System and Image Hardening and Management

Helvetia Insurance Switzerland
Security Platform Engineering Insurance

As part of the "System and Image Hardening and Management" project, b-nova supported Helvetia Insurance Switzerland in the hardening, standardization, and automated management of system and container images. The focus was on building hardened golden images using AWS EC2 Image Builder, securing container base images according to CIS benchmarks, and automating build, patch, and distribution processes with Ansible and CI/CD pipelines. The goal was to establish a consistently secure, reproducible, and maintainable foundation for all runtime environments across the platform landscape.

Biggest challenge

Establishing consistently hardened and standardized runtime environments across a growing platform landscape with automated compliance assurance

What we did

Building automated image hardening pipelines with AWS EC2 Image Builder and Ansible as well as standardization and lifecycle management of all system and container images

Main tools we used

AWS EC2 Image Builder, OpenShift, Docker, Podman, Ansible, Linux, GitHub Actions, ArgoCD

Tasks

Analysis of security requirements and coordination with security, platform, and operations teams to define the hardening strategy
Definition of technical security baselines and hardening guidelines based on CIS benchmarks and internal company policies
Setup and configuration of AWS EC2 Image Builder pipelines for automated creation of hardened AMIs (golden images)
Creation and maintenance of Ansible playbooks for reproducible system configuration and hardening measures
Hardening and standardization of container base images (Docker/Podman) for deployment on OpenShift
Integration of automated vulnerability scans into image build pipelines for early detection of security issues
Establishment of a structured patch management process for regular and traceable updates of all images
Management and versioning of base images through a central registry with controlled release process
Implementation of compliance checks and policy enforcement for continuous monitoring of hardening conformity
Systematic testing of hardened images including functional and security tests prior to production rollout
Containerization and deployment of management services on OpenShift with Kustomize for environment-specific configuration
Setup and maintenance of CI/CD pipelines with GitHub Actions and GitOps-based deployment via ArgoCD
Implementation of monitoring and alerting to track image lifecycles and security posture
Iterative improvement of hardening processes based on audit results and operational experience
Comprehensive documentation of hardening standards, operational processes, and knowledge transfer to internal teams

Technologies

AWS EC2 Image Builder, OpenShift, Docker / Podman, Linux, Ansible, GitHub Actions, ArgoCD, Kustomize, Security Hardening / CIS, Monitoring