# Getting Started with RHEL on AWS
This guide walks you through launching your first Kryden STIG-aligned RHEL AMI instance on AWS.
## Finding the AMI
### Via AWS Marketplace
- Navigate to AWS Marketplace
- Search for "Kryden RHEL STIG"
- Select the AMI for your desired RHEL version (8 or 9)
- Click "Continue to Subscribe"
- Accept the terms and click "Continue to Configuration"
### Via AWS Console
- Go to EC2 → AMIs → Public Images
- Search for the AMI ID from the Release Notes:
- Select the AMI and click "Launch instance from AMI"
## Launching an Instance
### Supported Instance Types
Nitro-Based Instances Required
These AMIs require AWS Nitro-based instance types. They will not boot on older Xen-based instances (t2, m4, c4, etc.).
Kryden RHEL AMIs are built using NVMe storage drivers on AWS Nitro infrastructure. Nitro instances use /dev/nvme* device paths, while older Xen instances use /dev/xvd* paths. Launching on a Xen-based instance will result in a boot failure because the expected NVMe devices don't exist.
#### Recommended Instance Types
| Use Case | Instance Type | vCPUs | Memory | Notes |
|---|---|---|---|---|
| Development/Testing | t3.micro | 2 | 1 GB | Burstable, lowest cost |
| Development/Testing | t3.small | 2 | 2 GB | Burstable, good for light workloads |
| Development/Testing | t3.medium | 2 | 4 GB | Burstable, recommended minimum |
| Production (small) | m5.large | 2 | 8 GB | General purpose |
| Production (medium) | m5.xlarge | 4 | 16 GB | General purpose |
| Compute-optimized | c5.large | 2 | 4 GB | CPU-intensive workloads |
| Memory-optimized | r5.large | 2 | 16 GB | Memory-intensive workloads |
#### Supported Instance Families
The following Nitro-based instance families are supported:
| Family | Use Case | Examples |
|---|---|---|
| T3/T3a | Burstable general purpose | t3.micro, t3.small, t3.medium, t3.large |
| M5/M5a/M5n | General purpose | m5.large, m5.xlarge, m5.2xlarge |
| C5/C5a/C5n | Compute optimized | c5.large, c5.xlarge, c5.2xlarge |
| R5/R5a/R5n | Memory optimized | r5.large, r5.xlarge, r5.2xlarge |
| M6i/C6i/R6i | Latest generation | m6i.large, c6i.xlarge, r6i.large |
| Graviton (M6g/C6g/R6g) | ARM-based | Not supported (x86_64 AMI) |
#### Unsupported Instance Types
Do Not Use These Instance Types
The following Xen-based instance families are not supported:
- T2 (t2.micro, t2.small, t2.medium, etc.)
- M4 (m4.large, m4.xlarge, etc.)
- C4 (c4.large, c4.xlarge, etc.)
- R4 (r4.large, r4.xlarge, etc.)
Launching on these instances will cause a boot failure with the system waiting indefinitely for NVMe devices.
## Security Group Configuration
The STIG-aligned AMI requires specific ports for operation:
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH access |
SSH Access
Limit SSH access to known IP ranges. The STIG baseline enforces key-based authentication only.
## Connecting to Your Instance
Default User
The default user is ec2-user. Root login is disabled per STIG requirements.
## Verifying Your Instance
After connecting, verify the STIG hardening is applied correctly:
### Check SELinux Status
Run `sestatus`. The output should show `SELinux status: enabled` and `Current mode: enforcing`.
### Check for Failed Services
Run `systemctl --failed`. A healthy instance reports `0 loaded units listed.`
### Verify FIPS Mode
Run `fips-mode-setup --check`. It should report that FIPS mode is enabled, as the STIG baseline requires.
### Verify IMDSv2 Enforcement
The AMI enforces IMDSv2 (Instance Metadata Service v2) for protection against SSRF attacks:
```bash
# This should return 401 (unauthorized)
curl -s -o /dev/null -w "%{http_code}" http://169.254.169.254/latest/meta-data/

# Use token-based access instead
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id
```
## Post-Launch Checklist
- [ ] Verify instance is running and passed status checks
- [ ] Confirm SSH connectivity with key-based authentication
- [ ] Verify SELinux is enforcing (`sestatus`)
- [ ] Check no services have failed (`systemctl --failed`)
- [ ] Review `/var/log/cloud-init-output.log` for any errors
- [ ] Confirm FIPS mode is enabled (`fips-mode-setup --check`)
- [ ] Run a compliance scan using OpenSCAP or your preferred tool
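The verification steps and checklist items above gathered into one script, as an added example that is not part of the Kryden documentation or tooling. It assumes the output strings this page gives for `sestatus`, `systemctl --failed` and `fips-mode-setup --check`, and that a token-less metadata request returns 401 as shown in the IMDSv2 section.

```shell
#!/bin/sh
# Post-launch verification helpers for the STIG-aligned AMI (added example,
# not part of the Kryden documentation or tooling). Each check_* function
# parses command output from stdin or an argument, so the parsing can be
# exercised against sample output; verify_instance runs the real commands.

# sestatus must report "SELinux status: enabled" and "Current mode: enforcing"
check_selinux() {
  out=$(cat)
  printf '%s\n' "$out" | grep -Eq '^SELinux status:[[:space:]]+enabled$' &&
    printf '%s\n' "$out" | grep -Eq '^Current mode:[[:space:]]+enforcing$'
}

# systemctl --failed must report "0 loaded units listed."
check_failed_units() {
  grep -Eq '^0 loaded units listed'
}

# fips-mode-setup --check must report "FIPS mode is enabled."
check_fips() {
  grep -q 'FIPS mode is enabled'
}

# A metadata GET without a token must be rejected with HTTP 401 (IMDSv2 only)
check_imdsv2_code() {
  [ "$1" = "401" ]
}

# report STATUS NAME: print PASS/FAIL and record any failure in FAILED
FAILED=0
report() {
  if [ "$1" -eq 0 ]; then echo "PASS: $2"; else echo "FAIL: $2"; FAILED=1; fi
}

# Run every check on the live instance; returns 1 if any check failed
verify_instance() {
  FAILED=0
  sestatus 2>/dev/null | check_selinux; report $? selinux_enforcing
  systemctl --failed 2>/dev/null | check_failed_units; report $? no_failed_units
  fips-mode-setup --check 2>/dev/null | check_fips; report $? fips_enabled
  code=$(curl -s --max-time 2 -o /dev/null -w '%{http_code}' \
    http://169.254.169.254/latest/meta-data/)
  check_imdsv2_code "$code"; report $? imdsv2_required
  return "$FAILED"
}

# Only touch the live system when invoked as "sh verify.sh --run"
if [ "${1:-}" = "--run" ]; then verify_instance; fi
```

Copy the script to the instance and run `sh verify.sh --run` as `ec2-user`; a non-zero exit status means at least one check printed FAIL.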
## Important Notes
### Authentication
- SSH keys only: Password authentication is disabled per STIG requirements
- Root login disabled: Use `ec2-user` and `sudo` for privileged operations
- Account lockout: After 3 failed login attempts, accounts are locked for 15 minutes
### Storage
- Root volume is encrypted by default
- Uses gp3 volume type for consistent performance
### Networking
- IMDSv2 is enforced (token-based metadata access required)
- IPv4 and IPv6 forwarding are enabled for container workloads
## Next Steps
- Troubleshooting - Common issues and solutions