
Check for Untrusted AMI Cross-Account Access

Security

Risk level: High (not acceptable risk)

Ensure that your Amazon Machine Images (AMIs) can be used only by trusted (friendly) AWS accounts, in order to prevent unauthorized users from gaining access to sensitive information: AMIs can contain proprietary applications, personal data and configuration information that can be used to exploit or compromise EC2 instances launched within your AWS account. Before this rule is run by the Cloud Conformity engine, the list of friendly AWS account identifiers must be configured within the rule settings, on the Cloud Conformity account dashboard.

Allowing unknown cross-account access to your Amazon Machine Images can authorize untrusted AWS account users to launch EC2 instances using your AMIs.

Audit

To determine if there are any AMIs configured to allow unknown cross-account access available in your AWS account, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES, choose AMIs.

04 Select Owned by me option from the dropdown menu next to the filter box.

05 Select the image that you want to examine.

06 Select the Permissions tab from the dashboard bottom panel and note the AWS account ID(s) configured for cross-account access, available in the AWS Account Number list.

07 Sign in to your Cloud Conformity account, access the Check for Unknown AMI Cross-Account Access conformity rule settings and compare the ID(s) found at the previous step against each account ID listed in the rule configuration section. If an AWS account ID does not match any of the trusted account identifiers listed on your Cloud Conformity console, the cross-account access is not secured; therefore the associated AWS account is not trusted and should not be authorized to access the selected AMI.

08 Repeat steps no. 5 – 7 to determine if other Amazon AMIs, available in the current region, are exposed to unknown cross-account access.

09 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom filtering to list the IDs of all your Amazon Machine Images (AMIs) currently available in the selected AWS region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return a table with the requested AMI IDs:

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0aaaabbbbccccdddd  |
|  ami-01234abcd1234abcd  |
+-------------------------+

03 Run describe-image-attribute command (OSX/Linux/UNIX) using the image ID returned at the previous step as identifier and custom query filters to return the IDs of the AWS accounts that have permissions to launch EC2 instances for the selected AMI:

aws ec2 describe-image-attribute \
	--region us-east-1 \
	--image-id ami-0aaaabbbbccccdddd \
	--attribute launchPermission \
	--query 'LaunchPermissions[*].UserId'

04 The command output should return the AWS account identifiers requested:

[
    "123456789012",
    "123456123456"
]

Note the AWS account ID(s) configured for cross-account access, returned by describe-image-attribute command output.

05 Sign in to your Cloud Conformity account, access the Check for Unknown AMI Cross-Account Access conformity rule settings and compare each ID returned at the previous step against each account ID listed in the rule configuration section. If an AWS account ID does not match any of the trusted account identifiers listed on your Cloud Conformity console, the cross-account access is not secured; therefore the associated AWS account is not trusted and should not be authorized to access the selected Amazon Machine Image (AMI).

06 Repeat steps no. 3 – 5 to determine if other Amazon AMIs, available in the selected region, are exposed to unknown cross-account access.

07 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To update your AMI permissions in order to authorize only trusted (friendly) AWS accounts to launch EC2 instances from your images, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account, access Check for Unknown AMI Cross-Account Access conformity rule settings and copy the AWS account ID(s) authorized to access and use your AMIs.

02 Sign in to AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Select the AMI that you want to reconfigure (see Audit section part I to identify the right image).

07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected image.

08 In the Modify Image Permissions dialog box, perform the following:

  1. Remove the untrusted account ID(s) listed below AWS Account Number using the x (delete) button.
  2. Paste the account ID(s) copied at step no. 1 in the AWS Account Number box, then click Add Permission to grant access to the trusted account(s).
  3. (Optional) Select Add "create volume" permissions to the following associated snapshots when creating permissions checkbox to allow trusted entities to create volume permissions for snapshots.
  4. Click Save to apply the changes.

09 Repeat steps no. 6 – 8 to update the launch permissions for other AWS AMIs available in the current region.

10 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity account, access Check for Unknown AMI Cross-Account Access conformity rule settings and copy the AWS account ID(s) authorized to access and use your AMIs.

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the AMI that you want to reconfigure as identifier (see Audit section part II to identify the right image) to remove the ID(s) of the untrusted AWS account(s) from the image launch permissions (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-0aaaabbbbccccdddd \
	--launch-permission "Remove=[{UserId=123456789012}]"

03 Execute modify-image-attribute command (OSX/Linux/UNIX) using the ID of the AMI that you want to reconfigure as identifier parameter to update the image launch permissions and make it accessible only for trusted AWS accounts, identified by the account ID(s) copied at step no. 1 (the command does not return an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-0aaaabbbbccccdddd \
	--launch-permission "Add=[{UserId=123123123123}]"

04 Repeat step no. 2 and 3 to update the launch permissions for other AWS AMIs available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
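The CLI audit (steps 3–5 of the audit section) and the CLI remediation (steps 2–3 above) can be combined into one check that compares the launchPermission attribute against the trusted-account list and prints the exact modify-image-attribute commands to run. The script below is an added example, not Cloud Conformity's engine or AWS code; it parses the JSON that `aws ec2 describe-image-attribute --attribute launchPermission --output json` prints (the sample document and account IDs are constructed) and also goes one step beyond the page by treating a `Group: all` grant, which makes the AMI public, as untrusted.

```python
"""Audit one AMI's launch permissions against an allowlist and build the
remediation commands.  Added example; the account IDs and the sample
describe-image-attribute output are constructed, not real."""
import json

# Constructed sample of `aws ec2 describe-image-attribute --attribute launchPermission`
SAMPLE_ATTRIBUTE_JSON = """
{
  "ImageId": "ami-0aaaabbbbccccdddd",
  "LaunchPermissions": [
    {"UserId": "123456789012"},
    {"UserId": "123456123456"},
    {"Group": "all"}
  ]
}
"""


def audit_launch_permissions(attribute_json, trusted_accounts):
    """Return (untrusted_ids, is_public).  untrusted_ids are UserIds with
    launch permission that are not in the allowlist; is_public is True when
    the 'all' group is present, which lets any AWS account launch the image
    regardless of the individual UserId entries."""
    doc = json.loads(attribute_json)
    trusted = set(trusted_accounts)
    untrusted, is_public = [], False
    for perm in doc.get("LaunchPermissions", []):
        if perm.get("Group") == "all":
            is_public = True
        elif "UserId" in perm and perm["UserId"] not in trusted:
            untrusted.append(perm["UserId"])
    return untrusted, is_public


def remediation_commands(attribute_json, trusted_accounts, region):
    """Build (but do not execute) the modify-image-attribute commands that
    remove untrusted and public grants, then add missing trusted accounts."""
    doc = json.loads(attribute_json)
    untrusted, is_public = audit_launch_permissions(attribute_json, trusted_accounts)
    base = f"aws ec2 modify-image-attribute --region {region} --image-id {doc['ImageId']}"
    cmds = []
    remove = [f"{{UserId={u}}}" for u in untrusted] + (["{Group=all}"] if is_public else [])
    if remove:
        cmds.append(f'{base} --launch-permission "Remove=[{",".join(remove)}]"')
    present = {p.get("UserId") for p in doc.get("LaunchPermissions", [])}
    add = [f"{{UserId={t}}}" for t in trusted_accounts if t not in present]
    if add:
        cmds.append(f'{base} --launch-permission "Add=[{",".join(add)}]"')
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_ATTRIBUTE_JSON, ["123456789012", "123123123123"], "us-east-1"):
        print(cmd)  # review each command, then run it per region (step 5)
```

In practice, pipe the real output of describe-image-attribute for each ImageId from step 1 into the script rather than the constructed sample.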


Publication date Apr 10, 2019