Description

Amazon EC2 enables you to share your AMIs with other AWS accounts. You can allow all AWS accounts to launch the AMI (make the AMI public), or only allow a few specific accounts to launch the AMI (see Sharing an AMI with Specific AWS Accounts). You are not billed when your AMI is launched by other AWS accounts; only the accounts launching the AMI are billed.


Rationale:  

This check corresponds to a config rule that verifies that Amazon Machine Images are not publicly accessible. The rule is NON_COMPLIANT if one or more Amazon Machine Images are publicly accessible.


Audit:  

To check whether an EC2 AMI is public: a public AMI appears under Community AMIs when you launch an instance in the same region using the console. It can take a short while for an AMI to be removed from Community AMIs after you make it private.


To make a public AMI private using the console

  • Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  • In the navigation pane, choose AMIs.
  • Select your AMI from the list, and then choose Actions, Modify Image Permissions.
  • Choose Private and choose Save.


Remediation: 

Each AMI has a launchPermission property that controls which AWS accounts, besides the owner's, are allowed to use that AMI to launch instances. By modifying the launchPermission property of an AMI, you can make the AMI public (which grants launch permissions to all AWS accounts) or share it with only the AWS accounts that you specify.


  • To make the AMI private, remove the all group from its launch permissions. Note that the owner of the AMI always has launch permissions and is therefore unaffected by this command.
    • aws ec2 modify-image-attribute --image-id ami-0abcdef1234567890 --launch-permission "Remove=[{Group=all}]"
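The following Python is an added example, not part of this page or of AWS's own tooling. It mirrors the audit (find AMIs whose launch permissions include the all group) and the modify-image-attribute remediation above against the boto3 EC2 client method names; the FakeEC2 class, the second AMI ID and the account ID are constructed so it runs offline.

```python
"""Audit this account's AMIs for public launch permission and remediate.

Works against any object with the boto3 EC2 client methods describe_images,
describe_image_attribute and modify_image_attribute, so the constructed
FakeEC2 below lets it run offline; for real use pass boto3.client("ec2").
"""

def is_public(image):
    # DescribeImages reports Public=True when launchPermission contains Group=all
    return bool(image.get("Public", False))

def find_public_amis(ec2):
    # NON_COMPLIANT set: every public AMI owned by this account
    resp = ec2.describe_images(Owners=["self"])
    return [img["ImageId"] for img in resp["Images"] if is_public(img)]

def remediation_request(image_id):
    # Same request as: aws ec2 modify-image-attribute --image-id <id>
    #   --launch-permission "Remove=[{Group=all}]"
    # Only the public grant goes; the owner and explicit account grants stay.
    return {"ImageId": image_id,
            "LaunchPermission": {"Remove": [{"Group": "all"}]}}

def make_private(ec2, image_id):
    # Remove the 'all' group, then verify by re-reading the launchPermission attribute
    ec2.modify_image_attribute(**remediation_request(image_id))
    attr = ec2.describe_image_attribute(ImageId=image_id, Attribute="launchPermission")
    return not any(p.get("Group") == "all" for p in attr["LaunchPermissions"])

class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'); IDs below are sample values."""
    def __init__(self):
        self.perms = {
            "ami-0abcdef1234567890": [{"Group": "all"}],            # public
            "ami-0fedcba9876543210": [{"UserId": "111122223333"}],  # shared with one account
        }

    def describe_images(self, Owners):
        return {"Images": [{"ImageId": i, "Public": {"Group": "all"} in ps}
                           for i, ps in self.perms.items()]}

    def describe_image_attribute(self, ImageId, Attribute):
        return {"ImageId": ImageId, "LaunchPermissions": list(self.perms[ImageId])}

    def modify_image_attribute(self, ImageId, LaunchPermission):
        for grant in LaunchPermission.get("Remove", []):
            self.perms[ImageId] = [p for p in self.perms[ImageId] if p != grant]
        return {}
```

Running find_public_amis followed by make_private on each result is the scripted equivalent of the console and CLI steps above, and the re-read of launchPermission confirms the account-specific share is left intact.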

Reference: