The StigReady minimal base with full CIS Level 1/2 and DISA STIG remediation applied via ansible-lockdown — auditd, AIDE, and the controls auditors actually check.
Remediation is applied, not just aligned — and tuned so the image still boots, accepts your EC2 key pair, and registers with SSM out of the box.
Every StigApplied AMI ships with the benchmark remediation already applied.
Full CIS Level 1/2 or DISA STIG remediation applied with the upstream ansible-lockdown roles — not a checklist, the actual fixes.
auditd running with the benchmark rule set, and AIDE installed for file-integrity monitoring — ready for your SIEM.
Hardening is tuned for EC2: the instance still boots unattended, cloud-init injects your key pair, and SSM (443) keeps working.
Built on the same STIG-aligned partition layout, minimal footprint, and monthly patch cadence as StigReady.
Pick the profile your auditor requires — the remediation is already in the image.
Independently verify with your own SCAP/InSpec scan — StigApplied images are built to pass, not to hide findings.
x86_64 · EBS · HVM · monthly
x86_64 · EBS · HVM · monthly
x86_64 · EBS · HVM · monthly
Rocky Linux 9 and more OS variants coming soon.
Choose CIS L1, CIS L2, or DISA STIG on AWS Marketplace and launch — the remediation is already applied.
cloud-init injects your key pair on first boot. Connect as ec2-user; SSM registers automatically.
Run your SCAP/InSpec scan and hand the report to your auditor. Layer app-specific controls on top.
Pay only the software fee on top of your normal EC2 costs.
$0.08/hr
Software fee · EC2 instance costs billed separately by AWS
Annual contracts and Private Offers available. Contact us for volume pricing.