Web-Tier Publicly Shared AMI

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-067

Ensure that none of the Amazon Machine Images (AMIs) created within your web tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary web applications, personal data and configuration information that can be used to exploit or compromise running EC2 instances available in your web tier. This conformity rule assumes that all the AWS resources available within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS

For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you make your web-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to create a complete replica of the original EC2 instance. Most of the time your web-tier AMIs will contain snapshots of your web applications (including their data), therefore sharing your images in this manner can allow malicious users to identify weaknesses in the use and configuration of your web applications, or even steal your data.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.


Audit

To identify any publicly shared web-tier AMIs within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Publicly Shared Web-Tier AMIs conformity rule settings, and copy the tag set defined for the AWS cloud resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Images, choose AMIs.

05 Choose Owned by me to list only your Amazon Machine Images (AMIs).

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>), then press Enter. This filtering technique will return only the images tagged for the web tier. If no results are returned, there is no AMI tagged within your web tier and the Audit process ends here. If the Amazon EC2 console returns one or more images, continue the Audit process with the next step.

07 Select the web-tier Amazon Machine Image that you want to examine.

08 Select the Permissions tab from the console bottom panel and check the launch permissions configured for the image. If the selected web-tier AMI is publicly shared, the Amazon EC2 console displays the following status: This image is currently Public.

09 Repeat steps no. 7 and 8 for each web-tier AMI available within the current AWS cloud region.

10 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Publicly Shared Web-Tier AMIs conformity rule settings, and identify the tag set defined for the AWS cloud resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run the describe-images command (OSX/Linux/UNIX) using the tag set identified at the previous step as the filter parameter, to list the IDs of the web-tier AMIs available in the selected AWS cloud region (the public launch permission status is checked in step no. 4):

aws ec2 describe-images \
  --region us-east-1 \
  --owners self \
  --filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> \
  --query 'Images[*].ImageId'

03 The describe-images command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, there are no web-tier AMIs available in the selected region and the Audit process ends here:
    []
    
  2. If the command output returns an array with web-tier AMI IDs, as shown in the example below, continue the Audit process with the next step:
    [
        "ami-0abcd1234abcd1234",
        "ami-01234abcd1234abcd"
    ]

04 Run the describe-images command (OSX/Linux/UNIX) using the ID of the web-tier AMI that you want to examine as the identifier parameter, to determine whether the selected image has public launch permissions:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-0abcd1234abcd1234 \
  --owners self \
  --query 'Images[*].Public'

05 The command output should return the public launch permission status:

[
    true
]

If the describe-images command output returns true, as shown in the output example above, the selected web-tier AMI is publicly shared.

06 Repeat steps no. 4 and 5 for each web-tier AMI available in the selected AWS cloud region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

Case A: To make your publicly shared AMIs private, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Choose Owned by me to list only your Amazon Machine Images (AMIs).

05 Select the web-tier AMI that you want to make private.

06 Select the Permissions tab from the console bottom panel and choose Edit.

07 Inside the Modify Image Permissions configuration box, select Private to change the launch permissions for the selected image to private, then click Save to apply the changes.

08 Repeat steps no. 5 – 7 to change the launch permissions for other publicly shared web-tier AMIs available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the modify-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI that you want to make private as the identifier parameter, to remove the "all" group from the image launch permissions and make the selected image private (if successful, the command does not produce an output):

aws ec2 modify-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

02 Repeat step no. 1 to change the launch permissions for other publicly shared web-tier AMIs available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Case B: To deny public access to your web-tier AMIs and share them with specific AWS accounts only, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Choose Owned by me to list only your Amazon Machine Images (AMIs).

05 Select the web-tier AMI that you want to share only with specific AWS cloud accounts.

06 Select the Permissions tab from the console bottom panel and choose Edit.

07 Inside the Modify Image Permissions configuration box, perform the following actions:

  1. Select Private to make the selected web-tier AMI private.
  2. Enter the ID of the trusted AWS account (e.g. 123456789012) in the AWS Account Number box, then click Add Permission. The selected image will be shared with the AWS account specified at this step.
  3. (Optional) Select the Add "create volume" permissions to the following associated snapshots when creating permissions checkbox to provide the trusted AWS account, specified at the previous step, the capability to create Amazon EBS volumes from the associated snapshots.
  4. Click Save to apply the changes.

08 Repeat steps no. 5 – 7 to change the launch permissions for other publicly shared web-tier AMIs available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the reset-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI that you want to share with trusted AWS accounts as the identifier parameter, to reset the image launch permissions and remove the public access (the command does not produce an output):

aws ec2 reset-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --attribute launchPermission

02 Run the modify-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI selected at the previous step as the identifier parameter, to update the image launch permissions and make it accessible only to the trusted AWS accounts (if successful, the command does not produce an output):

aws ec2 modify-image-attribute \
  --region us-east-1 \
  --image-id ami-0abcd1234abcd1234 \
  --launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"

03 Repeat steps no. 1 and 2 to reset and change the launch permissions for other publicly shared web-tier AMIs available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
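As an added example, not part of the Conformity rule content or the AWS CLI, the following Python script applies the Audit and Remediation logic above to the JSON that aws ec2 describe-images --owners self --output json prints for one region: it selects the images carrying the web-tier tag, reports those whose Public attribute is true, and builds the --launch-permission document used in Case A and Case B. The tag key web_tier, its value frontend, the AMI IDs and the account ID in the sample are constructed values.

```python
"""Audit helper for rule EC2-067: find publicly shared web-tier AMIs."""
import json
import sys

# Constructed stand-in for one region's `aws ec2 describe-images --owners self
# --output json` response (only the fields the check needs); not real AWS data.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-0abcd1234abcd1234", "Public": True,
     "Tags": [{"Key": "web_tier", "Value": "frontend"}]},
    {"ImageId": "ami-01234abcd1234abcd", "Public": False,
     "Tags": [{"Key": "web_tier", "Value": "frontend"}]},
    {"ImageId": "ami-0fedcba9876543210", "Public": True,
     "Tags": [{"Key": "app_tier", "Value": "api"}]},
    {"ImageId": "ami-0000000000000001", "Public": True},  # untagged image
]})


def has_tag(image, key, value):
    """True when the image carries the given Key/Value tag pair."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in image.get("Tags", []))


def public_web_tier_amis(describe_output, tag_key, tag_value):
    """Return the sorted IDs of web-tier-tagged images whose launch
    permissions are public ("Public": true), i.e. the rule's findings."""
    images = json.loads(describe_output).get("Images", [])
    return sorted(img["ImageId"] for img in images
                  if has_tag(img, tag_key, tag_value) and img.get("Public") is True)


def launch_permission_fix(trusted_account_ids=()):
    """Build the --launch-permission JSON for modify-image-attribute: drop the
    'all' group (Case A) and, if trusted account IDs are given, add them (Case B)."""
    perm = {"Remove": [{"Group": "all"}]}
    if trusted_account_ids:
        perm["Add"] = [{"UserId": acct} for acct in trusted_account_ids]
    return json.dumps(perm, separators=(",", ":"))


if __name__ == "__main__":
    # Usage: aws ec2 describe-images --owners self --output json \
    #          | python3 audit_web_tier_amis.py <web_tier_tag> <web_tier_tag_value>
    # With no piped stdin, the constructed sample above is checked instead.
    data = SAMPLE_DESCRIBE_IMAGES if sys.stdin.isatty() else sys.stdin.read()
    key, value = sys.argv[1:3] if len(sys.argv) == 3 else ("web_tier", "frontend")
    for ami in public_web_tier_amis(data, key, value):
        print(f"FINDING {ami} is public; remediate with: aws ec2 modify-image-attribute "
              f"--image-id {ami} --launch-permission '{launch_permission_fix()}'")
```

Run it once per region (the describe-images output is region-scoped), or pass the trusted account IDs to launch_permission_fix to produce the Case B document in a single modify-image-attribute call.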

Publication date Mar 5, 2018