Ensure that your Amazon Machine Images (AMIs) are not shared publicly with all other AWS accounts, in order to avoid exposing sensitive data. Trend Cloud One™ – Conformity strongly recommends against sharing your AMIs with all AWS cloud accounts. If sharing is required, you can share your images with specific (trusted) AWS accounts without making them public.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you make an AMI publicly accessible, it is listed under Community AMIs, where anyone with an AWS account can use it to launch Amazon EC2 instances. In most cases your AMIs contain snapshots of your applications (including their data), so exposing those snapshots in this way is not advised.
Audit
To identify any publicly accessible Amazon Machine Images (AMIs), perform the following operations:
Case A: To make your publicly shared AMIs private, perform the following operations:
Case B: To deny public access to your AMIs and share them with specific and trusted AWS accounts only, perform the following operations:
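The following Python script is an added example, not Conformity's or AWS's own code. It shows the audit logic behind the rule (filtering `describe-images` output on the `Public` flag) and builds the AWS CLI commands for both remediation cases: `reset-image-attribute` to make an AMI private (Case A) and `modify-image-attribute` to grant launch permission to specific trusted accounts only (Case B). The `describe-images` response and the account ID embedded below are constructed sample values; the `aws` CLI is only invoked when a command is run with `dry_run=False`.

```python
"""Audit and remediation helpers for publicly shared AMIs (added example)."""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample: the shape of `aws ec2 describe-images --owners self --output json`.
# Two of the three images carry "Public": true and would be flagged by the audit.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "app-server-2024-01", "Public": True},
        {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "db-snapshot-2024-01", "Public": False},
        {"ImageId": "ami-0ccccccccccccccc3", "Name": "bastion-2023-12", "Public": True},
    ]
})


def find_public_amis(describe_images_json: str) -> List[str]:
    """Audit: return the IDs of every image whose launch permission includes the
    `all` group, which describe-images reports as "Public": true."""
    data = json.loads(describe_images_json)
    return [img["ImageId"] for img in data.get("Images", []) if img.get("Public") is True]


def live_describe_images_cmd() -> List[str]:
    """Audit against a real account: the is-public filter limits the output to
    images owned by the caller that are shared with everyone."""
    return ["aws", "ec2", "describe-images", "--owners", "self",
            "--filters", "Name=is-public,Values=true", "--output", "json"]


def reset_launch_permission_cmd(image_id: str) -> List[str]:
    """Case A: resetting launchPermission removes every grant, including the
    `all` group, so the image becomes private."""
    return ["aws", "ec2", "reset-image-attribute",
            "--image-id", image_id, "--attribute", "launchPermission"]


def share_with_accounts_cmd(image_id: str, account_ids: List[str]) -> List[str]:
    """Case B, second step: grant launch permission to named accounts only.
    Account IDs are validated so a typo cannot silently grant nothing or fail late."""
    for acct in account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    adds = ",".join("{UserId=%s}" % a for a in account_ids)
    return ["aws", "ec2", "modify-image-attribute",
            "--image-id", image_id, "--launch-permission", f"Add=[{adds}]"]


def remediation_plan(describe_images_json: str,
                     trusted_accounts: Optional[List[str]] = None) -> Dict[str, List[List[str]]]:
    """Map each public AMI to the ordered CLI commands that fix it.

    With no trusted accounts this is Case A (reset only). With trusted accounts
    it is Case B: reset first so the `all` group is gone, then add the accounts.
    """
    plan: Dict[str, List[List[str]]] = {}
    for image_id in find_public_amis(describe_images_json):
        commands = [reset_launch_permission_cmd(image_id)]
        if trusted_accounts:
            commands.append(share_with_accounts_cmd(image_id, trusted_accounts))
        plan[image_id] = commands
    return plan


def run_commands(commands: List[List[str]], dry_run: bool = True) -> List[str]:
    """Execute (or, by default, just render) each command. Returns the rendered
    command lines so a reviewer can inspect the plan before applying it."""
    rendered = [" ".join(cmd) for cmd in commands]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)  # requires a configured AWS CLI
    return rendered


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; "123456789012" is a placeholder account.
    for image_id, cmds in remediation_plan(SAMPLE_DESCRIBE_IMAGES, ["123456789012"]).items():
        print(f"{image_id}:")
        for line in run_commands(cmds):
            print("  " + line)
```

Run the script as-is to see the plan for the sample data; to audit a real account, pipe the output of `live_describe_images_cmd()` into `find_public_amis()`. Resetting before adding accounts in Case B matters: `modify-image-attribute` with only an `Add` entry leaves an existing `all` group in place, so the image would stay public.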
References
- AWS Documentation
- Amazon EC2 FAQs
- Guidelines for Shared Linux AMIs
- Making an AMI Public
- Sharing an AMI with Specific AWS Accounts
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-images
    - reset-image-attribute
    - modify-image-attribute