Public AMI

Ensure that none of your AMIs (Amazon Machine Images) are publicly shared

Risk Level: High

Description

This plugin checks for publicly shared AMIs (Amazon Machine Images). Accidentally exposing an AMI allows any AWS user to launch an EC2 instance using the image as a base. If sensitive data is stored in the image (credentials, keys, configuration, application code), it is exposed to anyone who launches an instance from that image. It is recommended to keep AMIs private in order to avoid unnecessary data exposure.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision or maintain the underlying hardware.

When launching an instance, you must specify an AMI. An Amazon Machine Image (AMI) provides the information, such as the operating system, installed software, and root-volume configuration, required to launch an instance. You can read more about AMI here.

Impact

AMI stands for Amazon Machine Image. To launch an instance, one can use the predefined images in AWS or create a custom AMI based on requirements.

AMIs can contain security- and privacy-critical information, such as baked-in credentials, private keys, or internal configuration. Making an image public lets anyone with an AWS account launch it and inspect that information along with its configuration. It is recommended to keep the AMIs you own restricted to private access permissions.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. From the left navigation pane, navigate to the Images section and select AMIs.
  4. This displays a list of AMIs owned by you. Select the one you want to investigate by clicking the checkbox next to it.
  5. Click the Permissions tab in the panel below the list.
  6. Check whether the image is Public or Private. A public AMI is considered vulnerable under security standards.
  7. Repeat steps 4 to 6 for all the AMIs you want to investigate.

Steps for Remediation

Follow these steps to make a public AMI private.

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. From the left navigation pane, navigate to the Images section and select AMIs.
  4. This displays a list of AMIs owned by you. Select the public AMI you want to fix by clicking the checkbox next to it.
  5. Click the Permissions tab in the panel below the list, then click the Edit button.
  6. Select the Private radio button to switch permissions back to private. Click Save to apply the change.
  7. Repeat steps 4 to 6 for all the vulnerable AMIs.
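The console steps above can be scripted for accounts with many images. The following is an added example, not part of the original plugin, that audits the JSON printed by `aws ec2 describe-images --owners self --output json` (the embedded sample is constructed), inspects the `LaunchPermissions` attribute for the `all` group that makes an image public, and emits the `aws ec2 modify-image-attribute` command that is the CLI equivalent of selecting the Private radio button. Image IDs, account IDs and the region are placeholders.

```python
"""Audit owned AMIs for public launch permissions and emit the remediation command.

Added example for this page, not code from the original plugin. Run it with no
arguments to use the constructed sample, or pipe real output in:
    aws ec2 describe-images --owners self --output json | python audit_amis.py -
"""
import json
import sys

# Constructed sample of `aws ec2 describe-images --owners self` output:
# one public image and one private image, with placeholder IDs.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-0000000000000aaaa", "Name": "web-base", "Public": True,
         "OwnerId": "111111111111", "State": "available"},
        {"ImageId": "ami-0000000000000bbbb", "Name": "db-base", "Public": False,
         "OwnerId": "111111111111", "State": "available"},
    ]
})

# Constructed sample of `aws ec2 describe-image-attribute --attribute launchPermission`
# output: shared with the `all` group (public) and with one specific account.
SAMPLE_LAUNCH_PERMISSION = json.dumps({
    "ImageId": "ami-0000000000000aaaa",
    "LaunchPermissions": [{"Group": "all"}, {"UserId": "222222222222"}],
})


def public_amis(describe_images_json: str) -> list[str]:
    """Return the IDs of owned images whose Public flag is set.

    `Public` is true exactly when the image's launch permission includes the
    `all` group, which is what the console's Permissions tab shows as Public.
    """
    data = json.loads(describe_images_json)
    return [img["ImageId"] for img in data.get("Images", []) if img.get("Public")]


def launch_permission_is_public(attribute_json: str) -> bool:
    """Return True if the launchPermission attribute grants launch to group `all`.

    Per-account shares (`UserId` entries) are not public and are left alone.
    """
    data = json.loads(attribute_json)
    return any(p.get("Group") == "all" for p in data.get("LaunchPermissions", []))


def remediation_command(image_id: str, region: str = "us-east-1") -> str:
    """Build the CLI command that removes the `all` launch-permission group.

    Removing only the `all` group mirrors the console's Private setting while
    keeping any explicit account-level shares intact.
    """
    return (
        f"aws ec2 modify-image-attribute --region {region} --image-id {image_id} "
        '--launch-permission "Remove=[{Group=all}]"'
    )


def main() -> None:
    use_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    raw = sys.stdin.read() if use_stdin else SAMPLE_DESCRIBE_IMAGES
    exposed = public_amis(raw)
    if not exposed:
        print("No public AMIs found.")
        return
    for image_id in exposed:
        print(f"PUBLIC: {image_id}")
        print(f"  fix: {remediation_command(image_id)}")


if __name__ == "__main__":
    main()
```

Run the emitted commands from a role that holds `ec2:ModifyImageAttribute`, then re-run the audit to confirm the list is empty; the audit is read-only and can be scheduled as a recurring check alongside the console review.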