Guidelines for All OMIs
- Disable services and protocols that authenticate users in clear text.
- Do not start unnecessary network services at launch. Only administrative services (SSH/RDP) and the services required for your application should be started.
- Securely delete all OUTSCALE credentials from disk and configuration files.
- Securely delete any third-party credentials from disk and configuration files.
- Securely delete any additional certificates or key material from the system.
- Ensure that any software you installed does not have default internal accounts and passwords.
Guidelines for Linux OMIs
- Configure sshd to allow only public key authentication. This can be done by setting the following in
- Generate a unique SSH host key on instance creation. If you are using cloud-init in your OMI, it can handle this for you automatically (the get-ssh-key script inside the OMI should be able to handle that too).
- Remove and disable passwords for all user accounts so that passwords cannot be used to log in and user accounts do not have a default password. This can be done by running for each account.
- Securely delete all user SSH public and private keypairs.
- Securely delete the shell history and system log files that contain sensitive data.
Remove SSH Host Key Pairs
If you plan to share an OMI derived from a public OMI, remove the existing SSH host key pairs located in /etc/ssh. This forces SSH to generate a new, unique host key pair when someone launches an instance using your OMI, improving security and reducing the likelihood of "man-in-the-middle" attacks: without this step, every instance built from the OMI shares the same host identity.
Remove all of the following key files that are present on your system:
You can securely remove all of these files with the following command:
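As an added example (not the command from the page), a small script that removes every `ssh_host_*_key` and `.pub` file in a directory, overwriting first when `shred` is available, plus a counter you can use to confirm nothing is left. The directory is a parameter so the function can be rehearsed on a copy; on the image itself it defaults to /etc/ssh.

```shell
#!/bin/sh
# Added example: strip SSH host key pairs from an image before sharing it.
# Not OUTSCALE's own command; defaults to /etc/ssh but accepts any directory.

# secure_rm FILE: overwrite then unlink with shred when present, else rm.
# Note that overwriting is only meaningful on filesystems that write in place;
# on copy-on-write or journaled-data filesystems and on cloud block storage,
# shred gives no guarantee, so treat the image snapshot itself as sensitive.
secure_rm() {
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$1"
    else
        rm -f -- "$1"
    fi
}

# remove_ssh_host_keys [DIR]: delete every host private key and its public half.
remove_ssh_host_keys() {
    dir=${1:-/etc/ssh}
    for f in "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue        # pattern did not expand to a real file
        secure_rm "$f"
        echo "removed $f"
    done
}

# count_ssh_host_keys DIR: how many host key files remain (0 is the goal).
count_ssh_host_keys() {
    n=0
    for f in "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Typical use on the image, as root, just before snapshotting:
#   remove_ssh_host_keys && count_ssh_host_keys /etc/ssh
```

Make sure something regenerates the keys on first boot: cloud-init does this by default, and on distributions without it `ssh-keygen -A` in a start-up script before sshd starts has the same effect.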
Install Public Key Credentials
After configuring the OMI to prevent logging in using a password, you must make sure users can log in using another mechanism.
3DS OUTSCALE allows users to specify a public-private keypair name when launching an instance. When a valid keypair name is provided to the RunInstances API call (or through the command line API tools), the public key (the portion of the keypair that 3DS OUTSCALE retains on the server after a call to ImportKeyPair) is made available to the instance through an HTTP query against the instance metadata. For more information, see Accessing the Metadata and User Data of an Instance.
To log in through SSH, your OMI must retrieve the key value at boot and append it to /root/.ssh/authorized_keys (or the equivalent for any other user account on the OMI).
Many OUTSCALE OMIs use the cloud-init package to inject public key credentials for a configured user. If your distribution does not support cloud-init, you can add the following code to a system start-up script (such as /etc/rc.local) to pull in the public key you specified at launch for the
This can be applied to any user account; you do not need to restrict it to
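The start-up snippet described above, written out as an added example (it is not the page's or 3DS OUTSCALE's own script). It fetches the launch key from the instance metadata and installs it for a user with the permissions sshd's StrictModes expects, refusing anything that does not look like an OpenSSH public key so a bad metadata response never ends up in authorized_keys. The metadata URL is an assumption (the AWS-style path used by the metadata service); check it against the Accessing the Metadata and User Data of an Instance page before relying on it.

```shell
#!/bin/sh
# Added example of an rc.local-style key installer; not OUTSCALE's own code.
# ASSUMPTION: the metadata endpoint path below; override via METADATA_KEY_URL.
METADATA_KEY_URL=${METADATA_KEY_URL:-http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key}

# fetch_launch_key: print the key, or fail quickly so a missing key cannot hang boot.
fetch_launch_key() {
    curl -sSf --connect-timeout 2 --max-time 10 "$METADATA_KEY_URL"
}

# looks_like_ssh_key KEY: accept only a single OpenSSH public-key line.
looks_like_ssh_key() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( |$)'
}

# install_authorized_key KEY HOME OWNER
# Append KEY once (no duplicates on reboot) with ~/.ssh 700, authorized_keys 600,
# owned by OWNER; sshd silently ignores the file if these are wrong.
install_authorized_key() {
    key=$1; home=$2; owner=$3
    looks_like_ssh_key "$key" || { echo "refusing to install malformed key" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chown -R "$owner" "$home/.ssh"
}

# Only touch the metadata service when invoked as "install [user]", so the
# functions above can be sourced and tested offline.
if [ "${1:-}" = install ]; then
    user=${2:-root}
    home=$(awk -F: -v u="$user" '$1 == u {print $6}' /etc/passwd)
    [ -n "$home" ] || { echo "unknown user $user" >&2; exit 1; }
    key=$(fetch_launch_key) || { echo "no launch key available" >&2; exit 1; }
    install_authorized_key "$key" "$home" "$user"
fi
```

Save it as, for instance, /usr/local/sbin/install-launch-key.sh and call `sh /usr/local/sbin/install-launch-key.sh install root` from /etc/rc.local (or a unit that runs before sshd). Because the function only appends when the exact line is absent, rerunning it on every boot is safe, and it can be applied to any user account by passing that user instead of root.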
Guidelines for Windows OMIs
- Ensure that all enabled user accounts have new randomly generated passwords on instance creation.
- Ensure that the guest account is disabled.
- Clear the Windows event log.
- Do not join the instance to a Windows domain.
- Do not enable any file share points that are accessible by unauthenticated users. It is recommended to completely disable file shares.
- Develop a repeatable process for building, updating, and republishing OMIs.
- Build OMIs using the most up-to-date operating systems, packages, and software.
- Verify that no guest accounts or Remote Desktop user accounts are present.
- Disable or remove unnecessary services and programs to reduce the attack surface of your OMI.
- Remove instance credentials, such as your key pair, from the OMI (if you saved them on the OMI). Store the credentials in a safe location.
- Ensure that the administrator password and passwords on any other accounts are set to an appropriate value for sharing. These passwords are available for anyone who launches your shared OMI.
- Test your OMI before you share it.
Sharing Your OMI Publicly
At the moment, it is not easy to tell who provided a shared OMI, because the owner of an OMI is shown only as an account ID. We recommend that you post a detailed description of your OMI.
Security Concerns with a Public OMI
If you discover a public OMI that you believe presents a security risk to any member of the OUTSCALE user community, for whatever reason, please e-mail 3DS OUTSCALE Security directly at firstname.lastname@example.org. We take security very seriously and investigate all reported issues.