Bitrise on AWS: OS security patching

Abstract

The responsibilities regarding OS security patching on AWS are shared between Bitrise and the customer. The exact responsibilities differ based on the AWS environment: different policies apply to macOS and Linux environments.

On AWS, security patching and maintenance are governed by the Shared Responsibility Model. For Bitrise, the most important issues are the following:

  • Host AMI updates

  • Bitrise VM image updates (if applicable)

The responsibilities regarding these tasks are shared between Bitrise and the customer. The exact responsibilities differ based on the AWS environment: different policies apply to macOS and Linux environments.

macOS virtualized environment

Bitrise on AWS offers AMIs with VM images of our stable stacks (not edge stacks) for the macOS virtualized environment.

Regular tooling updates

Bitrise performs regular VM updates for tooling changes. When a new VM image is built due to a tooling update, the latest AWS macOS version is used for the host instance (AMI). The OS of the VM image will not change.

Table 19. Host and VM patching in stable stacks

  • Host OS
    Bitrise Update Frequency: Bitrise does not perform general OS updates. OS security patches occur only if required by our internal information security assessment (as defined in our trust center).
    Customer Responsibility: It is the customer's responsibility to use the newest AMIs.

  • VM OS
    Bitrise Update Frequency: Bitrise does not perform general OS updates. OS security patches occur only if required by our internal information security assessment (as defined in our trust center).
    Customer Responsibility: It is the customer's responsibility to use the newest AMIs.


macOS bare metal environment

In the macOS bare metal environment, Bitrise on AWS offers AMIs for stable stacks only (not edge stacks).

Table 20. Host and VM patching in stable stacks

  • Bitrise AMI
    Bitrise Update Frequency: Bitrise uses AWS's latest macOS version as the base when building a new host AMI. We monitor macOS vulnerabilities and rebuild and publish new AMI versions when internal information security assessments dictate.
    Customer Responsibility: It is the customer's responsibility to use the newest AMIs.
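Tables 19 and 20 both leave the choice of AMI with the customer. The script below is an added example, not Bitrise's own tooling: run inside an instance, it compares the AMI the instance was launched from against the newest matching AMI the publisher currently offers. AMI_OWNER and AMI_NAME_PATTERN are placeholders for the account id and naming pattern of the Bitrise AMIs, which this page does not give.

```shell
#!/bin/sh
# Added example (not Bitrise's own tooling): from inside a running instance, report
# whether the AMI it was launched from is the newest matching AMI the publisher offers.
# Assumptions: AMI_OWNER and AMI_NAME_PATTERN are placeholders to replace with the
# account id and naming pattern Bitrise gives you for its AMIs.
set -u
AMI_OWNER="${AMI_OWNER:-111111111111}"             # placeholder publisher account id
AMI_NAME_PATTERN="${AMI_NAME_PATTERN:-bitrise-*}"   # placeholder image name filter

# Pick the ImageId with the latest CreationDate from lines of "<CreationDate><tab><ImageId>".
# ISO-8601 timestamps sort correctly as plain strings, so no date parsing is needed.
newest_ami() {
  grep -E '^[0-9]{4}-' | sort | tail -n 1 | awk '{ print $2 }'
}

# Exit status 0 when the running AMI is the newest one, 1 otherwise (including "none found").
ami_is_current() {
  [ -n "${2:-}" ] && [ "$1" = "$2" ]
}

# Live lookups: IMDSv2 for this instance's own AMI id, describe-images for the candidates.
running_ami() {
  tok=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
          -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $tok" \
       "http://169.254.169.254/latest/meta-data/ami-id"
}
list_amis() {
  aws ec2 describe-images --owners "$AMI_OWNER" \
    --filters "Name=name,Values=$AMI_NAME_PATTERN" "Name=state,Values=available" \
    --query 'Images[].[CreationDate,ImageId]' --output text
}

check() {
  current=$(running_ami)
  latest=$(list_amis | newest_ami)
  if ami_is_current "$current" "$latest"; then
    echo "OK: $current is the newest published AMI"
  else
    echo "STALE: running $current, newest is ${latest:-<none found>}"
    return 1
  fi
}

# Run the live check only when asked, so the helpers can also be sourced or tested offline.
if [ "${1:-}" = "--check" ]; then check; fi
```

A non-zero exit from `--check` can be wired into whatever monitoring you already run on the build hosts.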


Trust Center

Additional information on how Bitrise monitors and assesses vulnerabilities can be found in the Trust Center.

Linux environment

Linux instances on Bitrise on AWS operate on Bare Metal only, with no virtualization or Docker. All required tooling is baked directly into the Amazon Machine Image (AMI).

Table 21. Host and VM patching in stable stacks

  • Bitrise AMI
    Bitrise Update Frequency: Bitrise updates the core Linux AMI for tooling changes (for example, Android tools) only.
    Customer Responsibility: The customer is responsible for applying OS security patches.


Patching scenarios

The method for applying security patches differs based on whether or not you are using the Bitrise Controller.

Patching without the controller

If you are using a manual setup, you have more flexibility for applying patches or updates in general to the instance. You can:

  • Create a custom AMI: start a Bitrise AMI, make a change (like an OS patch), take a new AMI snapshot, and then configure your environment to run with the ID of this new, custom AMI.

  • Use a user data script: define your own script to execute commands upon instance startup.

  • Use SSH updates: connect to your instances via SSH and apply updates manually; on a manual setup the updates are guaranteed to persist on the instance.
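The custom AMI and SSH options above, carried through end to end as an added example rather than Bitrise's own code: the script launches the base AMI, applies OS security updates over SSH, registers the patched instance with create-image and prints the new AMI id to configure your environment with. BASE_AMI, INSTANCE_TYPE, KEY_NAME and SSH_USER are placeholders, and the Linux distribution is detected from /etc/os-release because the page does not name it.

```shell
#!/bin/sh
# Added example (not Bitrise's own tooling): build a patched custom AMI for a manual
# setup by launching the base AMI, patching it over SSH and snapshotting it with
# create-image. BASE_AMI, INSTANCE_TYPE, KEY_NAME and SSH_USER are placeholders; the
# distribution is detected from /etc/os-release because the page does not name it.
set -eu
BASE_AMI="${BASE_AMI:-ami-PLACEHOLDER}"
INSTANCE_TYPE="${INSTANCE_TYPE:-c5.large}"
KEY_NAME="${KEY_NAME:-my-keypair}"
SSH_USER="${SSH_USER:-ubuntu}"
# A freshly launched instance has no known host key yet; accept-new pins it on first contact.
SSH="ssh -o StrictHostKeyChecking=accept-new"

# Map os-release ID/ID_LIKE tokens to a security-update command; empty for unknown distros.
patch_command_for() {
  case " $1 " in
    *" ubuntu "*|*" debian "*)
      echo "sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade" ;;
    *" amzn "*|*" fedora "*|*" rhel "*)
      echo "sudo yum -y upgrade --security" ;;
    *) echo "" ;;
  esac
}

# Extract ID and ID_LIKE from os-release text as one space-separated token list.
os_family_tokens() {
  printf '%s\n' "$1" | sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' | tr -d '"' | tr '\n' ' '
}

# Snapshot name: base AMI id plus the build date, e.g. patched-ami-0abc-20240502.
ami_name_for() { echo "patched-$1-$2"; }

build_patched_ami() {
  id=$(aws ec2 run-instances --image-id "$BASE_AMI" --instance-type "$INSTANCE_TYPE" \
        --key-name "$KEY_NAME" --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-status-ok --instance-ids "$id"
  host=$(aws ec2 describe-instances --instance-ids "$id" \
          --query 'Reservations[0].Instances[0].PublicDnsName' --output text)
  cmd=$(patch_command_for "$(os_family_tokens "$($SSH "$SSH_USER@$host" cat /etc/os-release)")")
  [ -n "$cmd" ] || { echo "unknown distribution on $host, not patching" >&2; return 1; }
  $SSH "$SSH_USER@$host" "$cmd"
  ami=$(aws ec2 create-image --instance-id "$id" --reboot \
          --name "$(ami_name_for "$BASE_AMI" "$(date -u +%Y%m%d)")" \
          --query ImageId --output text)
  aws ec2 wait image-available --image-ids "$ami"   # the snapshot can take a long time
  aws ec2 terminate-instances --instance-ids "$id" >/dev/null
  echo "$ami"   # configure your environment to launch from this id
}

if [ "${1:-}" = "--build" ]; then build_patched_ami; fi
```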

Patching with the controller

You have multiple options to apply patches when using the controller:

  • Host warmup script: this script runs once, when an instance is started. To apply updates to the instance, modify the host warmup script, then drain the instance pool and bring it back up; the script runs again on each new instance, giving you fully updated instances.

    Availability

    Be mindful of Mac EC2 availability when performing this operation.

  • Controller with virtualization: the VM OS on stable stacks does not receive general updates; however, Bitrise monitors for OS vulnerabilities and publishes new AMIs based on internal information security assessments. The VM warmup script runs in a fresh VM for every new build that is started, so it may not be a good option for VM OS patches because of the time they add to every build.

Custom AMIs

You cannot use a custom AMI with the Bitrise Controller, which means you cannot take a snapshot of an updated AMI and use it with the Controller. The Controller only permits specific Bitrise AMIs. If you think this may be a requirement, please contact us to discuss.

Security patching reference

Table 22. Host and VM update responsibility

  • Host OS Update
    macOS Virtualized - Controller: can use the host warmup script to perform updates.
    macOS Bare Metal - Controller: can use the host warmup script to perform updates.
    macOS Virtualized - Manual: can use a custom AMI; can directly modify the instance.
    macOS Bare Metal - Manual: can use a custom AMI; can directly modify the instance.
    Linux Bare Metal - Manual: can use a custom AMI; can directly modify the instance.

  • VM OS Update
    macOS Virtualized - Controller: Bitrise is responsible for critical security updates.
    macOS Bare Metal - Controller: N/A
    macOS Virtualized - Manual: Bitrise is responsible for critical security updates.
    macOS Bare Metal - Manual: N/A
    Linux Bare Metal - Manual: N/A