July 2025: CMS Gold Image Monthly Updates
CMS Cloud



The Centers for Medicare & Medicaid Services (CMS) Hybrid Cloud Team announces the following CMS Gold Image (GI) updates for July 2025:

July 2025 GI Updates

The Final CMS Amazon Linux 2 (AL2) GI Was Released on June 13, 2025

  • Based on guidance from AWS Professional Services and the CMS Hybrid Cloud Team, all AL2 customers without a previously approved exception should have transitioned to Amazon Linux 2023 (AL2023) by July 1, 2025.
  • On Friday, April 18, 2025, CMS customers who had active AL2 instances received dedicated support tickets to ensure all AL2 instances get closed. Please provide your final update on your team's transition to AL2023 in the dedicated support tickets by Wednesday, July 23, 2025.
  • Review the following AL2023 cms.cloud.gov (CCG) pages if you have any remaining questions:
    • Gold Image: Amazon Linux 2023: As an added security measure, the /tmp directory is mounted with the NOEXEC option, which will not allow the execution of binaries within /tmp. This change may impact third-party tools that execute scripts out of the /tmp directory, like Packer, which allows you to specify a different directory to execute scripts from. Please review the documentation for more details.

    • Gold Image: Amazon Linux 2023 with Elastic Kubernetes Service (EKS) Optimization: The existing launch template configurations are based on the EKS-optimized AL2 GI and will not work for AL2023 because of a change to the node initialization process. Note that in the April AL2023 with EKS Optimization CMS GI, the firewall configuration was updated to ensure outbound traffic from containers. For more information, please review the Amazon-published documentation that highlights the changes and the Changes from AL2 to AL2023 CCG page.
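
The noexec behavior described above can be checked before a build or deployment tool is pointed at a script directory. The following is an added example, not taken from the CMS documentation: the function names, the sample mount table and the /opt/build path are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed mount table in /proc/mounts format (illustrative, not from a CMS image).
SAMPLE_MOUNTS='/dev/nvme0n1p1 / xfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/nvme1n1 /opt/build xfs rw,nodev 0 0'

# Print the mount options of the filesystem holding path $1.
# $2 is a mount table file (default /proc/mounts). The longest matching
# mount point wins; on a tie the later line wins, as with an overmount.
mount_opts_for() {
  awk -v p="$1" '
    BEGIN { best = 0 }
    { mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (length(mp) >= best) { best = length(mp); opts = $4 }
    }
    END { print opts }' "${2:-/proc/mounts}"
}

# Succeed (exit 0) when path $1 sits on a noexec mount.
is_noexec() {
  case ",$(mount_opts_for "$1" "$2")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first candidate directory ($2...) that is not noexec in table $1.
pick_script_dir() {
  _tbl="$1"; shift
  for _d in "$@"; do
    if ! is_noexec "$_d" "$_tbl"; then printf '%s\n' "$_d"; return 0; fi
  done
  return 1
}

# Demo against the constructed table; /opt/build/scripts is a hypothetical path.
demo_table=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_table"
pick_script_dir "$demo_table" /tmp /opt/build/scripts   # prints /opt/build/scripts
rm -f "$demo_table"
```

On a running instance, omit the table argument (for example `is_noexec /tmp`) to read the live /proc/mounts instead of the sample.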

Hardened Container Images Now Available in the CMS Artifactory Repository

  • The CMS Hybrid Cloud Team strongly recommends only using a hardened Iron Bank image as the base image for container builds to help:

    • Ensure the best security posture.

    • Reduce the burden of applying security configuration best practices.

  • Access Iron Bank images in the CMS JFrog Platform under the gi-gantuar-ironbank Artifactory repository. 

  • The CMS Artifactory repository is a pull-through cache that allows you to access Iron Bank container images without registering for a separate Iron Bank account. It also helps you avoid any potential rate limits from the Iron Bank registry.

  • Please register for CMS Artifactory repository access to use the pre-cached Iron Bank container images already used in our CMS environment (such as Alpine Linux, RedHat UBI, UBI with NodeJS, Alpine, and UBI with Python).

CMS Marketplace Customers: Only Use "Bring Your Own License" (BYOL) Red Hat GIs

  • CMS Marketplace Customers: Marketplace Information Technology Group (MITG) has a dedicated license for Red Hat Enterprise Linux (RHEL) that includes premium support. This means that if you use a regular GI instead of a BYOL RHEL GI, you will incur unnecessary costs.
  • Please Note: All BYOL GIs have "byol" in the GI name.

Gold Image Accessibility

CMS GI availability is based on each team's Customer Automation and Management Platform (CAMP) details. If your team wants to request a new CMS GI, please open a Hybrid Cloud Support Ticket and contact your assigned Hosting Coordinator.

For more information about CMS GIs, please review the available Gold Image documentation.

Questions or Concerns

For questions or concerns, please contact your assigned Hosting Coordinator/Technical Advisor or submit a Hybrid Cloud support ticket.


