App-Tier Publicly Shared AMI
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that none of the Amazon Machine Images (AMIs) created within your app tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary applications, personal data and configuration information that can be used to exploit or compromise running EC2 instances available in your app tier. This conformity rule assumes that all AWS resources within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured within the rule settings, on the Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you make your app-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to create a replica of the original EC2 instances. Usually your app-tier AMIs will contain snapshots of your applications (including their data), therefore sharing your images in this way can allow malicious users to identify weaknesses in the utilization and configuration of these applications, or even steal your applications data.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To identify app-tier AMIs that are currently accessible to all other AWS accounts, perform the following actions:
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for AWS resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the left navigation panel, under IMAGES, choose AMIs.
05 Select Owned by me option from the dropdown menu next to the filter box.
06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the AMIs tagged for the app tier. If no results are returned, there is no AMI tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more images, continue with the next step.
07 Select the app-tier AMI that you want to examine.
08 Select the Permissions tab from the dashboard bottom panel and check the launch permissions set for the image. If the selected app-tier Amazon Machine Image (AMI) is publicly shared, the AWS EC2 dashboard will display the following status: "This image is currently Public.".
09 Repeat step no. 7 and 8 to verify other AMIs created for your app tier in the selected AWS region.
10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.
11 Repeat steps no. 1 – 10 to identify publicly shared AMIs created for other app tiers available in your AWS account.
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for AWS resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run describe-images command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filter parameters to describe all app-tier AMIs that are publicly shared, available in the selected AWS region:
aws ec2 describe-images
--region us-east-1
--owners self
--filters Name=tag:<app_tier_tag>,Values=<app_tier_tag_value>
--query 'Images[*].{ImageId:ImageId, Public:Public}'
03 The command request should return one of the following outputs:
[]
[
{
"ImageId": "ami-1234abcd",
"Public": true
}
]
04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to perform the audit process for other regions.
05 Repeat steps no. 1 – 4 to identify publicly shared AMIs created for other app tiers available in your AWS account.
Case A: To make the publicly accessible app-tier AMIs private, perform the following actions:
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the left navigation panel, under IMAGES, choose AMIs.
05 Select Owned by me option from the dropdown menu next to the filter box.
06 Select the app-tier AMI that you want to make private (see Audit section part I to identify the right image).
07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected AMI.
08 In the Modify Image Permissions dialog box, select Private, then click Save.
09 Repeat steps no. 6 – 8 to change the launch permissions for other app-tier AMIs available in the selected AWS region.
10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.
11 Repeat steps no. 1 – 10 to make private the AMIs created for other app tiers available in your AWS account.
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to make private as identifier (see Audit section part II to identify the right resource) to update the image launch permissions and make it private (the command does not produce an output):
aws ec2 modify-image-attribute
--region us-east-1
--image-id ami-1234abcd
--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
03 Repeat step no. 2 to change the launch permissions for other app-tier AMIs available in the selected AWS region.
04 Change the AWS region by updating the --region command parameter value and repeat step no 2 and 3 for other regions.
05 Repeat steps no. 1 – 4 to make private the AMIs created for other app tiers within your AWS account.
Case B: To block public access to your app-tier AMIs and share them only with specific (friendly) AWS accounts, perform the following actions:
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the left navigation panel, under IMAGES, choose AMIs.
05 Select Owned by me option from the dropdown menu next to the filter box.
06 Select the app-tier Amazon Machine Image that you want to share with specific AWS accounts.
07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected AMI.
08 In the Modify Image Permissions dialog box, perform the following:
09 Repeat steps no. 6 – 8 to change the launch permissions for other app-tier AMIs created in the selected AWS region.
10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.
11 Repeat steps no. 1 – 10 to share the AMIs created for other app tiers, with specific AWS accounts.
01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run reset-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to share with specific AWS accounts as identifier (see Audit section part II to identify the right image) to reset the resource launch permissions and remove its public access (the command does not return an output):
aws ec2 reset-image-attribute --region us-east-1 --image-id ami-1234abcd --attribute launchPermission
03 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI specified at the previous step as identifier to update the image launch permissions and make it accessible only to a specific AWS account, identified by the ID "123456789012" (the command does not produce an output):
aws ec2 modify-image-attribute
--region us-east-1
--image-id ami-1234abcd
--launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"
04 Repeat steps no. 2 and 3 to reset and change the launch permissions for other app-tier AMIs available in the selected AWS region.
05 Change the AWS region by updating the --region command parameter value and repeat steps no 2 – 4 for other regions.
06 Repeat steps no. 1 – 5 to share the AMIs created for other app tiers, with specific AWS accounts.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat