Ensure that none of the Amazon Machine Images (AMIs) created within your web tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary web applications, personal data and configuration information that can be used to exploit or compromise running EC2 instances available in your web tier. This conformity rule assumes that all AWS resources (including AMIs) within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured within the rule settings, on the Cloud Conformity account dashboard.
When you make your web-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to create a complete replica of the original EC2 instances. Most of the time your web-tier AMIs will contain snapshots of your web applications (including their data), therefore sharing your images in this manner can allow malicious users to identify weaknesses in the use and configuration of these web applications, or even steal your data. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To identify any publicly shared web-tier AMIs within your AWS account, perform the following actions:
Case A: To make the publicly shared AMIs available within your web tier private, perform the following actions:
Case B: To restrict public access to your web-tier AMIs and share them with specific AWS accounts only, perform the following:
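The identification step and both remediation cases above can be checked offline against the JSON that the AWS CLI returns. The following Python is an added example, not Cloud Conformity's own rule code or AWS code: it filters `describe-images` output on the web-tier tag, treats an AMI as public when its `launchPermission` attribute contains the `all` group, and builds the `ModifyImageAttribute` request for Case A (remove the `all` group) and Case B (remove `all`, add specific 12-digit account ids). The image ids, account ids and tag values are constructed placeholders; the `web_tier_tag` name stands in for your configured `<web_tier_tag>:<web_tier_tag_value>`.

```python
"""Audit web-tier AMIs for public launch permissions and build the remediation
request for Case A (make private) or Case B (share with specific accounts only).
All sample data below is constructed for illustration."""
import json
import re

# Placeholders standing in for the rule's <web_tier_tag>:<web_tier_tag_value>.
WEB_TIER_TAG = "web_tier_tag"
WEB_TIER_TAG_VALUE = "web_tier_tag_value"

_ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample of `aws ec2 describe-images --owners self` output,
# trimmed to the fields the check needs.
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-0a1b2c3d4e5f60001", "Name": "web-app-v1", "Public": true,
   "Tags": [{"Key": "web_tier_tag", "Value": "web_tier_tag_value"}]},
  {"ImageId": "ami-0a1b2c3d4e5f60002", "Name": "web-app-v2", "Public": false,
   "Tags": [{"Key": "web_tier_tag", "Value": "web_tier_tag_value"}]},
  {"ImageId": "ami-0a1b2c3d4e5f60003", "Name": "batch-worker", "Public": true,
   "Tags": [{"Key": "tier", "Value": "batch"}]}
]}""")

# Constructed sample of `aws ec2 describe-image-attribute --attribute launchPermission`
# output, keyed by image id. An entry {"Group": "all"} is what makes an AMI public.
SAMPLE_LAUNCH_PERMISSIONS = {
    "ami-0a1b2c3d4e5f60001": {"ImageId": "ami-0a1b2c3d4e5f60001",
                              "LaunchPermissions": [{"Group": "all"}, {"UserId": "111111111111"}]},
    "ami-0a1b2c3d4e5f60002": {"ImageId": "ami-0a1b2c3d4e5f60002",
                              "LaunchPermissions": [{"UserId": "111111111111"}]},
    "ami-0a1b2c3d4e5f60003": {"ImageId": "ami-0a1b2c3d4e5f60003",
                              "LaunchPermissions": [{"Group": "all"}]},
}


def is_web_tier(image, tag=WEB_TIER_TAG, value=WEB_TIER_TAG_VALUE):
    """True when the image carries the configured web-tier tag and value."""
    return any(t.get("Key") == tag and t.get("Value") == value
               for t in image.get("Tags", []))


def is_public(launch_permission_output):
    """True when the launchPermission attribute contains the 'all' group."""
    return any(p.get("Group") == "all"
               for p in launch_permission_output.get("LaunchPermissions", []))


def audit(describe_images_output, launch_permissions_by_id,
          tag=WEB_TIER_TAG, value=WEB_TIER_TAG_VALUE):
    """Return the ids of web-tier AMIs whose launch permissions are public."""
    findings = []
    for image in describe_images_output["Images"]:
        if not is_web_tier(image, tag, value):
            continue
        perms = launch_permissions_by_id.get(image["ImageId"], {})
        # Launch permissions are authoritative; 'Public' is only a quick pre-filter.
        if is_public(perms) or (not perms and image.get("Public")):
            findings.append(image["ImageId"])
    return findings


def remediation_params(image_id, allowed_account_ids=None):
    """Build the ModifyImageAttribute request (the boto3 kwarg shape).

    Case A (no accounts): remove the 'all' group so the AMI becomes private.
    Case B (accounts given): remove 'all' and grant launch permission only to
    the listed 12-digit AWS account ids.
    """
    modification = {"Remove": [{"Group": "all"}]}
    if allowed_account_ids:
        for acct in allowed_account_ids:
            if not _ACCOUNT_ID.match(acct):
                raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
        modification["Add"] = [{"UserId": a} for a in allowed_account_ids]
    return {"ImageId": image_id, "LaunchPermission": modification}


def remediation_cli(image_id, allowed_account_ids=None):
    """Render the same change as an `aws ec2 modify-image-attribute` command."""
    params = remediation_params(image_id, allowed_account_ids)
    parts = ["Remove=[{Group=all}]"]
    if "Add" in params["LaunchPermission"]:
        users = ",".join("{UserId=%s}" % a for a in allowed_account_ids)
        parts.insert(0, f"Add=[{users}]")
    return (f"aws ec2 modify-image-attribute --image-id {image_id} "
            f"--launch-permission \"{','.join(parts)}\"")


if __name__ == "__main__":
    for ami in audit(SAMPLE_DESCRIBE_IMAGES, SAMPLE_LAUNCH_PERMISSIONS):
        print("public web-tier AMI:", ami)
        print("  Case A:", remediation_cli(ami))
        print("  Case B:", remediation_cli(ami, ["123456789012"]))
```

Run against real output by piping `aws ec2 describe-images --owners self` and one `describe-image-attribute --attribute launchPermission` call per image into the two structures. The audit keys on the launch-permission list rather than the `Public` flag alone, because the list also shows which individual accounts already hold launch permission, which is what Case B needs to review; the dict returned by `remediation_params` is the exact argument shape for boto3's `ec2.modify_image_attribute(**params)`.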