Description: 

An Amazon Machine Image (AMI) is a template that contains the software configuration (operating system, application server, and applications) required to launch your instance.

An AMI provides the information required to launch an instance. You must specify an AMI when you launch an instance.


Rationale:  

This AWS Config rule checks whether the Amazon Machine Images owned by the account are publicly accessible. The rule is NON_COMPLIANT if one or more Amazon Machine Images are publicly accessible.

 

Impact:

Amazon EC2 enables you to share your AMIs with other AWS accounts. You can allow all AWS accounts to launch the AMI (make the AMI public), or only allow a few specific accounts to launch the AMI (see Sharing an AMI with Specific AWS Accounts). You are not billed when your AMI is launched by other AWS accounts; only the accounts launching the AMI are billed.


Default value:

By default, AMIs are private.

 

Audit:  

  • Log in to the AWS Management Console

  • Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/

  • Click on AMIs in the left navigation pane 

  • Set the filter to Owned by me

  • You can see the list of AMIs available from there; under the Visibility column, check whether each AMI is Private or Public

    If the visibility shows Public, the AMI is publicly accessible and any AWS account can launch it.



Remediation:

Pre-requisites:

  1. Sign in as an admin or as an IAM user with the required permissions

  2. Before following the implementation steps, take a copy of the AMI in the same region as a backup in case of any disaster


Implementation Steps:

  • Log in to the AWS Management Console

  • Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/

  • Click on AMIs in the left navigation pane

  • Set the filter to Owned by me
  • Select the image that you want to modify
  • Click on Actions and select Modify Image Permissions
  • In the Modify Image Permissions page choose Private to make the image visible only to you; you can also share the image with a specific account by entering its account number
  • Click on Save
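The console steps in the Audit and Implementation sections can also be performed against the EC2 API. The following is an added example (not part of the original page or of any AWS tooling) that evaluates the describe-images output and launch-permission attribute for public access and builds the request that removes the "all" group; the sample image records and the boto3 usage are assumptions.

```python
"""Audit and remediate public AMIs from the EC2 API instead of the console.

Assumptions (not from the original page): boto3 is installed and credentials
with ec2:DescribeImages / ec2:ModifyImageAttribute are configured when
run_against_account() is called; the functions above it run offline.
"""
from typing import Dict, List

# Constructed sample: the shape returned by ec2.describe_images(Owners=["self"])
SAMPLE_IMAGES: List[Dict] = [
    {"ImageId": "ami-0example1", "Name": "web-base", "Public": True},
    {"ImageId": "ami-0example2", "Name": "db-base", "Public": False},
]

# Constructed sample: LaunchPermissions from
# ec2.describe_image_attribute(ImageId=..., Attribute="launchPermission")
SAMPLE_LAUNCH_PERMS: Dict[str, List[Dict]] = {
    "ami-0example1": [{"Group": "all"}, {"UserId": "111111111111"}],
    "ami-0example2": [{"UserId": "222222222222"}],
}


def public_image_ids(images: List[Dict]) -> List[str]:
    """Return the ImageIds whose Public flag is set (Visibility = Public)."""
    return [img["ImageId"] for img in images if img.get("Public")]


def is_public(launch_permissions: List[Dict]) -> bool:
    """An AMI is public when its launch permissions contain Group 'all';
    entries carrying only a UserId are account-specific shares."""
    return any(p.get("Group") == "all" for p in launch_permissions)


def revoke_public_request(image_id: str) -> Dict:
    """Build the ModifyImageAttribute parameters that drop the 'all' group,
    the API equivalent of choosing Private in Modify Image Permissions.
    Account-specific shares (UserId entries) are left in place."""
    return {
        "ImageId": image_id,
        "LaunchPermission": {"Remove": [{"Group": "all"}]},
    }


def run_against_account(region: str, remediate: bool = False) -> List[str]:
    """Live check (and optional fix) for one region; needs boto3 and credentials."""
    import boto3  # imported here so the offline helpers need no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    images = ec2.describe_images(Owners=["self"])["Images"]
    public = public_image_ids(images)
    if remediate:
        for image_id in public:
            ec2.modify_image_attribute(**revoke_public_request(image_id))
    return public
```

Run the check in every region you use; AMIs and their permissions are regional, and the console filter Owned by me only shows the region currently selected.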


Backout plan:

To revert the change (set the image back to Public), follow the implementation steps and choose Public.


Reference:

Amazon Machine Images (AMI) - Amazon Elastic Compute Cloud