We run hundreds of virtual servers on Amazon Web Services. So when security bugs like the bash vulnerabilities from a couple of weeks ago arise, we’re faced with a sudden, urgent need to perform a lot of updates.
These virtual servers are started from an Amazon Machine Image, or AMI, that has a basic operating system installed and usually not much else. When low-level vulnerabilities come up, Ubuntu is quick to provide a set of new, fixed AMIs, with a great website you can use to manually find what you need.
But how do we find the right updated AMI for the barrage of different ones being used across all our servers? The answer: write a Node.js module to do it for us!
Our open-source update-amis module uses
the AWS EC2 API
to look up information about an Ubuntu AMI and tell you the ID of the most up-to-date
AMI sharing all the same qualities (operating system version, region, virtualization
type, etc). Not only that, but given a file or just any old string of text, update-amis
will hunt for anything that looks like an AMI ID, and find/replace it with the
most up-to-date AMI available.
We document our servers' configurations in AWS Cloudformation templates.
One of these files defines all the AWS resources needed to run and maintain one
of our services. So now, when we need to update the servers backing one of our
services we can just run the template through update-amis and deploy the fixed
template!