Ensure that none of the Amazon Machine Images (AMIs) created within your app tier are publicly shared with other AWS accounts, in order to avoid exposing sensitive information: these images can contain proprietary applications, personal data and configuration information that can be used to exploit or compromise the running EC2 instances in your app tier. This conformity rule assumes that all AWS resources within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured within the rule settings, on the Cloud Conformity account dashboard.
When you make your app-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to launch a replica of the original EC2 instances. Your app-tier AMIs will usually contain snapshots of your applications (including their data), so sharing your images in this way can allow malicious users to identify weaknesses in the configuration and usage of these applications, or even steal your application data. Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To identify app-tier AMIs that are currently accessible to all other AWS accounts, perform the following actions:
Case A: To make the publicly accessible app-tier AMIs private, perform the following actions:
Case B: To block public access to your app-tier AMIs and share them only with specific (friendly) AWS accounts, perform the following actions:
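The following is an added example (not part of the Cloud Conformity rule content or of any AWS tooling) that covers the three procedures above in one script: identifying app-tier AMIs that are public, making them private (Case A), and restricting them to specific AWS accounts (Case B). It works on the response shapes of the EC2 `DescribeImages`, `DescribeImageAttribute` and `ModifyImageAttribute` APIs as exposed by boto3. The tag placeholders are stood in for by the `APP_TIER_TAG` / `APP_TIER_TAG_VALUE` constants, the account ID in `FRIENDLY_ACCOUNTS` and the images in `SAMPLE_DESCRIBE_IMAGES` are constructed sample values, and the `remediate` driver that actually calls AWS is an assumption about how you would wire the helpers up (it defaults to a dry run).

```python
"""Triage and remediation helpers for publicly shared app-tier AMIs.

Added example; the constants below are placeholders for the rule's
<app_tier_tag>:<app_tier_tag_value> tags and for a constructed account ID.
"""
import re
from typing import Dict, List, Optional

APP_TIER_TAG = "app_tier_tag"              # stands in for <app_tier_tag>
APP_TIER_TAG_VALUE = "app_tier_tag_value"  # stands in for <app_tier_tag_value>
FRIENDLY_ACCOUNTS = ["111111111111"]       # constructed sample AWS account ID

# Constructed sample of an ec2.describe_images(Owners=["self"]) response:
# only the first image is both tagged as app tier and public.
SAMPLE_DESCRIBE_IMAGES = {
    "Images": [
        {"ImageId": "ami-0000000000000aaaa", "Public": True,
         "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}]},
        {"ImageId": "ami-0000000000000bbbb", "Public": False,
         "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}]},
        {"ImageId": "ami-0000000000000cccc", "Public": True,
         "Tags": [{"Key": "Name", "Value": "web"}]},
        {"ImageId": "ami-0000000000000dddd", "Public": True},  # untagged
    ]
}


def find_public_app_tier_amis(describe_images_response: Dict) -> List[str]:
    """Return the IDs of images that carry the app-tier tag AND are public.
    Input has the shape of ec2.describe_images(); 'Public' is the boolean
    that DescribeImages reports for each image."""
    hits = []
    for image in describe_images_response.get("Images", []):
        tags = {t["Key"]: t["Value"] for t in image.get("Tags", [])}
        if tags.get(APP_TIER_TAG) != APP_TIER_TAG_VALUE:
            continue
        if image.get("Public") is True:
            hits.append(image["ImageId"])
    return hits


def classify_launch_permissions(launch_permissions: List[Dict]) -> str:
    """Classify the 'LaunchPermissions' list returned by
    ec2.describe_image_attribute(Attribute='launchPermission').
    {'Group': 'all'} means every AWS account may launch the AMI."""
    if any(p.get("Group") == "all" for p in launch_permissions):
        return "public"
    if any("UserId" in p for p in launch_permissions):
        return "shared"
    return "private"


def make_private_request(image_id: str) -> Dict:
    """Case A: ModifyImageAttribute parameters that drop the 'all' group."""
    return {"ImageId": image_id,
            "LaunchPermission": {"Remove": [{"Group": "all"}]}}


def share_with_accounts_request(image_id: str, account_ids: List[str]) -> Dict:
    """Case B: drop the 'all' group and grant launch permission only to the
    listed account IDs. Rejects malformed IDs so a typo cannot widen access."""
    if not account_ids:
        raise ValueError("Case B requires at least one friendly account ID")
    for acct in account_ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"invalid AWS account ID: {acct!r}")
    return {"ImageId": image_id,
            "LaunchPermission": {"Remove": [{"Group": "all"}],
                                 "Add": [{"UserId": a} for a in account_ids]}}


def remediate(region: str, friendly_accounts: Optional[List[str]] = None,
              dry_run: bool = True) -> List[Dict]:
    """Hypothetical driver: find public app-tier AMIs in one region and apply
    Case A (no account list) or Case B (account list given). Returns the
    requests it built; only sends them when dry_run is False."""
    import boto3  # imported here so the pure helpers work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    # Server-side filters narrow the listing; the helper re-checks the result.
    resp = ec2.describe_images(Owners=["self"], Filters=[
        {"Name": "is-public", "Values": ["true"]},
        {"Name": f"tag:{APP_TIER_TAG}", "Values": [APP_TIER_TAG_VALUE]}])
    requests = []
    for image_id in find_public_app_tier_amis(resp):
        req = (share_with_accounts_request(image_id, friendly_accounts)
               if friendly_accounts else make_private_request(image_id))
        requests.append(req)
        if not dry_run:
            ec2.modify_image_attribute(**req)
    return requests


if __name__ == "__main__":
    # Offline walk-through on the constructed sample data.
    for ami in find_public_app_tier_amis(SAMPLE_DESCRIBE_IMAGES):
        print("public app-tier AMI:", ami)
        print(" Case A:", make_private_request(ami))
        print(" Case B:", share_with_accounts_request(ami, FRIENDLY_ACCOUNTS))
```

Run the script as-is to see the requests it would build for the sample data; point `remediate` at a region (with `dry_run=False`) only after reviewing its output, and run it per region, since AMIs and their launch permissions are regional.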