
AMI Cross-Account Access


Risk Level: High (not acceptable risk)

Ensure that your Amazon Machine Images (AMIs) can be used only by trusted (friendly) AWS accounts, so that unauthorized users cannot gain access to sensitive information: AMIs can contain proprietary applications, personal data, and configuration details that could be used to exploit or compromise EC2 instances launched within your AWS cloud account. Before this rule is run by the Trend Cloud One™ – Conformity engine, the list of trusted AWS account identifiers must be configured in the rule settings in your Conformity account.

Security

Allowing unknown cross-account access to your Amazon Machine Images (AMIs) can authorize untrusted AWS users to launch EC2 instances using your AMIs.


Audit

To determine if there are AMIs configured to allow unknown cross-account access available within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to examine.

05 Select the Permissions tab from the console split panel and identify the AWS account ID(s) configured for cross-account access, listed in the Shared accounts section, under Shared account ID.

06 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings, and compare the account ID(s) identified in the previous step against each AWS account ID defined in the rule configuration section. If one or more AWS account IDs are not included in the list of trusted account IDs defined in the conformity rule settings, the cross-account access configuration available for the selected Amazon Machine Image (AMI) is not secured.

07 Repeat steps no. 4 - 6 for each AMI available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom output filters to list the ID of each Amazon Machine Image (AMI) owned by your account in the selected AWS cloud region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return the requested image identifiers (IDs):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0abcd1234abcd1234  |
|  ami-01234abcd1234abcd  |
|  ami-0abcdabcdabcdabcd  |
+-------------------------+

03 Run describe-image-attribute command (OSX/Linux/UNIX) with the ID of the AMI that you want to examine as the identifier parameter and custom output filters to list the ID(s) of the AWS account(s) that have permission to launch Amazon EC2 instances from the selected image:

aws ec2 describe-image-attribute \
	--region us-east-1 \
	--image-id ami-0abcd1234abcd1234 \
	--attribute launchPermission \
	--query 'LaunchPermissions[*].UserId'

04 The command output should return the requested AWS account identifiers (IDs):

[
	"123456789012",
	"123456123456"
]

05 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings, and compare the account ID(s) returned in the previous step against each AWS account ID defined in the rule configuration section. If one or more AWS account IDs are not included in the list of trusted account IDs defined in the conformity rule settings, the cross-account access configuration available for the selected Amazon Machine Image (AMI) is not secured.

06 Repeat steps no. 3 – 5 for each AMI available in the selected AWS cloud region.

07 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update your Amazon Machine Image (AMI) permissions in order to share your images with trusted AWS accounts only, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings and copy the AWS account ID(s) authorized to access and use your AMIs.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under Images, choose AMIs.

05 Choose Owned by me to list your Amazon Machine Images (AMIs).

06 Select the AMI that you want to share with other trusted AWS accounts.

07 Select the Permissions tab from the console split panel, choose Edit AMI permissions from Shared accounts, and perform the following actions:

  1. For AMI share settings, ensure that AMI availability is set to Private to make sure that the selected image is private.
  2. Select the unknown, untrusted AWS account IDs from the Shared accounts section and choose Remove selected.
  3. For Shared accounts, choose Add account ID, paste the ID of the trusted AWS account copied in step no. 1 in the AWS account ID box, and choose Share AMI to share your AMI with the specified AWS account. Repeat this step for each trusted AWS account that you want to access and use your AMI.
  4. Choose Save changes to apply the changes.

08 Repeat steps no. 6 and 7 to change the launch permissions for other shared AMIs available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access AMI Cross-Account Access conformity rule settings and copy the AWS account ID(s) authorized to access and use your AMIs.

02 Run modify-image-attribute command (OSX/Linux/UNIX) with the ID of the Amazon Machine Image (AMI) that you want to configure as the identifier parameter, to remove the ID(s) of the untrusted AWS account(s) from the selected image permissions (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-01234abcd1234abcd \
	--launch-permission "{\"Remove\":[{\"UserId\":\"123456789012\"}]}"

03 Run modify-image-attribute command (OSX/Linux/UNIX) to update the launch permissions for the specified AMI and share the image with the trusted AWS account(s) identified in step no. 1. To share your AMI with other AWS accounts, use {"Add":[{"UserId":"<aws-account-id>"}]} as the value of the --launch-permission parameter, as shown in the example below (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-01234abcd1234abcd \
	--launch-permission "{\"Add\":[{\"UserId\":\"123123123123\"}]}"

04 Repeat steps no. 1 - 3 to change the launch permissions for other shared AMIs available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
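The CLI audit steps (describe-images, describe-image-attribute, comparison against the trusted list) and the Remove payload from remediation step no. 2, combined into one script as an added example that is not Conformity's own tooling. It assumes a configured AWS CLI and that TRUSTED holds the account IDs copied from the rule settings; all IDs and the sample result are constructed. It also flags AMIs shared with the "all" group, which the Private setting in the remediation addresses.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): automate the CLI audit above
# and build the Remove payload used in remediation. Assumes a configured aws
# CLI; TRUSTED holds the IDs copied from the rule settings (constructed here).
TRUSTED="123456789012 123456123456"

# $1 = JSON array from: aws ec2 describe-image-attribute ... --query 'LaunchPermissions'
# Prints PUBLIC if the AMI is shared with group "all", then one line per
# 12-digit account ID that is not in TRUSTED.
untrusted_grants() {
    if printf '%s\n' "$1" | grep -q '"Group"[[:space:]]*:[[:space:]]*"all"'; then
        echo PUBLIC
    fi
    for id in $(printf '%s\n' "$1" | grep -o '"UserId"[[:space:]]*:[[:space:]]*"[0-9]\{12\}"' \
                | grep -o '[0-9]\{12\}'); do
        case " $TRUSTED " in
            *" $id "*) ;;          # trusted account, nothing to report
            *) echo "$id" ;;
        esac
    done
}

# Build the --launch-permission value that revokes the given account IDs:
# {"Remove":[{"UserId":"111111111111"},{"UserId":"222222222222"}]}
remove_payload() {
    sep=""; printf '{"Remove":['
    for id in "$@"; do
        printf '%s{"UserId":"%s"}' "$sep" "$id"
        sep=","
    done
    printf ']}\n'
}

# Walk every self-owned AMI in one region and print the ones that need fixing.
audit_region() {
    region=$1
    for ami in $(aws ec2 describe-images --region "$region" --owners self \
                   --query 'Images[*].ImageId' --output text); do
        perms=$(aws ec2 describe-image-attribute --region "$region" --image-id "$ami" \
                   --attribute launchPermission --query 'LaunchPermissions' --output json)
        bad=$(untrusted_grants "$perms")
        if [ -n "$bad" ]; then
            printf '%s %s: %s\n' "$region" "$ami" "$(echo $bad)"
        fi
    done
}

# Constructed describe-image-attribute result; running this file prints PUBLIC and 999999999999.
SAMPLE_PERMS='[{"UserId":"123456789012"},{"UserId":"999999999999"},{"Group":"all"}]'
untrusted_grants "$SAMPLE_PERMS"
```

Call audit_region once per region in use, then pass the account IDs it reports to remove_payload to obtain the --launch-permission value for modify-image-attribute.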


Publication date Apr 10, 2019