Description:
An Amazon Machine Image (AMI) is a template that contains the software configuration ( operating system, application server, and applications) required to launch your instance.
AMI provides the information required to launch an instance. At launching an instance must be specified as an AMI.
Rationale:
A config rule that checks whether the Amazon Machine Images are not publicly accessible. The rule is NON_COMPLIANT if one or more Amazon Machine Images are publicly accessible.
Impact:
Amazon EC2 enables you to share your AMIs with other AWS accounts. You can allow all AWS accounts to launch the AMI (make the AMI public), or only allow a few specific accounts to launch the AMI (see Sharing an AMI with Specific AWS Accounts). You are not billed when your AMI is launched by other AWS accounts; only the accounts launching the AMI are billed.
Default value:
By default, AMIs are private.
Pre-requisites:
Sign in as admin or IAM user with required permissions
Remediation:
Test Plan:
Log in to the AWS Management Console
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on AMIs in the left navigation pane
Set the filter to Owned by me
You can see the list of AMIs available from there under the Visibility column check is it private or public
If you notice visibility is public it means AMI is publicly visible.
Before following the implementation steps you must take a copy of the AMI in the same region as a backup in case of any disaster
Using the AWS CLI:
- To check whether the image is public or not
aws ec2 describe-images \ --region us-east-1 \ --image-ids ami-1234567890EXAMPLEIf the out put shows like below then it is public
"Public": true,
- To copy the AMI
aws ec2 copy-image \ --region us-east-1 \ --name ami-name \ --source-region us-west-2 \ --source-image-id ami-066877671789bd71b \ --description "This is my copied image."
Implementation Steps:
Log in to the AWS Management Console
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on AMIs in the left navigation pane
- Set the filter to Owned by me
- Select the image that you want to modify
- Click on Actions and select Modify Image Permissions
- In the Modify Image Permissions page choose private to make image visibility only to you or you can also add another account to whom you want to share the image by entering account number
- Click on save
Using AWS CLI:
- To make an AMI private
aws ec2 modify-image-attribute \ --image-id ami-5731123e \ --launch-permission "Remove=[{Group=all}]"
Backout plan:
If you want to revoke changes that mean you want to set image as public, follow the implementation steps and choose public.
Using AWS CLI:
- To make an AMI public
aws ec2 modify-image-attribute \ --image-id ami-5731123e \ --launch-permission "Add=[{Group=all}]"
Reference:
Amazon Machine Images (AMI) - Amazon Elastic Compute Cloud