AWS AMIs Are Not Publicly Shared
Description:
Amazon Machine Images (AMIs) provide the information required to launch an EC2 instance. An AMI can contain sensitive data, configurations, and software, making it essential to control who can use it. By default, an AMI is private and can only be used by the AWS account that creates it. However, AWS allows users to share AMIs with specific accounts or make them public. Publicly sharing an AMI can expose sensitive data or configurations to unauthorized entities. It is crucial to ensure AMIs are not publicly accessible to safeguard your data and maintain a robust security posture.
Remediation:
1. Ensure AMIs are Private:
AWS Management Console:
- Navigate to the EC2 service in the AWS Console.
- In the EC2 dashboard's left navigation pane, click on AMIs under "Images".
- Use the filter dropdown to select Owned by me.
- Review the list of AMIs. In the Visibility column, ensure none of them are marked as Public.
- If an AMI is public, select it, then from the Actions dropdown menu, click Modify Image Permissions.
- In the Modify Image Permissions window, ensure Public is not selected.
AWS CLI:
To list all the AMIs owned by your account:
aws ec2 describe-images --owners self
To check the permissions of an AMI:
aws ec2 describe-image-attribute --image-id YOUR_AMI_ID --attribute launchPermission
If an AMI is publicly shared, modify its attributes to remove public access:
aws ec2 modify-image-attribute --image-id YOUR_AMI_ID --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
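The CLI steps above can be combined into a repeatable audit. The script below is an added example, not part of the original page. It assumes the AWS CLI is configured with credentials that may call ec2:DescribeImages and, for remediation, ec2:ModifyImageAttribute. The function names and the region argument are illustrative.

```shell
#!/usr/bin/env bash
# Added example: report (and optionally fix) publicly shared AMIs in one region.

# Print the ID of every AMI owned by this account that is public, one per line.
# The is-public filter makes EC2 do the selection server-side.
list_public_amis() {
  local region="$1" id
  for id in $(aws ec2 describe-images --region "$region" --owners self \
      --filters "Name=is-public,Values=true" \
      --query 'Images[].ImageId' --output text); do
    # Keep only real image IDs; skips empty output or a literal "None".
    case "$id" in ami-*) printf '%s\n' "$id" ;; esac
  done
}

# Remove the public ("all" group) launch permission from one AMI.
make_private() {
  local region="$1" ami="$2"
  aws ec2 modify-image-attribute --region "$region" --image-id "$ami" \
    --launch-permission '{"Remove":[{"Group":"all"}]}'
}

# Report public AMIs; pass "yes" as the second argument to also remediate.
# Returns 1 when at least one public AMI was found, so a scheduled job
# or CI step can fail on the finding.
audit_region() {
  local region="$1" fix="${2:-no}" found=0 id
  for id in $(list_public_amis "$region"); do
    found=1
    echo "PUBLIC $region $id"
    if [ "$fix" = "yes" ]; then
      make_private "$region" "$id" && echo "FIXED $region $id"
    fi
  done
  return "$found"
}
```

Source the file and run `audit_region us-east-1` to report only, or `audit_region us-east-1 yes` to also remove public access. AMIs are regional, so repeat the call for each region in use.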
Terraform:
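If you're using Terraform, note that launch permissions are not set on the aws_ami resource itself; they are managed with the separate aws_ami_launch_permission resource. Ensure no such resource grants access to the "all" group:
resource "aws_ami" "example" {
  # ... other configurations ...
}

# Either omit this resource entirely (the AMI stays private) or share
# with specific AWS account IDs only. Never set group = "all".
resource "aws_ami_launch_permission" "example" {
  image_id   = aws_ami.example.id
  account_id = "123456789012"
}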
Recommendation:
Regularly review and audit your AMI permissions to ensure they aren't inadvertently set to public. If there's a need to share an AMI, do so explicitly with specific AWS account IDs rather than making it publicly accessible. Consider employing AWS Config rules or custom CloudWatch Alarms to monitor and alert on any AMIs that are made public. Keeping your AMIs private is crucial for data protection, preventing unauthorized access, and mitigating potential security vulnerabilities.