Testing frameworks for images built via Red Hat Insights image builder

Building images for cloud deployments or on-premises servers provides a number of challenges. In this learning path by Gianluca Zuccarelli and Obinna Ezeakachi, we’ll explore how to use Red Hat Insights image builder to deploy pre-hardened images then monitor the systems with our compliance tool.


Testing frameworks for images built via Insights image builder


Now that the image is built, it’s time to look at testing frameworks, compliance monitoring, and reporting. In this resource, we will cover how to monitor the system’s compliance using Insights Compliance. We’ll then compare that monitoring approach to using custom-built testing frameworks leveraging tools such as Amazon Web Services (AWS) Security Hub.

What will you learn?

  • Conducting Insights compliance monitoring, policies, and reporting
  • Creating custom testing framework using AWS Security Hub

What do you need before starting?

  • Cloud service provider account credentials
  • Red Hat account

Compliance monitoring

The choice to use the “PCI-DSS” profile was not an arbitrary one. Due to limitations with AWS Security Hub, we were not able to run scans for the “CIS” profile. This is because Amazon only recognizes images built with AWS when attempting to scan and report compliance for “CIS”.

To get started with Insights compliance, we need to make sure we have the correct permissions to access the feature. We need either the Insights compliance viewer role or the administrator role. We can check our access by clicking on the user icon in the top right corner of the screen and then selecting the My User Access option.

Screenshot of user permissions
Available Red Hat Enterprise Linux roles and associated Insights Compliance user permissions

You should see the “Compliance administrator” and the “Compliance viewer” roles. If you do not see these options, you should contact your organization administrator to arrange access.

Register the instance

For ease of use, it is highly recommended that you pre-register the image with Insights during image creation. You can do this in the Create Image wizard by selecting an activation key in Insights image builder. See Getting started with activation keys on the Hybrid Cloud Console for further guidance.

Additionally, you will need to ensure that Simple Content Access (SCA) is enabled on your account. This provides the simplest experience, ensuring that subscriptions are automatically usable on the system. SCA is enabled by default for new accounts. For older accounts that may not have this option enabled, you may need to contact the org admin for your company's Red Hat account to enable SCA.

Create the policy and attach it

We now need to create a policy and attach it to the instance from Insights Compliance in the console. To do this, navigate to SCAP policies.

If one is available, you can select an existing policy; otherwise, create a new policy. Depending on your organization, some policies may already have been created by the org admin or another user. For the purpose of this demo, we will create a new one.

For the policy, we will select Red Hat Enterprise Linux® 9 as the operating system. Next, we need to provide a description of the policy, the business objective, and the compliance threshold. For the business objective, we are trying to ensure that a customer's base image meets the PCI-DSS compliance standard, so we'll use that as the objective.

The compliance threshold describes the margin of error with which we are satisfied to consider the system as compliant with the standard. We will choose 95% for this demonstration, since there are still some remediation steps that need to be run manually in order to get a 100% compliant image built with Insights image builder.

Screenshot of policy creation
Screenshot of creating policy details for a new policy in Insights Compliance

We then need to register our system with the policy we are creating in Insights compliance; otherwise, running the compliance report generation will fail. We can select the system from the dropdown. The name of the system should match the IP address of the EC2 instance we have created and launched.

Screenshot of policy registration
Screenshot showing how to register a new policy to an existing system in the policy creation wizard in Insights Compliance

We will leave the default rules for the policy, since tailoring profiles in Insights image builder is not yet available at the time of writing (April 2024). Finally, we can review the policy and create it. We should now see the created policy in the list of SCAP policies.

Run the scan

We are now ready to run a scan and generate a report on the instance. To do so, run the following command on the instance (the flag is two hyphens, `--compliance`; a single dash or a typographic dash will not be recognized):

```bash
sudo insights-client --compliance
```

View the report

We can now navigate to the Reports page under Insights Compliance:

Screenshot of reports
Insights Compliance screenshot of the list of available compliance reports

We can see in the above screenshot that the image is 100% compliant since it met the compliance threshold of 95%. We can click on the report, get additional information, and see which rules are non-compliant in order to perform manual intervention.
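To make the threshold logic from the policy step and the per-rule view of the report concrete, here is an added example (not part of the original learning path, and not Red Hat's own code) that reads an XCCDF `TestResult` of the kind the OpenSCAP scanner writes, computes the pass percentage, compares it to the 95% threshold, and lists the failed rules that need manual intervention. The scoring rule (passed rules divided by scored rules, with notapplicable/notchecked/notselected/informational left out) follows XCCDF's default model and is an assumption about how Insights derives its percentage; the rule ids and results in `CONSTRUCTED_ROWS` are constructed sample data, not output from a real scan.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# Results that XCCDF's default scoring model leaves out of the score.
NOT_SCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def build_testresult(rows):
    """Assemble a minimal XCCDF TestResult from (rule id, result) pairs."""
    items = "".join(
        f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
        for rid, res in rows
    )
    return (f'<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" '
            f'id="xccdf_org.open-scap_testresult_pci-dss">{items}</TestResult>')


def evaluate(xml_text, threshold=95.0):
    """Count rule results, compute the pass percentage and list failures."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.iter(f"{XCCDF}rule-result"):
        result = rr.findtext(f"{XCCDF}result")
        counts[result] += 1
        # Anything scored that did not pass (fail, error, unknown) needs a human look.
        if result not in NOT_SCORED and result not in ("pass", "fixed"):
            failed.append(rr.get("idref"))
    scored = sum(n for r, n in counts.items() if r not in NOT_SCORED)
    passed = counts["pass"] + counts["fixed"]
    score = 100.0 * passed / scored if scored else 0.0
    return {"score": score, "compliant": score >= threshold,
            "failed_rules": failed, "counts": dict(counts)}


# Constructed sample: 38 passing rules, 2 failing, 2 unscored (not a real scan).
CONSTRUCTED_ROWS = (
    [(f"xccdf_org.ssgproject.content_rule_example_{i}", "pass") for i in range(38)]
    + [("xccdf_org.ssgproject.content_rule_sshd_disable_root_login", "fail"),
       ("xccdf_org.ssgproject.content_rule_package_aide_installed", "fail"),
       ("xccdf_org.ssgproject.content_rule_example_na", "notapplicable"),
       ("xccdf_org.ssgproject.content_rule_example_ns", "notselected")]
)

if __name__ == "__main__":
    report = evaluate(build_testresult(CONSTRUCTED_ROWS))
    print(f"score {report['score']:.1f}% compliant={report['compliant']}")
    for rid in report["failed_rules"]:
        print("manual intervention needed:", rid)
```

With the constructed data the score lands exactly on 95.0%, so the policy threshold is met even though two rules still fail; raising the threshold to 96% flips the verdict, which is why the threshold should be chosen against the known manual-remediation gap rather than left at a round number.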
