View Issue Details

ID: 0017789
Project: Cloud Instance SIG
Category: [All Projects] general
View Status: public
Last Update: 2020-10-16 16:03
Reporter: davdunc
Priority: low
Severity: minor
Reproducibility: N/A
Status: new
Resolution: open
Platform: Amazon EC2
Summary: 0017789: Add CentOS Version to AWS Marketplace as "Sold by AWS"
Description: The AWS Marketplace team has created an opportunity to deliver the official images to customers via a "provided by AWS" account. This would provide full searchability and detail regarding the official CentOS images, and all published images could be listed for AWS customer use. This will automatically provide customers the ability to leverage public parameters in SSM to associate "latest" with the most recent Fedora release, as well as more consistent searchability in the AWS console.

Deploying images across partitions requires a significant amount of effort, including certifications and permissions for ITAR regions or opt-in-only regions, where AMI delivery best practices require a significant number of accounts to separate publications. To bypass these requirements, the CentOS images can be published using the existing scanning and certification systems put in place by the AWS Marketplace team to simplify Amazon Partner Network participation. This makes it possible to clone images built today by the Red Hat CPE as community images, but with the added benefit of making the images available in regions where the CPE would otherwise be required to have signed legal agreements and credentials on file. Moreover, personal liability would be necessary for the project leadership. Other options additionally require intermediate business agreements further removed from the original project leadership.

There are also Amazon EC2 users who have developed policies requiring all images used to pass through AWS Marketplace security scanning to avoid concerns related to security issues, such as the one outlined in CVE-2018-15869 (https://nvd.nist.gov/vuln/detail/CVE-2018-15869). While the CentOS community already does an excellent job of producing a curated list of current AMIs, this allows the images to be integrated more deeply into the AWS ecosystem. Ultimately, this is expected to lead to increased adoption, community participation, and increased visibility for the CentOS cloud images.

This is intended to be consistent with the upstream details for handling this for the Fedora community approved here: https://pagure.io/Fedora-Council/tickets/issue/332
Tags: Amazon, AMI

Activities

davdunc (reporter), 2020-10-16 00:03, note ~0037812

The AWS Marketplace team is now publishing base images mirrored from the official AMIs with updates across all regions, including the GovCloud regions, in this new profile: https://aws.amazon.com/marketplace/seller-profile?id=045847c6-6990-4bdb-b490-0b159744e3a4 Note: no modification or deviation from the updates provided by the CPE team is made to these images.
angelangeles (reporter), 2020-10-16 16:01, note ~0037813

David, this is awesome! I'm glad to finally see unmodified AMIs properly available for CentOS 8 on the AWS Marketplace. A couple of questions/concerns:

1. Why are these images being loaded against a separate "Amazon Web Services" Marketplace profile instead of the existing "Amazon Web Services" profile that currently hosts all the other official AMIs: https://aws.amazon.com/marketplace/seller-profile?id=e6a5002c-6dd0-4d1e-8196-0a1d1857229b ?

This current implementation makes things confusing when searching for images; for instance, take a look at this search result:
https://aws.amazon.com/marketplace/search/results?page=1&filters=vendor_id&vendor_id=045847c6-6990-4bdb-b490-0b159744e3a4%2Ce6a5002c-6dd0-4d1e-8196-0a1d1857229b&searchTerms=linux+8

In the above-referenced search result if I'm filtering by "Vendors" I have to select two different "Amazon Web Services" to include all results.

2. Will these mirrored AMIs include the ARM (aarch64) images?

3. The current description of the CentOS 8 listing calls it a "default CentOS-7 image" instead of a "default CentOS 8 image".

4. Similar to other mirrored AMIs listed by "Amazon Web Services", can we ensure these listings show the proper CentOS Marks/Branding?

Another concern that warrants discussion is the countless CentOS images on the AWS Marketplace that illegitimately utilize the CentOS Marks/Branding and/or have a vendor profile name that purports or suggests it to be an official image when it is not. This search result highlights the issue: https://aws.amazon.com/marketplace/search/results?page=1&filters=VendorId&VendorId=cb14f0b8-1ca0-4485-bc79-a2cb2b9a4feb%2C79e4b2cd-a4a8-47b7-a0f2-db8b7a69f8fb&searchTerms=centos+8

Ultimately I want to avoid scenarios similar to CVE-2018-15869 (https://nvd.nist.gov/vuln/detail/CVE-2018-15869, which David referenced in the upstream Fedora Council ticket), wherein an AWS Marketplace user could believe they are deploying the official unmodified CentOS AMI but are instead deploying a potentially re-packaged version from a commercial vendor.
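An added example, not part of this ticket and not code from the CentOS or AWS projects, of the check both comments above argue for: choose an AMI by a verified owner account or Marketplace product code, never by its name alone, which is the mistake CVE-2018-15869 describes (omitting `--owners` on `aws ec2 describe-images`). It also shows why the owner check is not enough on its own for Marketplace listings: every Marketplace AMI is owned by the shared Marketplace account, so a seller that reuses the CentOS name is only distinguishable by product code. The account IDs, product codes and AMI records below are constructed placeholders; the one real API used is boto3's `describe_images`, in a function that is defined but not called offline.

```python
"""Pick a CentOS AMI only from owners or product codes you have verified.

Added example (not code from this ticket or the CentOS/AWS projects). It
applies the fix for CVE-2018-15869: gate AMI selection on OwnerId, the API
form of `--owners`, or on a known Marketplace product code, never on name.
"""
import re
from datetime import datetime

# Placeholders (assumptions, not real CentOS/Marketplace account IDs or codes).
TRUSTED_OWNERS = frozenset({"111111111111"})
TRUSTED_PRODUCT_CODES = frozenset({"exampleprodcode1"})
MARKETPLACE_OWNER = "222222222222"  # stands in for the shared Marketplace account
NAME_PATTERN = re.compile(r"^CentOS 8\b")
DATE_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # CreationDate format returned by EC2

# Constructed records in the shape of describe_images()["Images"]; the IDs,
# names and dates are invented for this example.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0a1a1a1a1a1a1a1a1", "OwnerId": "111111111111",
     "Name": "CentOS 8.2.2004 x86_64", "Architecture": "x86_64",
     "CreationDate": "2020-06-15T10:00:00.000Z"},
    {"ImageId": "ami-0b2b2b2b2b2b2b2b2", "OwnerId": "111111111111",
     "Name": "CentOS 8.2.2004 aarch64", "Architecture": "arm64",
     "CreationDate": "2020-06-15T10:00:00.000Z"},
    # Newest of all, official-sounding name, unknown community account.
    {"ImageId": "ami-0c3c3c3c3c3c3c3c3", "OwnerId": "999999999999",
     "Name": "CentOS 8 Official Image", "Architecture": "x86_64",
     "CreationDate": "2020-10-12T08:30:00.000Z"},
    # Marketplace mirror of the official image, identified by product code.
    {"ImageId": "ami-0e5e5e5e5e5e5e5e5", "OwnerId": MARKETPLACE_OWNER,
     "Name": "CentOS 8.2.2004 x86_64", "Architecture": "x86_64",
     "CreationDate": "2020-10-10T00:00:00.000Z",
     "ProductCodes": [{"ProductCodeId": "exampleprodcode1",
                       "ProductCodeType": "marketplace"}]},
    # Another seller's Marketplace listing reusing the CentOS name.
    {"ImageId": "ami-0f6f6f6f6f6f6f6f6", "OwnerId": MARKETPLACE_OWNER,
     "Name": "CentOS 8 Hardened", "Architecture": "x86_64",
     "CreationDate": "2020-10-11T00:00:00.000Z",
     "ProductCodes": [{"ProductCodeId": "otherprodcode99",
                       "ProductCodeType": "marketplace"}]},
]


def is_trusted(image, owners, product_codes):
    """Trust comes from the owner account or from a known product code."""
    if image["OwnerId"] in owners:
        return True
    return any(pc["ProductCodeId"] in product_codes
               for pc in image.get("ProductCodes", []))


def select_image(images, owners=TRUSTED_OWNERS, product_codes=frozenset(),
                 name_pattern=NAME_PATTERN, architecture="x86_64"):
    """Return the newest available trusted image matching name and architecture."""
    candidates = [
        img for img in images
        if is_trusted(img, owners, product_codes)  # mandatory, checked first
        and name_pattern.match(img["Name"])
        and img["Architecture"] == architecture
        and img.get("State", "available") == "available"
    ]
    if not candidates:
        raise LookupError("no trusted AMI matches the requested criteria")
    return max(candidates, key=lambda i: datetime.strptime(i["CreationDate"], DATE_FMT))


def lookalikes(images, owners=TRUSTED_OWNERS, product_codes=frozenset(),
               name_pattern=NAME_PATTERN):
    """Images carrying the distribution's name without a trusted source."""
    return [img for img in images
            if name_pattern.match(img["Name"])
            and not is_trusted(img, owners, product_codes)]


def describe_trusted_images(ec2_client, owners=TRUSTED_OWNERS, architecture="x86_64"):
    """Live boto3 query (not called offline); Owners=... is the safety property."""
    response = ec2_client.describe_images(
        Owners=sorted(owners),
        Filters=[{"Name": "architecture", "Values": [architecture]},
                 {"Name": "state", "Values": ["available"]}],
    )
    return response["Images"]


if __name__ == "__main__":
    chosen = select_image(SAMPLE_IMAGES, product_codes=TRUSTED_PRODUCT_CODES)
    print("chosen:", chosen["ImageId"], chosen["Name"], "owner", chosen["OwnerId"])
    for img in lookalikes(SAMPLE_IMAGES, product_codes=TRUSTED_PRODUCT_CODES):
        print("untrusted lookalike:", img["ImageId"], img["Name"], img["OwnerId"])
```

With only the owner allowlist, the selection ignores both Marketplace entries and lands on the community AMI from the trusted account; adding the trusted product code lets the newer Marketplace mirror win while the lookalike listings from the unknown account and from another seller are still rejected, which is the distinction the vendor-profile confusion in the comment above blurs.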

Issue History

Date Modified Username Field Change
2020-10-09 17:39 davdunc New Issue
2020-10-09 17:39 davdunc Tag Attached: Amazon
2020-10-09 17:39 davdunc Tag Attached: AMI
2020-10-16 00:03 davdunc Note Added: 0037812
2020-10-16 16:01 angelangeles Note Added: 0037813