Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

App-Tier Publicly Shared AMI

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-068

Ensure that none of the Amazon Machine Images (AMIs) created within your app tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary applications, personal data, and configuration information that can be used to exploit or compromise running Amazon EC2 instances available in your app tier. This conformity rule assumes that all the AWS resources within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before running this rule by the Trend Micro Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you make your app-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to create a complete replica of the original Amazon EC2 instance. Usually, your app-tier AMIs will contain snapshots of your applications (including their data), therefore sharing your images in this manner can allow malicious users to identify weaknesses in the configuration of these applications, or even steal your data.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.

Audit

To identify any publicly shared app-tier AMIs within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Publicly Shared App-Tier AMIs conformity rule settings, and copy the tag set defined for the AWS cloud resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Images, choose AMIs.

05 Choose Owned by me to list only your Amazon Machine Images (AMIs).

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>), then press Enter. This filtering technique will return only the images tagged for the app tier. If no results are returned, there is no AMI tagged within your app tier and the Audit process ends here. If the Amazon EC2 console returns one or more images, continue the Audit process with the next step.

07 Select the app-tier Amazon Machine Image that you want to examine.

08 Select the Permissions tab from the console bottom panel and check the launch permissions configured for the image. If the selected app-tier AMI is publicly shared, the Amazon EC2 console displays the following status: This image is currently Public.

09 Repeat steps no. 7 and 8 for each app-tier AMI available within the current AWS cloud region.

10 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Publicly Shared App-Tier AMIs conformity rule settings, and identify the tag set defined for the AWS cloud resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-images command (OSX/Linux/UNIX) using the tag set identified at the previous step as the filter parameter, to describe the IDs of the publicly shared app-tier AMIs, available in the selected AWS cloud region: 

aws ec2 describe-images
  --region us-east-1
  --owners self
  --filters Name=tag:<app_tier_tag>,Values=<app_tier_tag_value>
  --query 'Images[*].ImageId'

03 The describe-images command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, there are no app-tier AMIs available in the selected region and the Audit process ends here: 
    []
  2. If the command output returns an array with app-tier AMI IDs, as shown in the example below, continue the Audit process with the next step: 
    [
	"ami-0abcd1234abcd1234",
	"ami-01234abcd1234abcd",
]

04 Run describe-images command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to examine as the identifier parameter, to determine whether the selected image has public launch permissions: 

aws ec2 describe-images
  --region us-east-1
  --image-ids ami-0abcd1234abcd1234
  --owners self
  --query 'Images[*].Public'

05 The command output should return the public launch permission status: 

[
	true
]

If the describe-images command output returns true, as shown in the output example above, the selected app-tier AMI is publicly shared.

06 Repeat steps no. 4 and 5 for each app-tier AMI available in the selected AWS cloud region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

Case A: To make your publicly shared AMIs private, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Choose Owned by me to list only your Amazon Machine Images (AMIs).

05 Select the app-tier AMI that you want to make private.

06 Select the Permissions tab from the console bottom panel and choose Edit.

07 Inside the Modify Image Permissions configuration box, select Private to change the launch permissions for the selected image to private, then click Saveto apply the changes.

08 Repeat steps no. 5 – 7 to change the launch permissions for other publicly shared app-tier AMIs available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to make private as the identifier parameter, to change the launch permissions for the selected image to private (if successful, the command does not produce an output): 

aws ec2 modify-image-attribute
  --region us-east-1
  --image-id ami-0abcd1234abcd1234
  --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

02 Repeat step no. 1 to change the launch permissions for other publicly shared app-tier AMIs available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Case B: To deny public access to your app-tier AMIs and share them with specific AWS accounts only, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Choose Owned by me to list only your Amazon Machine Images (AMIs).

05 Select the app-tier AMI that you want to share only with specific AWS cloud accounts.

06 Select the Permissions tab from the console bottom panel and choose Edit.

07 Inside the Modify Image Permissions configuration box, perform the following actions:

  1. Select Private to make the selected app-tier AMI private.
  2. Enter the ID of the trusted AWS account (e.g. 123456789012) in the AWS Account Number box, then click Add Permission. The selected image will be shared with the AWS account specified at this step.
  3. (Optional) Select the Add "create volume" permissions to the following associated snapshots when creating permissions checkbox to provide the trusted AWS account, specified at the previous step, the capability to create Amazon EBS volumes from the associated snapshots.
  4. Click Save to apply the changes.

08 Repeat steps no. 5 – 7 to change the launch permissions for other publicly shared app-tier AMIs available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run reset-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to share with trusted AWS accounts as the identifier parameter, to reset the resource launch permissions and remove the public access (the command does not produce an output): 

aws ec2 reset-image-attribute
  --region us-east-1
  --image-id ami-0abcd1234abcd1234
  --attribute launchPermission

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI selected at the previous step as the identifier parameter, to update the image launch permissions and make it accessible only to trusted AWS accounts (if successful, the command does not produce an output): 

aws ec2 modify-image-attribute
  --region us-east-1
  --image-id ami-0abcd1234abcd1234
  --launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"

03 Repeat steps no. 1 and 2 to reset and change the launch permissions for other publicly shared app-tier AMIs available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

Publication date Mar 6, 2018

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

App-Tier Publicly Shared AMI

Risk Level: High