Ensure that your Amazon Machine Images (AMIs) can be launched only by trusted (friendly) AWS accounts, so that unauthorized users cannot gain access to sensitive information: an AMI can contain proprietary applications, personal data and configuration information (which may include credentials or keys) that could be used to exploit or compromise the EC2 instances launched from it within your AWS account. Before the Cloud Conformity engine runs this rule, the list of friendly AWS account IDs must be configured in the rule settings on the Cloud Conformity account dashboard.
Allowing unknown cross-account access to your Amazon Machine Images authorizes users in untrusted AWS accounts to launch EC2 instances from your AMIs and to inspect their contents. The worst case is a public AMI, i.e. one whose launch permission is granted to the `all` group, which any AWS account can launch.
Audit
To determine if there are any AMIs configured to allow unknown cross-account access available in your AWS account, perform the following:
Remediation / Resolution
To update your AMI permissions so that only trusted (friendly) AWS accounts are authorized to launch EC2 instances from your images, perform the following actions:
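The following script is an added example, not Cloud Conformity's own code or its knowledge-base steps. It implements the audit and the remediation described above with the operations listed under References, called through boto3: list the AMIs owned by the account (describe-images with owner self), read each image's launchPermission attribute (describe-image-attribute), flag every launch permission that is not a trusted account ID (this also catches the public `all` group and organization shares), and build the `Remove` list that modify-image-attribute needs to revoke them. The trusted account IDs and the sample launch-permission data are placeholders constructed for the example; the live AWS calls are kept in separate functions so the checking logic runs offline.

```python
"""Audit and remediate AMI launch permissions (added example, not
Cloud Conformity's code). Uses the same API operations the page
references: describe-images, describe-image-attribute and
modify-image-attribute. Live AWS calls import boto3 on demand, so the
checking logic below runs offline against the constructed sample data.
"""
import json

# Trusted (friendly) AWS account IDs: placeholders, not real accounts.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed sample: the LaunchPermissions lists that
# `describe-image-attribute --attribute launchPermission` would return
# for three images owned by this account (placeholder image IDs).
SAMPLE_LAUNCH_PERMISSIONS = {
    "ami-0123456789abcdef0": [
        {"UserId": "111111111111"},   # trusted
        {"UserId": "333333333333"},   # not in the trusted list
    ],
    "ami-0fedcba9876543210": [
        {"Group": "all"},             # public AMI: anyone can launch it
        {"UserId": "222222222222"},   # trusted
    ],
    "ami-0aaaaaaaaaaaaaaaa": [],      # private, owner only: compliant
}


def audit_launch_permissions(permissions, trusted_accounts):
    """Return the untrusted launch-permission entries for one AMI.

    Every entry that is not a trusted 12-digit account ID is untrusted:
    the public group ("all"), unknown account IDs, and organization or
    organizational-unit shares (OrganizationArn / OrganizationalUnitArn).
    The entries are returned unchanged so they can be passed straight
    back to modify-image-attribute as a Remove list.
    """
    return [e for e in permissions if e.get("UserId") not in trusted_accounts]


def remediation_plan(all_permissions, trusted_accounts):
    """Map each non-compliant AMI ID to the LaunchPermission argument
    that revokes its untrusted grants; compliant AMIs are omitted."""
    plan = {}
    for image_id, perms in all_permissions.items():
        untrusted = audit_launch_permissions(perms, trusted_accounts)
        if untrusted:
            plan[image_id] = {"Remove": untrusted}
    return plan


def fetch_launch_permissions(region_name):
    """Live audit: launch permissions of every AMI owned by this account
    (describe-images Owners=self, then describe-image-attribute per image).
    Requires boto3 and AWS credentials; not used by the offline sample."""
    import boto3  # imported here so the offline logic has no dependency
    ec2 = boto2 = boto3.client("ec2", region_name=region_name)
    result = {}
    for image in ec2.describe_images(Owners=["self"])["Images"]:
        attr = ec2.describe_image_attribute(
            ImageId=image["ImageId"], Attribute="launchPermission")
        result[image["ImageId"]] = attr.get("LaunchPermissions", [])
    return result


def apply_remediation(region_name, plan):
    """Live remediation: revoke the grants collected by remediation_plan
    with modify-image-attribute. Trusted grants are left untouched."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    for image_id, launch_permission in plan.items():
        ec2.modify_image_attribute(
            ImageId=image_id, LaunchPermission=launch_permission)


if __name__ == "__main__":
    # Offline run over the constructed sample: prints the two AMIs that
    # would need their launch permissions changed, and what to remove.
    plan = remediation_plan(SAMPLE_LAUNCH_PERMISSIONS, TRUSTED_ACCOUNTS)
    print(json.dumps(plan, indent=2))
```

Against live data, run `remediation_plan(fetch_launch_permissions(region), TRUSTED_ACCOUNTS)` per region (AMIs are regional), review the plan, then pass it to `apply_remediation`. Removing the `all` group makes a public AMI private again; the image owner keeps the ability to launch it regardless of the launch permissions.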
References
- AWS Documentation
  - Amazon Machine Images (AMI)
  - Shared AMIs
  - Sharing an AMI with Specific AWS Accounts
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-image-attribute
    - describe-images
    - modify-image-attribute
Check for Untrusted AMI Cross-Account Access
Risk level: High