AMI scanning with Trivy
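#!/bin/bash
# Scan an AMI with Trivy: launch an instance from the source AMI, create a
# fresh image from that instance, scan the new image with `trivy vm`, and
# remove every resource this script created (instance, image, snapshots).
#
# Usage:    <script> <source-ami-id>
# Requires: aws CLI with credentials allowed to run/terminate instances,
#           create/deregister images and delete snapshots; trivy on PATH.
# Output:   result.json in the current directory; created IDs are echoed.
set -euo pipefail

AMI_ID=${1:?usage: ${0##*/} <ami-id>}
# Placeholders: replace with values from your own account/region.
KEY_NAME=xxxxxxx
SECURITY_GROUP_ID=sg-xxxxxxxxxxx
SUBNET_ID=subnet-xxxxxxxxxxxxxxx
INSTANCE_TYPE=t2.micro

# Resources created by this run. They are filled in as each one is created so
# that cleanup only ever touches what this script made.
INSTANCE_ID=
SCAN_AMI_ID=

#######################################
# Tear down everything created by this run. Runs on every exit path (trap),
# so a failed wait or scan does not leave a running instance behind.
# Globals: INSTANCE_ID, SCAN_AMI_ID (read)
#######################################
cleanup() {
  local rc=$?
  # Best effort: keep going when one step fails so the rest still gets removed.
  set +e
  if [[ -n "$INSTANCE_ID" ]]; then
    aws ec2 terminate-instances --instance-ids "$INSTANCE_ID"
  fi
  if [[ -n "$SCAN_AMI_ID" ]]; then
    # Snapshot IDs must be read before deregistering: the image disappears from
    # describe-images afterwards. Every EBS-backed mapping is listed, not just
    # the first one, so AMIs with extra volumes leave no orphaned snapshots.
    local snapshot_list
    snapshot_list=$(aws ec2 describe-images --image-ids "$SCAN_AMI_ID" \
      --query "Images[0].BlockDeviceMappings[].Ebs.SnapshotId" --output text)
    aws ec2 deregister-image --image-id "$SCAN_AMI_ID"
    local -a snapshot_ids=()
    read -r -a snapshot_ids <<<"$snapshot_list"
    local snap
    for snap in "${snapshot_ids[@]}"; do
      # Mappings without EBS storage render as "None" in text output.
      [[ "$snap" == "None" ]] && continue
      aws ec2 delete-snapshot --snapshot-id "$snap"
    done
  fi
  exit "$rc"
}
trap cleanup EXIT

printf '%s\n' "$AMI_ID"

################
# AMI scanning #
################
# Create an instance from the source AMI, tagged so it is easy to spot (and
# to remove by hand) if the script is interrupted before cleanup runs.
INSTANCE_ID=$(aws ec2 run-instances --image-id "$AMI_ID" \
  --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
  --security-group-ids "$SECURITY_GROUP_ID" --subnet-id "$SUBNET_ID" \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=trivy-test}]' 'ResourceType=volume,Tags=[{Key=Name,Value=trivy-test}]' \
  --query "Instances[0].InstanceId" --output text)
printf '%s\n' "$INSTANCE_ID"

# Wait for the instance to pass its status checks. The waiter has a bounded
# number of attempts and exits non-zero on timeout, which aborts the run.
aws ec2 wait instance-status-ok --instance-ids "$INSTANCE_ID"

# Create an AMI from the instance. Image names must be unique per account and
# region, so a timestamp suffix lets runs overlap or follow a failed cleanup.
SCAN_AMI_ID=$(aws ec2 create-image --instance-id "$INSTANCE_ID" \
  --name "trivy-test-$(date +%s)" --query "ImageId" --output text)
printf '%s\n' "$SCAN_AMI_ID"

# Wait for the AMI creation to complete
aws ec2 wait image-available --image-ids "$SCAN_AMI_ID"

# Run Trivy against the new image; cleanup still runs if the scan fails.
trivy vm --security-checks vuln -f json -o result.json --list-all-pkgs "ami:${SCAN_AMI_ID}"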
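#!/bin/bash
# Scan an AMI with Trivy via a VM-image export: launch an instance from the
# source AMI, create a fresh image from it, export that image to S3 as a VMDK,
# download and scan the file, then remove every resource this script created
# (instance, image, snapshots, S3 object, local file).
#
# Usage:    <script> <source-ami-id>
# Requires: aws CLI with credentials allowed to run/terminate instances,
#           create/deregister/export images, delete snapshots and read/write
#           the bucket; trivy on PATH.
# Output:   result.json in the current directory; created IDs are echoed.
# Note:     the export is a complete copy of the disk, including anything
#           stored on it, so the bucket must not be publicly readable.
set -euo pipefail

AMI_ID=${1:?usage: ${0##*/} <ami-id>}
# Placeholders: replace with values from your own account/region.
KEY_NAME=xxxxxxx
SECURITY_GROUP_ID=sg-xxxxxxxxxxx
SUBNET_ID=subnet-xxxxxxxxxxxxxxx
INSTANCE_TYPE=t2.micro
S3_BUCKET=xxxxxxxxxxx
EXPORT_FILE=./exported-ami.vmdk

# Resources created by this run. They are filled in as each one is created so
# that cleanup only ever touches what this script made.
INSTANCE_ID=
SCAN_AMI_ID=
TASK_ID=

#######################################
# Tear down everything created by this run. Runs on every exit path (trap),
# so a failed export or scan does not leave a running instance or a disk
# image sitting in S3.
# Globals: INSTANCE_ID, SCAN_AMI_ID, TASK_ID, S3_BUCKET, EXPORT_FILE (read)
#######################################
cleanup() {
  local rc=$?
  # Best effort: keep going when one step fails so the rest still gets removed.
  set +e
  if [[ -n "$INSTANCE_ID" ]]; then
    aws ec2 terminate-instances --instance-ids "$INSTANCE_ID"
  fi
  if [[ -n "$SCAN_AMI_ID" ]]; then
    # Snapshot IDs must be read before deregistering: the image disappears from
    # describe-images afterwards. Every EBS-backed mapping is listed, not just
    # the first one, so AMIs with extra volumes leave no orphaned snapshots.
    local snapshot_list
    snapshot_list=$(aws ec2 describe-images --image-ids "$SCAN_AMI_ID" \
      --query "Images[0].BlockDeviceMappings[].Ebs.SnapshotId" --output text)
    aws ec2 deregister-image --image-id "$SCAN_AMI_ID"
    local -a snapshot_ids=()
    read -r -a snapshot_ids <<<"$snapshot_list"
    local snap
    for snap in "${snapshot_ids[@]}"; do
      # Mappings without EBS storage render as "None" in text output.
      [[ "$snap" == "None" ]] && continue
      aws ec2 delete-snapshot --snapshot-id "$snap"
    done
  fi
  if [[ -n "$TASK_ID" ]]; then
    # Remove only this task's object rather than the whole exports/ prefix, so
    # a run never deletes another job's exports. ${S3_BUCKET:?} guards against
    # an empty bucket name producing a malformed s3:/// URI.
    aws s3 rm "s3://${S3_BUCKET:?}/exports/${TASK_ID}.vmdk"
  fi
  # Delete the downloaded VMDK file (a full disk image; do not leave it around).
  rm -f -- "$EXPORT_FILE"
  exit "$rc"
}
trap cleanup EXIT

printf '%s\n' "$AMI_ID"

################
# AMI scanning #
################
# Create an instance from the source AMI, tagged so it is easy to spot (and
# to remove by hand) if the script is interrupted before cleanup runs.
INSTANCE_ID=$(aws ec2 run-instances --image-id "$AMI_ID" \
  --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
  --security-group-ids "$SECURITY_GROUP_ID" --subnet-id "$SUBNET_ID" \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=trivy-test}]' 'ResourceType=volume,Tags=[{Key=Name,Value=trivy-test}]' \
  --query "Instances[0].InstanceId" --output text)
printf '%s\n' "$INSTANCE_ID"

# Wait for the instance to pass its status checks. The waiter has a bounded
# number of attempts and exits non-zero on timeout, which aborts the run.
aws ec2 wait instance-status-ok --instance-ids "$INSTANCE_ID"

# Create an AMI from the instance. Image names must be unique per account and
# region, so a timestamp suffix lets runs overlap or follow a failed cleanup.
SCAN_AMI_ID=$(aws ec2 create-image --instance-id "$INSTANCE_ID" \
  --name "trivy-test-$(date +%s)" --query "ImageId" --output text)
printf '%s\n' "$SCAN_AMI_ID"

# Wait for the AMI creation to complete
aws ec2 wait image-available --image-ids "$SCAN_AMI_ID"

# Export the AMI to the S3 bucket as a VMDK under the exports/ prefix.
TASK_ID=$(aws ec2 export-image --image-id "$SCAN_AMI_ID" \
  --disk-image-format VMDK \
  --s3-export-location "S3Bucket=${S3_BUCKET},S3Prefix=exports/" \
  --query "ExportImageTaskId" --output text)
printf '%s\n' "$TASK_ID"

# Poll until the export finishes. A task that is deleting/deleted will never
# reach "completed", so treat those states as failure instead of looping forever.
while :; do
  STATUS=$(aws ec2 describe-export-image-tasks --export-image-task-ids "$TASK_ID" \
    --query "ExportImageTasks[0].Status" --output text)
  printf '%s\n' "$STATUS"
  case "$STATUS" in
    completed)
      break
      ;;
    deleting|deleted)
      printf 'export task %s did not complete (status: %s)\n' "$TASK_ID" "$STATUS" >&2
      exit 1
      ;;
  esac
  sleep 10
done

# Download the exported VMDK file
aws s3 cp "s3://${S3_BUCKET}/exports/${TASK_ID}.vmdk" "$EXPORT_FILE"

# Run Trivy against the local disk image; cleanup still runs if the scan fails.
trivy vm --security-checks vuln -f json -o result.json "file:${EXPORT_FILE}"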