Ensure that none of the Amazon Machine Images (AMIs) created within your app tier are publicly shared with other AWS accounts, in order to avoid exposing sensitive information: these images can contain proprietary applications, personal data, and configuration information that can be used to exploit or compromise the running Amazon EC2 instances in your app tier. This conformity rule assumes that all the AWS resources within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before this rule is run by the Trend Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings on your Conformity account console.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you make your app-tier AMIs accessible to all other AWS accounts, you allow anyone with an AWS account to launch a complete replica of the original Amazon EC2 instance. Your app-tier AMIs will usually contain snapshots of your applications, including their data, so sharing your images in this manner can allow malicious users to identify weaknesses in the configuration of these applications, or even steal your data.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.
Audit
To identify any publicly shared app-tier AMIs within your AWS cloud account, perform the following operations:
Remediation / Resolution
Case A: To make your publicly shared AMIs private, perform the following operations:
Case B: To deny public access to your app-tier AMIs and share them with specific AWS accounts only, perform the following operations:
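The audit and both remediation cases can be scripted around the `describe-images`, `reset-image-attribute` and `modify-image-attribute` commands listed in the references. The following is an added example, not Conformity's own code: it filters a `describe-images` response for images that are both public and carry the app-tier tag, then builds the Case A (make private) or Case B (share with specific accounts only) CLI command for each. The tag key `tier`, value `app`, the AMI IDs and the account ID are constructed placeholders.

```python
# Added example (not Conformity's own code): audit a describe-images response for
# publicly shared app-tier AMIs and build the remediation commands for Case A/B.
# Works offline on a constructed sample; against a live account feed it the JSON
# from: aws ec2 describe-images --owners self --filters Name=is-public,Values=true
import json

APP_TIER_TAG = "tier"    # placeholder for <app_tier_tag>
APP_TIER_VALUE = "app"   # placeholder for <app_tier_tag_value>

# Constructed sample: public app-tier AMI, public web-tier AMI, private app-tier AMI.
SAMPLE_RESPONSE = json.loads("""
{"Images": [
  {"ImageId": "ami-0aaa111122223333a", "Public": true,
   "Tags": [{"Key": "tier", "Value": "app"}]},
  {"ImageId": "ami-0bbb111122223333b", "Public": true,
   "Tags": [{"Key": "tier", "Value": "web"}]},
  {"ImageId": "ami-0ccc111122223333c", "Public": false,
   "Tags": [{"Key": "tier", "Value": "app"}]}
]}""")


def has_tag(image, key, value):
    """True if the image carries the given tag key/value pair."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in image.get("Tags", []))


def public_app_tier_amis(response, tag_key=APP_TIER_TAG, tag_value=APP_TIER_VALUE):
    """IDs of images that are both publicly shared and tagged as app tier."""
    return [img["ImageId"] for img in response.get("Images", [])
            if img.get("Public") and has_tag(img, tag_key, tag_value)]


def remediation_commands(image_ids, allowed_accounts=None):
    """Case A (no accounts): reset launchPermission so the AMI is private.
    Case B: drop the 'all' group and grant only the listed AWS account IDs."""
    cmds = []
    for ami in image_ids:
        if not allowed_accounts:
            cmds.append(f"aws ec2 reset-image-attribute --image-id {ami} "
                        "--attribute launchPermission")
        else:
            add = ",".join(f"{{UserId={acct}}}" for acct in allowed_accounts)
            cmds.append(f"aws ec2 modify-image-attribute --image-id {ami} "
                        f'--launch-permission "Remove=[{{Group=all}}],Add=[{add}]"')
    return cmds


print("\n".join(remediation_commands(public_app_tier_amis(SAMPLE_RESPONSE))))
```

Pass a list of account IDs as the second argument of `remediation_commands` to generate the Case B form instead; re-run the `describe-images` filter afterwards to confirm no app-tier image still reports `"Public": true`.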
References
- AWS Documentation
  - Guidelines for Shared Linux AMIs
  - Making an AMI Public
  - Sharing an AMI with Specific AWS Accounts
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-images
    - reset-image-attribute
    - modify-image-attribute