Publicly Shared AMI

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-019

Ensure that your Amazon Machine Images (AMIs) are not publicly shared with other AWS accounts, in order to avoid exposing sensitive data. Trend Cloud One™ – Conformity strongly recommends against sharing your AMIs with all AWS cloud accounts. If sharing is required, share the image with specific (trusted) AWS accounts only, without making it public.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you make an AMI public, it is listed under Community AMIs and anyone with an AWS account can launch Amazon EC2 instances from it and read the contents of its volumes. An AMI is backed by EBS snapshots of the instance it was created from, so it commonly carries application code, configuration files, credentials, SSH keys, shell history and application data that were on disk at the time, therefore exposing your images in this manner is not advised. Note that AWS does not allow an AMI backed by encrypted snapshots to be made public; an unencrypted image, by contrast, can be exposed with a single permissions change, which is why this check matters.


Audit

To identify any publicly accessible Amazon Machine Images (AMIs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image that you want to examine.

05 Select the Permissions tab from the console bottom panel and check the launch permissions configured for the image. If the selected AMI is publicly shared, the Amazon EC2 console displays the following status: This image is currently Public.

06 Repeat steps no. 4 and 5 for each AMI available within the current AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:

aws ec2 describe-images \
  --region us-east-1 \
  --owners self \
  --output table \
  --query 'Images[*].ImageId'

02 The command output should return the requested resource identifiers (IDs):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0abcd1234abcd1234  |
|  ami-01234abcd1234abcd  |
|  ami-0abcdabcdabcdabcd  |
+-------------------------+

03 Run describe-images command (OSX/Linux/UNIX) using the ID of the AMI that you want to examine as the identifier parameter, to determine whether the selected image has public launch permissions:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-0abcd1234abcd1234 \
  --owners self \
  --query 'Images[*].Public'

04 The command output should return the public launch permission status:

[
	true
]

If the describe-images command output returns true, as shown in the output example above, the selected Amazon Machine Image is publicly shared.

05 Repeat steps no. 3 and 4 for each AMI available in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
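The audit steps above check one image at a time and one region at a time. The following script, an added example rather than code from the Conformity page, folds them into a single pass: the `Public` field that step 03 queries is already present in the `describe-images --owners self` output, so one call per region is enough to list every publicly shared AMI the account owns. Offline it runs against a constructed sample of that output (the image IDs and names are placeholders); with `--live` it calls the AWS CLI, which is assumed to be on `PATH` with credentials configured.

```python
"""Audit: list publicly shared AMIs owned by this account across all regions.

Added example, not from the Conformity page. One `describe-images --owners self`
call per region already carries the `Public` flag, so no per-image call is needed.
"""
import json
import subprocess
import sys

# Constructed sample of `aws ec2 describe-images --owners self --output json`
# for two regions. Image IDs and names are placeholders, not real AMIs.
SAMPLE_DESCRIBE_IMAGES = {
    "us-east-1": {"Images": [
        {"ImageId": "ami-0abcd1234abcd1234", "Name": "web-golden", "Public": True},
        {"ImageId": "ami-01234abcd1234abcd", "Name": "db-backup", "Public": False},
    ]},
    "eu-west-1": {"Images": [
        {"ImageId": "ami-0abcdabcdabcdabcd", "Name": "ci-runner", "Public": True},
    ]},
}


def aws_json(args):
    """Run an AWS CLI command and parse its JSON output (assumes `aws` on PATH)."""
    out = subprocess.run(["aws", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def public_images(describe_output):
    """Return the sorted IDs of images whose Public flag is true.

    This is the same `Public` field the audit step 03 queries per image, so the
    result matches checking each AMI individually for `true`.
    """
    return sorted(img["ImageId"] for img in describe_output.get("Images", [])
                  if img.get("Public") is True)


def audit(per_region_output):
    """Map region -> list of public AMI IDs; regions with none are omitted."""
    findings = {}
    for region, output in per_region_output.items():
        ids = public_images(output)
        if ids:
            findings[region] = ids
    return findings


def collect_live():
    """Fetch describe-images for every region enabled in the account."""
    regions = [r["RegionName"] for r in aws_json(["ec2", "describe-regions"])["Regions"]]
    return {r: aws_json(["ec2", "describe-images", "--region", r, "--owners", "self"])
            for r in regions}


if __name__ == "__main__":
    data = collect_live() if "--live" in sys.argv else SAMPLE_DESCRIBE_IMAGES
    findings = audit(data)
    for region, ids in findings.items():
        for image_id in ids:
            print(f"PUBLIC {region} {image_id}")
    # Non-zero exit status lets a CI job or cron check fail on any finding.
    sys.exit(1 if findings else 0)
```

Because `--owners self` is applied server-side, the script never lists images shared with you by other accounts, only images you own and could have exposed; that is exactly the set this rule is about.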

Remediation / Resolution

Case A: To make your publicly shared AMIs private, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image that you want to make private.

05 Select the Permissions tab from the console bottom panel and choose Edit.

06 Inside the Modify Image Permissions configuration box, select Private to change the launch permissions for the selected image to private, then click Save to apply the changes.

07 Repeat steps no. 4 – 6 to change the launch permissions for other publicly shared AMIs available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the AMI that you want to make private as the identifier parameter, to change the launch permissions for the selected image to private (if successful, the command does not produce an output):

aws ec2 modify-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

02 Repeat step no. 1 to change the launch permissions for other publicly shared AMIs available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Case B: To deny public access to your AMIs and share them with specific and trusted AWS accounts only, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the AMI that you want to share only with specific AWS cloud accounts.

05 Select the Permissions tab from the console bottom panel and choose Edit.

06 Inside the Modify Image Permissions configuration box, perform the following actions:

  1. Select Private to make the selected image private.
  2. Enter the ID of the trusted AWS account (e.g. 123456789012) in the AWS Account Number box, then click Add Permission. The selected image will be shared with the AWS account specified at this step.
  3. (Optional) Select the Add "create volume" permissions to the following associated snapshots when creating permissions checkbox to provide the trusted AWS account, specified at the previous step, the capability to create Amazon EBS volumes from the associated snapshots.
  4. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to change the launch permissions for other publicly shared AMIs available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run reset-image-attribute command (OSX/Linux/UNIX) using the ID of the AMI that you want to share with trusted AWS accounts as the identifier parameter, to reset the image launch permissions and remove the public access (the command does not produce an output). Note that the reset removes every launch permission on the image, including grants to AWS accounts you added earlier, so any account that should keep access must be added again at the next step:

aws ec2 reset-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --attribute launchPermission

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the AMI selected at the previous step as the identifier parameter, to update the image launch permissions and make it accessible only to trusted AWS accounts (if successful, the command does not produce an output):

aws ec2 modify-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"

03 Repeat steps no. 1 and 2 to reset and change the launch permissions for other publicly shared AMIs available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
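Case A removes the `all` group, and Case B resets every launch permission and then re-adds trusted accounts one by one. The script below is an added example, not code from the Conformity page; it serves both cases with a single modify-image-attribute call computed from the image's current launch permissions (as returned by `describe-image-attribute --attribute launchPermission`): the `all` group is removed if present and only the trusted accounts that are not already granted are added, so existing per-account grants survive, which the reset-based procedure does not guarantee. Offline it works on a constructed sample of the attribute output (the image and account IDs are placeholders); with `--live` it calls the AWS CLI, assumed to be on `PATH` with credentials configured.

```python
"""Remediation: build one modify-image-attribute change for a public AMI.

Added example, not from the Conformity page. Removes the `all` group (Case A)
and adds any missing trusted accounts (Case B) in a single call, without
resetting the grants the image already has.
"""
import json
import re
import subprocess
import sys

# Constructed sample of `aws ec2 describe-image-attribute --attribute
# launchPermission --output json`; IDs are placeholders, not real resources.
SAMPLE_ATTRIBUTE = {
    "ImageId": "ami-0abcd1234abcd1234",
    "LaunchPermissions": [{"Group": "all"}, {"UserId": "111111111111"}],
}

ACCOUNT_ID = re.compile(r"^\d{12}$")


def launch_permission_change(attribute, trusted_accounts=()):
    """Return the LaunchPermissionModifications dict, or None if nothing to do.

    - Removes the `all` group when the image is public (Case A).
    - Adds each trusted account that does not already hold a grant (Case B).
    Grants to other accounts are left untouched, unlike reset-image-attribute.
    """
    for acct in trusted_accounts:
        if not ACCOUNT_ID.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    current = attribute.get("LaunchPermissions", [])
    is_public = any(p.get("Group") == "all" for p in current)
    existing = {p["UserId"] for p in current if "UserId" in p}
    change = {}
    if is_public:
        change["Remove"] = [{"Group": "all"}]
    to_add = [{"UserId": a} for a in trusted_accounts if a not in existing]
    if to_add:
        change["Add"] = to_add
    return change or None


def modify_command(region, image_id, change):
    """The aws CLI invocation as an argv list (same shape as the page's command)."""
    return ["aws", "ec2", "modify-image-attribute", "--region", region,
            "--image-id", image_id, "--launch-permission", json.dumps(change)]


def remediate(region, image_id, trusted_accounts=(), live=False):
    """Read current permissions (live or sample) and return the command to apply.

    Returns None when the image is already private and every trusted account
    is already granted; when live=True the command is also executed.
    """
    if live:
        out = subprocess.run(["aws", "ec2", "describe-image-attribute",
                              "--region", region, "--image-id", image_id,
                              "--attribute", "launchPermission", "--output", "json"],
                             check=True, capture_output=True, text=True).stdout
        attribute = json.loads(out)
    else:
        attribute = SAMPLE_ATTRIBUTE
    change = launch_permission_change(attribute, trusted_accounts)
    if change is None:
        return None
    cmd = modify_command(region, image_id, change)
    if live:
        subprocess.run(cmd, check=True)  # prints nothing on success, like the page's step
    return cmd


if __name__ == "__main__":
    live = "--live" in sys.argv
    accounts = [a for a in sys.argv[1:] if ACCOUNT_ID.match(a)]
    cmd = remediate("us-east-1", SAMPLE_ATTRIBUTE["ImageId"], accounts, live=live)
    print(" ".join(cmd) if cmd else "nothing to change")
```

Run it with the trusted account IDs as arguments; without `--live` it only prints the modify-image-attribute command it would execute, which is a convenient way to review the change before applying it. Sharing the launch permission is enough for the grantee to launch instances; if the image's snapshots are encrypted with a customer managed KMS key, the key policy must also grant the trusted account access, or the launch will fail.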

Publication date Jun 4, 2016