App-Tier Publicly Shared AMI

Risk level: Medium (not acceptable risk)

Rule ID: EC2-068

Ensure that none of the Amazon Machine Images (AMIs) created within your app tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary applications, personal data and configuration information that can be used to exploit or compromise running EC2 instances available in your app tier. This conformity rule assumes that all AWS resources within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

General Data Protection Regulation (GDPR)
APRA
MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When you make your app-tier AMIs accessible to all other AWS accounts, you allow anyone with AWS access to create a replica of the original EC2 instances. Usually your app-tier AMIs will contain snapshots of your applications (including their data), therefore sharing your images in this way can allow malicious users to identify weaknesses in the utilization and configuration of these applications, or even steal your applications data.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To identify app-tier AMIs that are currently accessible to all other AWS accounts, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for AWS resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the AMIs tagged for the app tier. If no results are returned, there is no AMI tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more images, continue with the next step.

07 Select the app-tier AMI that you want to examine.

08 Select the Permissions tab from the dashboard bottom panel and check the launch permissions set for the image. If the selected app-tier Amazon Machine Image (AMI) is publicly shared, the AWS EC2 dashboard will display the following status: "This image is currently Public.".

09 Repeat step no. 7 and 8 to verify other AMIs created for your app tier in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

11 Repeat steps no. 1 – 10 to identify publicly shared AMIs created for other app tiers available in your AWS account.

Using AWS CLI

02 Run describe-images command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filter parameters to describe all app-tier AMIs that are publicly shared, available in the selected AWS region:

aws ec2 describe-images
	--region us-east-1
	--owners self
	--filters Name=tag:<app_tier_tag>,Values=<app_tier_tag_value>
	--query 'Images[*].{ImageId:ImageId, Public:Public}'

03 The command request should return one of the following outputs:

If the describe-images command output returns an empty array (i.e. []), as shown in the example below, there are no AWS AMIs available within your app tier and the audit process ends here:
```
[]
```
If the command output returns an array that contains the ID(s) of the app-tier AMI(s) and the information that indicates whether the image is public or private, as shown in the example below, check the "Public" attribute value. If the "Public" attribute value for the AMI resource that you want to examine is set to true, the selected app-tier Amazon Machine Image (AMI) is publicly shared with other AWS accounts:
```
[
    {
        "ImageId": "ami-1234abcd",
        "Public": true
    }
]
```

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to perform the audit process for other regions.

05 Repeat steps no. 1 – 4 to identify publicly shared AMIs created for other app tiers available in your AWS account.

Remediation / Resolution

Case A: To make the publicly accessible app-tier AMIs private, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier Publicly Shared AMI conformity rule settings and copy the tags defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Select the app-tier AMI that you want to make private (see Audit section part I to identify the right image).

07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected AMI.

08 In the Modify Image Permissions dialog box, select Private, then click Save.

09 Repeat steps no. 6 – 8 to change the launch permissions for other app-tier AMIs available in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.

11 Repeat steps no. 1 – 10 to make private the AMIs created for other app tiers available in your AWS account.

Using AWS CLI

02 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to make private as identifier (see Audit section part II to identify the right resource) to update the image launch permissions and make it private (the command does not produce an output):

aws ec2 modify-image-attribute
	--region us-east-1
	--image-id ami-1234abcd
	--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

03 Repeat step no. 2 to change the launch permissions for other app-tier AMIs available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no 2 and 3 for other regions.

05 Repeat steps no. 1 – 4 to make private the AMIs created for other app tiers within your AWS account.

Case B: To block public access to your app-tier AMIs and share them only with specific (friendly) AWS accounts, perform the following actions:

Using AWS Console

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under IMAGES, choose AMIs.

05 Select Owned by me option from the dropdown menu next to the filter box.

06 Select the app-tier Amazon Machine Image that you want to share with specific AWS accounts.

07 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the launch permissions for the selected AMI.

08 In the Modify Image Permissions dialog box, perform the following:

Select Private to make the image private.
In the AWS Account Number box, enter the ID number (e.g. 123456789012) of the AWS account with whom you want to share the selected app-tier image, then click Add Permission.
(Optional) Select Add "create volume" permissions to the following associated snapshots when creating permissions to provide the specified AWS account the capability to create EBS volumes from the associated snapshots.
Click Save to apply the changes.

09 Repeat steps no. 6 – 8 to change the launch permissions for other app-tier AMIs created in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 6 – 9 for other regions.

11 Repeat steps no. 1 – 10 to share the AMIs created for other app tiers, with specific AWS accounts.

Using AWS CLI

02 Run reset-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI that you want to share with specific AWS accounts as identifier (see Audit section part II to identify the right image) to reset the resource launch permissions and remove its public access (the command does not return an output):

aws ec2 reset-image-attribute
	--region us-east-1
	--image-id ami-1234abcd
	--attribute launchPermission

03 Run modify-image-attribute command (OSX/Linux/UNIX) using the ID of the app-tier AMI specified at the previous step as identifier to update the image launch permissions and make it accessible only to a specific AWS account, identified by the ID "123456789012" (the command does not produce an output):

aws ec2 modify-image-attribute
	--region us-east-1
	--image-id ami-1234abcd
	--launch-permission "{\"Add\":[{\"UserId\":\"123456789012\"}]}"

04 Repeat steps no. 2 and 3 to reset and change the launch permissions for other app-tier AMIs available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no 2 – 4 for other regions.

06 Repeat steps no. 1 – 5 to share the AMIs created for other app tiers, with specific AWS accounts.

References

AWS Documentation
Guidelines for Shared Linux AMIs
Making an AMI Public
Sharing an AMI with Specific AWS Accounts
CIS Amazon Web Services Foundations

AWS Command Line Interface (CLI) Documentation
ec2
describe-images
reset-image-attribute
modify-image-attribute

Publication date Mar 6, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

App-Tier Publicly Shared AMI

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related EC2 rules