Open siuolkl opened 3 months ago
If you spin up an amazon al2023 image and look at the public key, it comes back as
gpg-pubkey-d832c631-6515c85e
On line 20 in vars/main.yml the key is defined as:
gpg-pubkey-d832c631-63977702
The last segment of the definition is different from what AWS AL2023 presents. We are starting with the minimal image and running hardening against it.
hi @eflowkram and @siuolkl
Can you just let me know which image you are using? It may be that we are using an older image and the keys got updated. I will try and get this tested as soon as possible.
many thanks
uk-bolly
ok noted @eflowkram @uk-bolly
image : ami-0ac9397cab55f5044
@siuolkl: an ami-id is a regional resource only.
@uk-bolly
We always pull the latest, which would be release 2023.4.20240528 as of today. We also always start with the minimal image. It's weird because the first part of the key hash matches what is in your code, but the second part doesn't. Copy-paste error? Here's the info: we start with the public image from Amazon, apply CIS and our needed tweaks for our org, and then snapshot it as our own "golden AMI" for the org to base stuff off of.
Ok, fired up an image. Parent image is
al2023-ami-minimal-2023.4.20240528-kernel-6.1-x86_64
Owner is account 137112412989 (amazon).
The package that the key belongs to is:
system-release-2023.4.20240528-0.amzn2023.noarch
I did not check the "non minimal" image. But they should be the same as it is their package signing key.
hi @eflowkram @siuolkl
Thank you for the feedback. We are indeed using a much older version of the AMI. I have updated the one we test with, and it works as expected with updates. I have added this to a new branch, june24_updates; I will look to PR and merge to devel next week.
thanks
uk-bolly
@uk-bolly I tried with multiple images (both older and newer) of Amazon Linux 2023, but I am still getting the same error. Please confirm which image to use so we will not get the GPG key issue.
Hey everyone,
I'm running into an issue while using Ansible Lockdown to harden my AWS AL2023 instance according to the CIS benchmark. During the playbook execution, I encountered the following error.
The playbook stops at this section. Any idea how to resolve it? I am trying to harden 100 instances.
TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] **** fatal: [...]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}
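The comparison this thread is debugging, written out as an added example that is not the ansible-lockdown role's own code. rpm names an imported key gpg-pubkey-<keyid>-<sigtime>: the first segment is the low 32 bits of the key fingerprint and the second is the creation time of the key's self-signature as a hex Unix timestamp, so a key that Amazon re-signed keeps the same d832c631 but gets a new last segment (63977702 is December 2022, 6515c85e is September 2023). The script below classifies each expected key as ok, re-signed or missing and decodes the timestamps so the two values can be compared by eye. The sample `rpm -q gpg-pubkey` output and the expected list are constructed from the two values quoted in this thread; the function and variable names are this example's own.

```python
"""Compare the gpg-pubkey packages rpm reports against an expected list.

Added example, not code from the ansible-lockdown role. It relies on rpm's
naming convention gpg-pubkey-<keyid>-<sigtime>, where <sigtime> is the
self-signature creation time as a hex Unix timestamp; the interpretation
that a changed last segment means the key was re-signed is an assumption.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample of `rpm -q gpg-pubkey` output on an AL2023 host,
# using the value reported in the thread.
SAMPLE_RPM_OUTPUT = "gpg-pubkey-d832c631-6515c85e\n"

# The expected value quoted from the role's vars/main.yml in the thread.
EXPECTED_KEYS = ["gpg-pubkey-d832c631-63977702"]


def parse_pubkey(name):
    """Split 'gpg-pubkey-<keyid>-<sigtime>' into (keyid, sigtime as int)."""
    parts = name.strip().split("-")
    if len(parts) != 4 or parts[:2] != ["gpg", "pubkey"]:
        raise ValueError(f"not a gpg-pubkey package name: {name!r}")
    return parts[2].lower(), int(parts[3], 16)


def sigtime_to_date(sigtime):
    """Render the hex timestamp segment as a UTC date for human review."""
    return datetime.fromtimestamp(sigtime, tz=timezone.utc).strftime("%Y-%m-%d")


def compare_keys(installed_lines, expected_names):
    """Classify each expected key as ok, resigned (same keyid, different
    sigtime) or missing; installed keys that were not expected are listed too."""
    installed = {}
    for line in installed_lines:
        if line.strip():
            keyid, sigtime = parse_pubkey(line)
            installed[keyid] = sigtime
    report = {"ok": [], "resigned": [], "missing": [], "unexpected": []}
    expected_ids = set()
    for name in expected_names:
        keyid, sigtime = parse_pubkey(name)
        expected_ids.add(keyid)
        if keyid not in installed:
            report["missing"].append(name)
        elif installed[keyid] == sigtime:
            report["ok"].append(name)
        else:
            report["resigned"].append({
                "expected": name,
                "installed": f"gpg-pubkey-{keyid}-{installed[keyid]:08x}",
                "expected_date": sigtime_to_date(sigtime),
                "installed_date": sigtime_to_date(installed[keyid]),
            })
    for keyid, sigtime in installed.items():
        if keyid not in expected_ids:
            report["unexpected"].append(f"gpg-pubkey-{keyid}-{sigtime:08x}")
    return report


def installed_pubkeys():
    """Query a live rpm-based host; rpm exits non-zero if no key is imported,
    which check=True turns into an exception."""
    out = subprocess.run(["rpm", "-q", "gpg-pubkey"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in installed_pubkeys()
    # to check a real host.
    report = compare_keys(SAMPLE_RPM_OUTPUT.splitlines(), EXPECTED_KEYS)
    for entry in report["resigned"]:
        print(f"{entry['expected']} (signed {entry['expected_date']}) is now "
              f"{entry['installed']} (signed {entry['installed_date']}): "
              "same key id, newer self-signature; update the expected value")
    for name in report["missing"]:
        print(f"{name}: not installed")
    for name in report["unexpected"]:
        print(f"{name}: installed but not in the expected list")
```

On the image discussed above the script reports the single key as re-signed rather than missing, which is the distinction the role's task message ("do not meet expected values or expected keys are not installed") leaves to the operator: the fix is to update the expected last segment, not to import another key.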