10 minutes of inactivity (TMOUT=600)
  • For long-running tasks, use a terminal multiplexer: sudo dnf install -y tmux && tmux

File Permissions

  • umask 027: Files created by users have permissions 640 (owner read/write, group read, no world access). This is more restrictive than the typical 022 default. Ensure application-created files are accessible to the correct groups.

Firewall

  • Default zone is drop: all inbound traffic is dropped unless explicitly allowed
  • SSH is pre-configured in the drop zone
  • Add ports for your application after launch using firewall-cmd

Storage

  • Root volume uses gp3 volume type for consistent performance

Networking

  • IMDSv2 is enforced (token-based metadata access required)
  • IPv4 and IPv6 forwarding are enabled for container workloads

FIPS Mode

  • FIPS packages (dracut-fips, openssl-fips-provider) are installed but not enabled
  • FIPS mode requires a reboot after activation; it is not active by default on this AMI
  • To enable post-deployment: sudo fips-mode-setup --enable && sudo reboot

AIDE (File Integrity Monitoring)

  • AIDE is installed but the database is not initialized
  • Initialize post-deployment after your configuration is finalized: sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Container Workloads

  • IP forwarding, unprivileged user namespaces, and BPF are enabled for container compatibility (Podman, Kubernetes, etc.)
  • The squashfs kernel module is available (not blacklisted) to support container image storage

Next Steps