
Publicly Shared AWS AMIs

Security

Risk level: Medium (should be achieved)

Ensure that your AWS AMIs are not publicly shared with other AWS accounts, in order to avoid exposing sensitive data. Cloud Conformity strongly recommends against sharing your AMIs with all AWS accounts (the "all" launch-permission group). If another account genuinely needs to launch instances from an image, share the image with that specific AWS account ID instead of making it public.

This rule resolution is part of the Cloud Conformity Security Package

When you make an AMI public, it is listed among the Community AMIs, and anyone with an AWS account can launch EC2 instances from it or copy it into their own account. An EBS-backed AMI is a snapshot of a configured machine, so it usually carries your application code, configuration files and data, and frequently embedded secrets as well (API keys, database passwords, SSH keys, shell history, cloud credentials left in home directories). Exposing your snapshots in this manner is therefore not advised. Note also that making an image private again does not revoke anything a third party has already launched or copied while it was public; if a public AMI contained credentials, rotate them.

Audit

To identify any publicly accessible AMIs within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to examine.

05 Select the Permissions tab from the dashboard bottom panel and check the AMI's current launch permissions. If the selected image is publicly accessible, the EC2 dashboard will display the following status: "This image is currently Public.".

06 Repeat steps no. 4 and 5 to verify the launch permissions for the rest of the AMIs available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run the describe-images command (OSX/Linux/UNIX) with the --owners self filter to list the IDs of all Amazon Machine Images (AMIs) owned by your account in the selected region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return the AMI IDs requested:

------------------
| DescribeImages |
+----------------+
|  ami-3fad5252  |
|  ami-cdab54a0  |
+----------------+

03 Run the describe-images command again (OSX/Linux/UNIX), using each image ID returned at the previous step, to expose the configuration metadata of each AMI:

aws ec2 describe-images \
	--region us-east-1 \
	--image-ids ami-3fad5252

04 The command output should return the metadata for the selected AMI:

{
    "Images": [
        {
            "VirtualizationType": "hvm",
            "Name": "Web App Stack AMI ver. 1.4",
            "Hypervisor": "xen",
            "SriovNetSupport": "simple",
            "ImageId": "ami-3fad5252",
            "State": "available",
            ...
            "RootDeviceType": "ebs",
            "OwnerId": "123456789012",
            "RootDeviceName": "/dev/xvda",
            "CreationDate": "2016-06-03T15:35:51.000Z",
            "Public": true,
            "ImageType": "machine",
            "Description": "Full LAMP Stack + Web App + Local DB"
        }
    ]
}

If the Public parameter value is set to true (as shown in the example above), the "all" group holds a launch permission on the image, so every AWS account can launch instances from it and your data is publicly exposed. Otherwise the AMI is private: it is either shared with nobody or only with the specific account IDs that describe-image-attribute --attribute launchPermission lists.

05 Repeat steps no. 3 and 4 to verify the launch permissions for the rest of the AMIs available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for the other AWS regions.
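The CLI audit above can be scripted so that every region is covered in one run. The following is an added example, not code from the Cloud Conformity page: it assumes the AWS CLI is installed and that the configured credentials allow ec2:DescribeRegions and ec2:DescribeImages. It also shows the is-public filter, which lets describe-images return only the public images in a single call instead of describing each AMI individually as the manual steps do. The region-walking function is only invoked when the script is run with --run, so the row filter can be exercised on saved output without AWS access.

```shell
#!/usr/bin/env sh
# Added example, not from the Cloud Conformity page: audit every region for
# AMIs owned by this account that are publicly launchable.
# Assumes the AWS CLI is installed and the configured credentials allow
# ec2:DescribeRegions and ec2:DescribeImages.

# Reduce rows of the form "ImageId<TAB>Public<TAB>Name", which is what
#   describe-images --query 'Images[*].[ImageId,Public,Name]' --output text
# prints (booleans come out as the words True/False in text mode), to the
# public ones, emitted as "ImageId<TAB>Name". Kept free of any aws call so
# it can be run over saved output.
public_ami_rows() {
  awk -F'\t' 'BEGIN { OFS = "\t" } $2 == "True" { print $1, $3 }'
}

# Every AMI owned by this account in one region, in the row shape above.
describe_own_amis() {
  aws ec2 describe-images --region "$1" --owners self \
    --query 'Images[*].[ImageId,Public,Name]' --output text
}

# Server-side alternative: the is-public filter makes EC2 return only the
# public images, so no per-image describe-images loop is needed.
# Prints "ImageId<TAB>Name".
describe_public_amis() {
  aws ec2 describe-images --region "$1" --owners self \
    --filters Name=is-public,Values=true \
    --query 'Images[*].[ImageId,Name]' --output text
}

# Walk every enabled region and prefix each public image with its region.
audit_all_regions() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    describe_own_amis "$region" | public_ami_rows |
      awk -v r="$region" -F'\t' 'BEGIN { OFS = "\t" } NF { print r, $1, $2 }'
  done
}

# Only run the live audit when asked to, so the functions above can be
# sourced or tested without AWS credentials.
if [ "${1:-}" = "--run" ]; then
  hits=$(audit_all_regions)
  if [ -n "$hits" ]; then
    printf 'Public AMIs found (region, image id, name):\n%s\n' "$hits"
    exit 1
  fi
  echo "No public AMIs are owned by this account in any region."
fi
```

Run it as `sh audit-public-amis.sh --run` (the file name is arbitrary). A non-zero exit code when public images exist makes it usable as a scheduled check; swap describe_own_amis | public_ami_rows for describe_public_amis if you only want the server-side filtered list.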

Remediation / Resolution

Case A: To restrict public access to your AMIs and make them private, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the AMI that you want to make private.

05 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the selected image's launch permissions.

06 In the Modify Image Permissions dialog box, select Private then click Save.

07 Repeat steps no. 4 – 6 to restrict public access to the rest of the AMIs available in the current region.

08 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS accounts, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the AMI that you want to share with specific AWS accounts.

05 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the selected image's launch permissions.

06 In the Modify Image Permissions dialog box, perform the following actions:

  1. Select Private to make the AMI private.
  2. In the AWS Account Number box, enter the 12-digit ID (e.g. 355366855517) of the AWS account with whom you want to share the selected AMI, then click Add Permission. Double-check the ID: a typo shares the image with a stranger's account.
  3. (Optional) Select Add "create volume" permissions to the following associated snapshots when creating permissions to also let the specified AWS account create volumes from the snapshots that back the image. Launching instances from a shared AMI does not require this; it is only needed if the other account must copy the AMI or mount its volumes directly, and it widens what that account can read, so leave it unchecked unless it is required.
  4. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to update the launch permissions for the rest of the AMIs available in the current region.

08 Change the AWS region to repeat the entire process for the other regions.

Case A: To restrict public access to your AMIs and make them private using the AWS CLI, perform the following:

Using AWS CLI

01 Run the modify-image-attribute command (OSX/Linux/UNIX) using the image ID as identifier (see the Audit section for how to get your AMI IDs) to remove the "all" group from the AMI launch permissions and make the image private (the command does not produce an output). Any launch permissions already granted to specific accounts are left in place, and the createVolume permissions of the snapshots behind the image are not changed:

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

02 Repeat step no. 1 to restrict public access to the rest of the AMIs available in the current region.

03 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS accounts using the AWS CLI, perform the following:

Using AWS CLI

01 Run the reset-image-attribute command (OSX/Linux/UNIX) using the image ID as identifier to reset the AMI launch permissions to private (the command does not return an output). This removes every existing launch permission, the public "all" group as well as any accounts the image was previously shared with, so each account that should keep access must be added again in the next step:

aws ec2 reset-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--attribute launchPermission

02 Now run the modify-image-attribute command (OSX/Linux/UNIX) to update the AMI launch permissions and share the image with a specific AWS account, identified by its 12-digit account ID (the command does not return an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--launch-permission "{\"Add\":[{\"UserId\":\"355366855517\"}]}"

03 Repeat steps no. 1 – 2 to update the launch permissions for the rest of the AMIs available in the current region.

04 Change the AWS region to repeat the entire process for the other regions.
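Both CLI cases above, plus the verification step and the snapshot check that the page's steps do not cover, can be combined in one script. This is an added example, not code from the Cloud Conformity page. It assumes the AWS CLI is installed with credentials allowing ec2:DescribeImages, ec2:DescribeImageAttribute, ec2:ModifyImageAttribute, ec2:DescribeSnapshotAttribute and ec2:ModifySnapshotAttribute; the region, image ID and account IDs are passed as arguments and the file name is arbitrary. Making an AMI private does not touch the createVolumePermission of the EBS snapshots behind it, and a snapshot still shared with group "all" can be turned into a volume and read by any AWS account, so the script closes that hole too.

```shell
#!/usr/bin/env sh
# Added example, not from the Cloud Conformity page: make an AMI private,
# optionally re-share it with named accounts, verify the result, and close
# the snapshot-side exposure that the AMI steps alone leave open.
# Assumes the AWS CLI is installed with credentials allowing
# ec2:DescribeImages, ec2:DescribeImageAttribute, ec2:ModifyImageAttribute,
# ec2:DescribeSnapshotAttribute and ec2:ModifySnapshotAttribute.

# Build the --launch-permission JSON for a list of 12-digit account IDs.
# A malformed ID is rejected rather than sent: a typo here would silently
# share the image with someone else's account.
launch_permission_add_json() {
  out='{"Add":['
  sep=''
  for id in "$@"; do
    case "$id" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) echo "refusing malformed AWS account ID: $id" >&2; return 1 ;;
    esac
    out="$out$sep{\"UserId\":\"$id\"}"
    sep=','
  done
  printf '%s]}' "$out"
}

# Case A: drop the "all" group. Per-account grants already on the image
# are left untouched (reset-image-attribute would remove them all).
make_ami_private() {
  aws ec2 modify-image-attribute --region "$1" --image-id "$2" \
    --launch-permission '{"Remove":[{"Group":"all"}]}'
}

# Case B: private first, then grant exactly the accounts given.
share_ami_with_accounts() {
  region="$1"; image="$2"; shift 2
  perms=$(launch_permission_add_json "$@") || return 1
  make_ami_private "$region" "$image"
  aws ec2 modify-image-attribute --region "$region" --image-id "$image" \
    --launch-permission "$perms"
}

# Verify: print the launch permissions now on the image, one per line as
# "Group<TAB>UserId" (the CLI prints absent fields as None in text mode).
# A line starting with "all" means the image is still public.
show_launch_permissions() {
  aws ec2 describe-image-attribute --region "$1" --image-id "$2" \
    --attribute launchPermission \
    --query 'LaunchPermissions[*].[Group,UserId]' --output text
}

# The EBS snapshots behind an EBS-backed image (instance-store mappings
# have no Ebs block and are dropped by the projection).
ami_snapshot_ids() {
  aws ec2 describe-images --region "$1" --image-ids "$2" \
    --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId' --output text
}

# Remove the public createVolumePermission from every snapshot behind the
# image; per-account snapshot grants are left as they are.
make_snapshots_private() {
  region="$1"; image="$2"
  for snap in $(ami_snapshot_ids "$region" "$image"); do
    [ "$snap" = "None" ] && continue
    groups=$(aws ec2 describe-snapshot-attribute --region "$region" \
      --snapshot-id "$snap" --attribute createVolumePermission \
      --query 'CreateVolumePermissions[*].Group' --output text)
    case " $groups " in
      *" all "*)
        echo "snapshot $snap is public; removing group all" >&2
        aws ec2 modify-snapshot-attribute --region "$region" --snapshot-id "$snap" \
          --attribute createVolumePermission --operation-type remove --group-names all ;;
    esac
  done
}

# Usage:  sh remediate-ami.sh REGION AMI_ID [ACCOUNT_ID ...]
# No account IDs: the image is made private (Case A). With account IDs: it
# is made private and then shared with just those accounts (Case B).
if [ "$#" -ge 2 ]; then
  region="$1"; image="$2"; shift 2
  if [ "$#" -eq 0 ]; then
    make_ami_private "$region" "$image"
  else
    share_ami_with_accounts "$region" "$image" "$@" || exit 1
  fi
  make_snapshots_private "$region" "$image"
  show_launch_permissions "$region" "$image"
fi
```

For example, `sh remediate-ami.sh us-east-1 ami-3fad5252` reproduces Case A and `sh remediate-ami.sh us-east-1 ami-3fad5252 355366855517` reproduces Case B; in both cases the final describe-image-attribute output should contain no line beginning with "all". Remember that remediation only stops future access: copies that other accounts made while the image was public remain in their accounts, so any credentials that were baked into the image still need to be rotated.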


Publication date Jun 4, 2016