StigApplied

CIS & DISA STIG Hardened AMIs

The StigReady minimal base with full CIS Level 1/2 and DISA STIG remediation applied via ansible-lockdown — auditd, AIDE, and the controls auditors actually check.

Remediation is applied, not just aligned — and tuned so the image still boots, accepts your EC2 key pair, and registers with SSM out of the box.

What You Get

Every StigApplied AMI ships with the benchmark remediation already applied.

Remediation Applied

Full CIS Level 1/2 or DISA STIG remediation applied with the upstream ansible-lockdown roles — not a checklist, the actual fixes.

Audit & Integrity

auditd running with the benchmark rule set, and AIDE installed for file-integrity monitoring — ready for your SIEM.

Still Cloud-Usable

Hardening is tuned for EC2: the instance still boots unattended, cloud-init injects your key pair, and SSM (443) keeps working.

On the StigReady Base

Built on the same STIG-aligned partition layout, minimal footprint, and monthly patch cadence as StigReady.

Benchmarks Applied

Pick the profile your auditor requires — the remediation is already in the image.

CIS Level 1
Ubuntu 24.04 Server

  • Baseline server hardening
  • Low operational friction
  • UFW, PAM, sysctl controls

CIS Level 2
Ubuntu 24.04 Server

  • Everything in Level 1, plus
  • Defense-in-depth restrictions
  • auditd + AIDE enabled

DISA STIG
Ubuntu 24.04 CAT I/II/III

  • All severities remediated
  • DoD SRG / NIST 800-53 aligned
  • Cloud-safe exceptions documented

Independently verify with your own SCAP/InSpec scan — StigApplied images are built to pass, not to hide findings.

Available Profiles

StigApplied CIS L1 · Ubuntu 24.04

x86_64 · EBS · HVM · monthly

StigApplied CIS L2 · Ubuntu 24.04

x86_64 · EBS · HVM · monthly

StigApplied DISA STIG · Ubuntu 24.04

x86_64 · EBS · HVM · monthly

Rocky Linux 9 and more OS variants coming soon.

How It Works

1. Pick a Profile

Choose CIS L1, CIS L2, or DISA STIG on AWS Marketplace and launch — the remediation is already applied.

2. Launch

cloud-init injects your key pair on first boot. Connect as ec2-user; SSM registers automatically.

3. Prove It

Run your SCAP/InSpec scan and hand the report to your auditor. Layer app-specific controls on top.

Pricing

Pay only the software fee on top of your normal EC2 costs.

$0.08/hr

Software fee · EC2 instance costs billed separately by AWS

Annual contracts and Private Offers available. Contact us for volume pricing.