Publicly Shared Web-Tier AMIs


Risk level: High (not acceptable risk)

Ensure that none of the Amazon Machine Images (AMIs) created within your web tier are publicly shared with other AWS accounts, in order to avoid exposing sensitive information: these images can contain proprietary web applications, personal data and configuration details that could be used to exploit or compromise the running EC2 instances in your web tier. This conformity rule assumes that all AWS resources (including AMIs) within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be configured in the rule settings on the Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When you make your web-tier AMIs accessible to all other AWS accounts, you allow anyone with an AWS account to launch a complete replica of the original EC2 instances. Most of the time your web-tier AMIs will contain snapshots of your web applications (including their data), so sharing your images in this manner can allow malicious users to identify weaknesses in the use and configuration of these applications, or even steal your data. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To identify any publicly shared web-tier AMIs within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the AMIs tagged for the web tier. If no results are returned, there is no AMI tagged within your web tier and the audit process concludes here. If the EC2 dashboard lists one or more images, continue the audit process with the next step.

07 Select the web-tier AMI that you want to examine.

08 Select the Permissions tab from the dashboard bottom panel and check the launch permissions set for the image. If the selected web-tier Amazon Machine Image (AMI) is publicly shared, the AWS EC2 dashboard will display the following status: "This image is currently Public.".

09 Repeat steps no. 7 and 8 to verify other AMIs created for your web tier in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

11 Repeat steps no. 1 – 10 to identify publicly shared AMIs created for other web tiers available in your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-images command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filter parameters to list the web-tier AMIs available in the selected AWS region together with their Public attribute:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> \
	--query 'Images[*].{ImageId:ImageId, Public:Public}'

03 The command request should return one of the following outputs:

  1. If the describe-images command output returns an empty array (i.e. []), as shown in the example below, there are no AWS AMIs available within your web tier and the audit process concludes here:
    []
    
  2. If the command output returns an array that contains the ID(s) of the web-tier AMI(s) and the information that indicates whether the image is public or private, as shown in the example below, check the "Public" attribute value. If the specified attribute value for the AMI resource that you want to examine is set to true, the selected web-tier Amazon Machine Image (AMI) is publicly shared with other AWS accounts:
    [
        {
            "ImageId": "ami-abcd1234",
            "Public": true
        }
    ]
    

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 to perform the audit process for other regions.

05 Repeat steps no. 1 – 4 to identify publicly shared AMIs created for other web tiers available in your AWS account.

Remediation / Resolution

Case A: To make the publicly shared AMIs, available within your web tier, private, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tag set defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Select the web-tier AMI that you want to make private (see Audit section part I to identify the right resource).

07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected image.

08 In the Modify Image Permissions dialog box, select Private, then click Save.

09 Repeat steps no. 6 – 8 to change the launch permissions to private for other web-tier AMIs available in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.

11 Repeat steps no. 1 – 10 to make private the AMIs created for other web tiers available in your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tag set defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI that you want to make private as the identifier (see Audit section part II to identify the right AMI) to remove the "all" group from the image launch permissions and make it private (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-abcd1234 \
	--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

03 Repeat step no. 2 to change the launch permissions for other web-tier AMIs available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 for other regions.

05 Repeat steps no. 1 – 4 to make private the AMIs created for other web tiers within your AWS account.

Case B: To restrict public access to your web-tier AMIs and share them with specific AWS accounts only, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tags defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Select the web-tier Amazon Machine Image that you want to share only with specific AWS accounts.

07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected image.

08 In the Modify Image Permissions dialog box, perform the following actions:

  1. Select Private to make the image private.
  2. In the AWS Account Number box, enter the ID number (e.g. 123456789012) of the AWS account with which you want to share the selected image, then click Add Permission.
  3. (Optional) Select Add "create volume" permissions to the following associated snapshots when creating permissions to provide the specified AWS account the capability to create EBS volumes from the associated snapshots.
  4. Click Save to apply the changes.

09 Repeat steps no. 6 – 8 to change the launch permissions for other web-tier AMIs created in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.

11 Repeat steps no. 1 – 10 to share the AMIs created for other web tiers, with specific AWS accounts.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for Publicly Shared Web-Tier AMIs conformity rule settings and copy the tags defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run reset-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI that you want to share with specific AWS accounts as the identifier (see Audit section part II to identify the right image) to reset the resource launch permissions to their default and remove its public access. Note that the reset also removes any account-specific launch permissions previously granted to the image, so every account that should keep access must be added again at the next step (the command does not return an output):

aws ec2 reset-image-attribute \
	--region us-east-1 \
	--image-id ami-abcd1234 \
	--attribute launchPermission

03 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the web-tier AMI specified at the previous step as the identifier to update the image launch permissions and make it accessible only to a specific (friendly) AWS account, identified by the ID "123456789012" (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-abcd1234 \
	--launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"

04 Repeat steps no. 2 and 3 to reset and change the launch permissions for other web-tier AMIs available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 4 for other regions.

06 Repeat steps no. 1 – 5 to share the AMIs created for other web tiers, with specific AWS accounts.
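As an added example (not part of this Cloud Conformity page), the following Python script reproduces the audit check from the Audit section over a constructed describe-images sample and computes, for Case A and Case B above, the exact Add/Remove launch-permission payload that modify-image-attribute needs; remediate_image assumes a boto3 EC2 client supplied by the caller, and the tag constants are the same placeholders as in the rule text.

```python
from typing import Dict, List

# Placeholders as in the rule text: replace with the tag from the rule settings.
WEB_TIER_TAG = "<web_tier_tag>"
WEB_TIER_TAG_VALUE = "<web_tier_tag_value>"

# Constructed sample of describe-images 'Images' output (not real data), offline input.
SAMPLE_IMAGES = [
    {"ImageId": "ami-abcd1234", "Public": True,
     "Tags": [{"Key": WEB_TIER_TAG, "Value": WEB_TIER_TAG_VALUE}]},
    {"ImageId": "ami-0000ffff", "Public": False,
     "Tags": [{"Key": WEB_TIER_TAG, "Value": WEB_TIER_TAG_VALUE}]},
    {"ImageId": "ami-11112222", "Public": True, "Tags": [{"Key": "Tier", "Value": "db"}]},
]

def has_web_tier_tag(image: Dict) -> bool:
    """True when the image carries the web-tier tag name/value pair."""
    return any(t.get("Key") == WEB_TIER_TAG and t.get("Value") == WEB_TIER_TAG_VALUE
               for t in image.get("Tags", []))

def public_web_tier_images(images: List[Dict]) -> List[str]:
    """Audit: IDs of web-tier AMIs whose Public attribute is true (the rule's finding)."""
    return [i["ImageId"] for i in images if i.get("Public") and has_web_tier_tag(i)]

def launch_permission_change(current: List[Dict], allowed_accounts: List[str]) -> Dict:
    """Remediation: from an image's LaunchPermissions (describe-image-attribute) build the
    Add/Remove payload for modify-image-attribute that leaves only the allowed accounts.
    Empty allow-list = Case A (private); non-empty = Case B. Unlike reset-image-attribute
    this keeps shares already on the allow-list instead of dropping and re-adding them."""
    allowed = set(allowed_accounts)
    remove = [p for p in current
              if p.get("Group") == "all" or ("UserId" in p and p["UserId"] not in allowed)]
    present = {p["UserId"] for p in current if "UserId" in p}
    add = [{"UserId": acct} for acct in allowed_accounts if acct not in present]
    change: Dict = {}
    if remove:
        change["Remove"] = remove
    if add:
        change["Add"] = add
    return change

def remediate_image(ec2, image_id: str, allowed_accounts: List[str]) -> Dict:
    """Apply the change through a boto3 EC2 client supplied by the caller (assumed).
    Returns the payload sent, or {} when the image already matches the allow-list."""
    attr = ec2.describe_image_attribute(ImageId=image_id, Attribute="launchPermission")
    change = launch_permission_change(attr.get("LaunchPermissions", []), allowed_accounts)
    if change:
        ec2.modify_image_attribute(ImageId=image_id, LaunchPermission=change)
    return change
```

Run public_web_tier_images over the Images list from the describe-images command in the Audit section for each region, then pass the resulting IDs to remediate_image with an empty allow-list (Case A) or the friendly account IDs (Case B).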

Publication date Mar 5, 2018