Ensure that none of the Amazon Machine Images (AMIs) created within your web tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary web applications, personal data and configuration information that can be used to exploit or compromise running EC2 instances available in your web tier. This conformity rule assumes that all the AWS resources available within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you make your web-tier AMIs accessible to all other AWS accounts, you allow anyone with an AWS account to launch a complete replica of the original EC2 instance. Most of the time your web-tier AMIs will contain snapshots of your web applications (including their data), so sharing your images in this manner can allow malicious users to identify weaknesses in the use and configuration of your web applications, or even steal your data.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.
Audit
To identify any publicly shared web-tier AMIs within your AWS cloud account, perform the following operations:
Remediation / Resolution
Case A: To make your publicly shared AMIs private, perform the following operations:
Case B: To deny public access to your web-tier AMIs and share them with specific AWS accounts only, perform the following operations:
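The audit and both remediation cases can be carried out with the AWS CLI commands listed under References. The script below is an added example and is not part of this Conformity rule page or of Trend Micro's tooling. It assumes (hypothetically) that the web-tier tag set and the region are supplied through the WEB_TIER_TAG, WEB_TIER_TAG_VALUE and AWS_REGION environment variables, that the caller has the ec2:DescribeImages, ec2:DescribeImageAttribute, ec2:ModifyImageAttribute and ec2:ResetImageAttribute permissions, and that the account IDs passed to share_ami_with_accounts are placeholders you replace with your own trusted accounts.

```shell
#!/bin/sh
# Added example (not the Conformity rule's own content): audit and remediate
# publicly shared web-tier AMIs with describe-images, reset-image-attribute and
# modify-image-attribute. The tag set, region and dry-run switch below are
# assumptions supplied through the environment.
set -eu

WEB_TIER_TAG="${WEB_TIER_TAG:-Tier}"            # assumed <web_tier_tag>
WEB_TIER_TAG_VALUE="${WEB_TIER_TAG_VALUE:-web}" # assumed <web_tier_tag_value>
AWS_REGION="${AWS_REGION:-us-east-1}"           # assumed region
DRY_RUN="${DRY_RUN:-1}"                         # 1 = report only, 0 = fix

# Audit: IDs (whitespace separated) of AMIs owned by this account that carry
# the web-tier tag and whose launch permission is public.
list_public_web_tier_amis() {
    aws ec2 describe-images \
        --region "$AWS_REGION" \
        --owners self \
        --filters "Name=tag:${WEB_TIER_TAG},Values=${WEB_TIER_TAG_VALUE}" \
                  "Name=is-public,Values=true" \
        --query 'Images[].ImageId' \
        --output text
}

# Verification: number of launch permissions granted to the "all" group.
# 0 means the AMI is private.
public_launch_permission_count() {
    aws ec2 describe-image-attribute \
        --region "$AWS_REGION" \
        --image-id "$1" \
        --attribute launchPermission \
        --query 'length(LaunchPermissions[?Group==`all`])' \
        --output text
}

# Case A: remove every launch permission, which makes the AMI private again.
make_ami_private() {
    aws ec2 reset-image-attribute \
        --region "$AWS_REGION" \
        --image-id "$1" \
        --attribute launchPermission
}

# Case B: revoke public access, then grant launch permission only to the
# AWS account IDs passed after the image ID.
share_ami_with_accounts() {
    image_id="$1"
    shift
    aws ec2 modify-image-attribute \
        --region "$AWS_REGION" \
        --image-id "$image_id" \
        --launch-permission "Remove=[{Group=all}]"
    for account_id in "$@"; do
        aws ec2 modify-image-attribute \
            --region "$AWS_REGION" \
            --image-id "$image_id" \
            --launch-permission "Add=[{UserId=${account_id}}]"
    done
}

# Walk every public web-tier AMI. In dry-run mode only report each finding;
# otherwise apply Case A and re-read the attribute to confirm the fix, rather
# than trusting the exit code of the reset call alone.
audit_web_tier_amis() {
    found=0
    for image_id in $(list_public_web_tier_amis); do
        found=$((found + 1))
        if [ "$DRY_RUN" != "0" ]; then
            echo "FINDING $image_id is publicly shared"
            continue
        fi
        make_ami_private "$image_id"
        if [ "$(public_launch_permission_count "$image_id")" = "0" ]; then
            echo "FIXED $image_id is now private"
        else
            echo "ERROR $image_id is still public" >&2
            return 1
        fi
    done
    [ "$found" -eq 0 ] && echo "OK no public web-tier AMIs found"
    return 0
}

# Run the audit only when explicitly requested, so sourcing this file in a
# shell or a test just defines the functions above.
if [ "${RUN_WEB_TIER_AMI_AUDIT:-0}" = "1" ]; then
    audit_web_tier_amis
fi
```

Run it first with the default DRY_RUN=1 (for example `RUN_WEB_TIER_AMI_AUDIT=1 sh audit-amis.sh`) to get the list of findings, and only then with DRY_RUN=0 to apply Case A. For Case B, call share_ami_with_accounts with the image ID followed by the trusted account IDs; the Remove step runs before the Add steps so the image is never left public while the new permissions are added.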
References
- AWS Documentation
  - Guidelines for Shared Linux AMIs
  - Making an AMI Public
  - Sharing an AMI with Specific AWS Accounts
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-images
    - reset-image-attribute
    - modify-image-attribute