AMI Cross-Account Access

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Choose Owned by me to list only your images.

05 Select the Amazon Machine Image (AMI) that you want to examine.

06 Select the Permissions tab from the console bottom panel and identify the AWS account ID(s) configured for cross-account access, listed in the AWS Account Number section.

07 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings, and compare the account ID(s) identified at the previous step against each AWS account ID defined in the rule configuration section. If one or more AWS account IDs are not included in the list of trusted account IDs defined in the conformity rule settings, the cross-account access configuration available for the selected Amazon Machine Image (AMI) is not secured.

08 Repeat steps no. 5 – 7 for each AMI available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

01 Run describe-images command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:

aws ec2 describe-images
  --region us-east-1
  --owners self
  --output table
  --query 'Images[*].ImageId'

02 The command output should return the requested resource identifiers (IDs):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-01234abcd1234abcd  |
|  ami-0abcd1234abcd1234  |
+-------------------------+

03 Run describe-image-attribute command (OSX/Linux/UNIX) using the ID of the image that you want to examine as the identifier parameter and custom query filters to describe the ID(s) of the AWS account(s) that have permissions to launch Amazon EC2 instances using the selected AMI:

aws ec2 describe-image-attribute
  --region us-east-1
  --image-id ami-01234abcd1234abcd
  --attribute launchPermission
  --query 'LaunchPermissions[*].UserId'

04 The command output should return the requested AWS account identifiers (IDs):

[
	"123456789012",
	"123456123456"
]

05 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings, and compare the account ID(s) returned at the previous step against each AWS account ID defined in the rule**configuration section. If one or more AWS account IDs are not included in the list of trusted account IDs defined in the conformity rule settings, the cross-account access configuration available for the selected Amazon Machine Image (AMI) is not secured.

06 Repeat steps no. 3 – 5 for each AMI available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

01 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Accessconformity rule settings and copy the AWS account ID(s) authorized to access and use your AMIs.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Images, choose AMIs.

05 Choose Owned by me to list only your Amazon Machine Images (AMIs).

06 Select the image that you want to share with trusted AWS accounts.

07 Select the Permissions tab from the console bottom panel and choose Edit.

08 Inside the Modify Image Permissions configuration box, perform the following actions:

1. Make sure that the selected image is set to Private.
2. Click on the x (delete) button to remove each untrusted account ID listed in the AWS Account Number.
3. Paste the ID of the trusted AWS account copied at step no. 1 in the AWS Account Number configuration box, then choose Add Permission. Repeat this step for each trusted AWS account that you want to access and use your image.
4. (Optional) Select the Add "create volume" permissions to the following associated snapshots when creating permissions checkbox to provide the trusted AWS account(s) the capability to create Amazon EBS volumes from the associated snapshots.
5. Click Save to apply the changes.

09 Repeat steps no. 6 – 8 to change the launch permissions for other shared AMIs available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

01 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings and identify the AWS account ID(s) authorized to access and use your AMIs.

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the Amazon Machine Image (AMI) that you want to reconfigure as the identifier parameter, to remove the ID(s) of the untrusted AWS account(s) from the selected image permissions (the command does not produce an output):

aws ec2 modify-image-attribute
  --region us-east-1
  --image-id ami-01234abcd1234abcd
  --launch-permission "Remove=[{UserId=123456789012}]"

03 Run modify-image-attribute command (OSX/Linux/UNIX) to update the launch permissions for the specified AMI and share the image with the trusted AWS account(s) identified at step no. 1 (the command does not produce an output):

aws ec2 modify-image-attribute
  --region us-east-1
  --image-id ami-01234abcd1234abcd
  --launch-permission "Add=[{UserId=123123123123}]"

04 Repeat steps no. 2 and 3 to change the launch permissions for other shared AMIs available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.