Description:
Amazon EC2 enables you to share your AMIs with other AWS accounts. You can allow all AWS accounts to launch the AMI (make the AMI public), or only allow a few specific accounts to launch the AMI (see Sharing an AMI with Specific AWS Accounts). You are not billed when your AMI is launched by other AWS accounts; only the accounts launching the AMI are billed.
Rationale:
It is important to keep Amazon Machine Images (AMIs), and the EC2 instances launched from them, no older than 6 months. An instance whose launch time is more than 6 months old has been running on the same image, kernel and underlying host for that long and is likely to carry unpatched exposure. Stopping and starting such an instance moves it to a current host and resets its launch time; it does not patch the guest operating system, so this control should be paired with OS patching or with relaunching the instance from a current AMI.
Default value:
By default an AMI is private: only the owning account can launch instances from it. Each AMI has a launch permission property that controls which AWS accounts, besides the owner, are allowed to use that AMI to launch instances. By modifying the launch permission property of an AMI, you can make the AMI public (which grants launch permissions to all AWS accounts) or share it with only the AWS accounts that you specify.
Pre-Requisite:
- Make sure you are using an IAM identity with the ec2:DescribeInstances, ec2:StopInstances and ec2:StartInstances permissions in the regions you audit. Do not use the root account for routine operations such as this.
- After you create an AMI, you can keep it private so that only you can use it, or you can share it with a specified list of AWS accounts.
Remediation:
TEST PLAN
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Select the EC2 instance that you want to examine. The Instance state of the selected instance must be 'running' (a stopped instance receives a new launch time when it is next started).
4. Select the Details tab from the dashboard bottom panel.
5. In the right column, check the Launch time value. This is the time of the most recent start of the instance, not the time it was first created.
6. Compare the launch time with today's date to determine the instance's active age. If the active age is greater than 6 months, the instance is considered old and requires a stop and start (a reboot does not change the launch time).
7. Repeat steps 3 to 6 to verify the launch time of the other instances in the current region.
8. Change the AWS region from the navigation bar and repeat the audit process for the other regions.
CLI COMMANDS
This command returns the launch time (the time of the most recent start) of a single instance:
aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids i-0c41af2ddee0308d6 \
    --query 'Reservations[*].Instances[*].LaunchTime'
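The CLI command above checks one instance at a time. The following script is an added example (not part of this page or of AWS's tooling) that applies the same test to every running instance, and optionally to every enabled region through boto3. The age check is a pure function over the "Reservations" list that describe-instances returns, so it is shown running on a constructed sample response; the instance IDs, timestamps and the 180-day approximation of "6 months" are assumptions for the example.

```python
"""Find running EC2 instances whose launch time is older than a threshold.

Added example for this page, not AWS code. The core check is pure so it can
run on a constructed describe-instances response; audit_all_regions() runs
the same check live and needs boto3 plus credentials.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 180  # the page's "6 months", approximated as 180 days (assumption)


def parse_launch_time(value):
    """Accept the ISO-8601 string the CLI prints or the datetime boto3 returns."""
    if isinstance(value, datetime):
        dt = value
    else:
        # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # EC2 reports UTC; treat naive values the same way
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def find_stale_instances(reservations, now=None, max_age_days=MAX_AGE_DAYS):
    """Return [(instance_id, age_days)] for running instances older than max_age_days.

    `reservations` is the "Reservations" list from describe-instances.
    Only running instances count, as in the page's test plan: a stopped
    instance gets a fresh LaunchTime when it is next started.
    """
    now = now or datetime.now(timezone.utc)
    stale = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            age = now - parse_launch_time(inst["LaunchTime"])
            if age > timedelta(days=max_age_days):
                stale.append((inst["InstanceId"], age.days))
    # oldest first, so the worst offenders are at the top of the report
    return sorted(stale, key=lambda item: item[1], reverse=True)


# Constructed sample in the shape of `aws ec2 describe-instances` JSON output.
# Instance IDs and timestamps are made up for this example.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
         "LaunchTime": "2023-01-15T00:00:00+00:00"},   # 351 days before SAMPLE_NOW
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
         "LaunchTime": "2023-11-20T00:00:00Z"},        # 42 days, still fresh
    ]},
    {"Instances": [
        # stopped: ignored, its LaunchTime resets on the next start
        {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "stopped"},
         "LaunchTime": "2022-06-01T00:00:00+00:00"},
    ]},
]
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def audit_all_regions(max_age_days=MAX_AGE_DAYS):
    """Run the check live in every enabled region (requires boto3 and credentials)."""
    import boto3  # imported here so the pure check above works without it
    results = {}
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for region in regions:
        client = boto3.client("ec2", region_name=region)
        reservations = []
        paginator = client.get_paginator("describe_instances")
        for page in paginator.paginate(
                Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
            reservations.extend(page["Reservations"])
        stale = find_stale_instances(reservations, max_age_days=max_age_days)
        if stale:
            results[region] = stale
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_all_regions()
    # instead when credentials are available.
    for instance_id, days in find_stale_instances(SAMPLE_RESERVATIONS, SAMPLE_NOW):
        print(f"{instance_id} has been running for {days} days (limit {MAX_AGE_DAYS})")
```

Run stand-alone it reports only i-0aaaaaaaaaaaaaaa1; the stopped instance is skipped even though its launch time is the oldest, because its age will be reset the moment it is started.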
Implementation steps:
To refresh the launch time of an old instance using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Scroll across the instance list to the Launch time column; it shows the date on which each instance was last started.
4. Select the instance whose launch time is older than 6 months.
5. Click the Instance state dropdown button in the dashboard top menu and click Stop instance.
6. Confirm the stop when prompted, then wait until the Instance state shows Stopped.
7. From the same Instance state dropdown, click Start instance. The launch time is reset to the time of this start.
8. Verify that the instance's data is intact. EBS volumes persist across a stop and start; instance store volumes are erased.
Note: A stop and start alone does not patch the guest operating system. To actually bring an old instance up to date, apply OS updates or replace it with an instance launched from a current AMI.
Note: You can add or remove account IDs from the list of accounts that have launch permissions for an AMI. To make the AMI public, specify the all group. You can specify both public and explicit launch permissions.
CLI COMMANDS
To stop the instance
aws ec2 stop-instances \
    --region us-east-1 \
    --instance-ids i-0c41af2ddee0308d6
To start the instance again, which resets its launch time
aws ec2 start-instances \
    --region us-east-1 \
    --instance-ids i-0c41af2ddee0308d6
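The two CLI calls above must be run in order, with the instance fully stopped before it is started, and the result should be checked rather than assumed. The following added example (not part of this page or of AWS's tooling) performs the stop and start with boto3 waiters, confirms that the launch time advanced, and records the public IP before and after because the address can change. The EC2 client is passed in, so the function runs against a constructed in-memory fake here; with real credentials it takes boto3.client("ec2", region_name=...). The FakeEC2 class, its instance ID, timestamps and addresses are assumptions for the example.

```python
"""Stop and start an EC2 instance to reset its launch time, and verify it.

Added example for this page, not AWS code. The client is injected so the
logic can be exercised offline against FakeEC2 (constructed below); with
boto3 pass boto3.client("ec2", region_name="us-east-1") instead.
"""
from datetime import datetime, timezone


def _as_utc(value):
    """Normalise a LaunchTime (CLI string or boto3 datetime) to an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value.astimezone(timezone.utc)


def describe_one(ec2, instance_id):
    """Return the instance dict for a single instance ID."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]


def refresh_instance(ec2, instance_id):
    """Stop, wait, start, wait; return launch time and public IP before and after.

    Raises RuntimeError if the instance is not running to begin with, or if
    the launch time did not advance (a reboot, unlike a stop and start, does
    not change LaunchTime, so this catches the wrong action being taken).
    """
    before = describe_one(ec2, instance_id)
    if before["State"]["Name"] != "running":
        raise RuntimeError(f"{instance_id} is {before['State']['Name']}, expected running")

    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2.start_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])

    after = describe_one(ec2, instance_id)
    if _as_utc(after["LaunchTime"]) <= _as_utc(before["LaunchTime"]):
        raise RuntimeError(f"LaunchTime for {instance_id} did not advance")
    ip_before, ip_after = before.get("PublicIpAddress"), after.get("PublicIpAddress")
    return {
        "instance_id": instance_id,
        "launch_time_before": _as_utc(before["LaunchTime"]),
        "launch_time_after": _as_utc(after["LaunchTime"]),
        "public_ip_before": ip_before,
        "public_ip_after": ip_after,
        # an automatically assigned public IPv4 is released on stop and a new
        # one assigned on start; flag it so DNS and firewall rules get updated
        "public_ip_changed": ip_before != ip_after,
    }


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client, for running this offline.

    It mimics the state transitions the real service goes through: the public
    IP is dropped on stop, and a new LaunchTime and IP appear on start.
    """
    NEW_LAUNCH_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed
    NEW_PUBLIC_IP = "203.0.113.20"                                # assumed

    def __init__(self, instance_id, launch_time, public_ip, state="running"):
        self.instance_id, self.launch_time, self.public_ip = instance_id, launch_time, public_ip
        self.state = state
        self.calls = []  # order of API calls, for checking the procedure

    def describe_instances(self, InstanceIds):
        inst = {"InstanceId": self.instance_id, "State": {"Name": self.state},
                "LaunchTime": self.launch_time}
        if self.public_ip:
            inst["PublicIpAddress"] = self.public_ip
        return {"Reservations": [{"Instances": [inst]}]}

    def stop_instances(self, InstanceIds):
        self.calls.append("stop")
        self.state = "stopping"

    def start_instances(self, InstanceIds):
        self.calls.append("start")
        self.state = "pending"

    def get_waiter(self, name):
        fake = self

        class Waiter:
            def wait(self, InstanceIds):
                fake.calls.append(name)
                if name == "instance_stopped":
                    fake.state, fake.public_ip = "stopped", None
                else:
                    fake.state = "running"
                    fake.launch_time = fake.NEW_LAUNCH_TIME
                    fake.public_ip = fake.NEW_PUBLIC_IP
        return Waiter()


if __name__ == "__main__":
    fake = FakeEC2("i-0c41af2ddee0308d6", "2023-06-01T00:00:00+00:00", "198.51.100.10")
    print(refresh_instance(fake, "i-0c41af2ddee0308d6"))
```

The returned dictionary is what you would attach to the change record: it proves the launch time moved and tells you whether anything that pinned the old public address needs to be updated. Attach an Elastic IP first if the address must survive.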
BACKOUT PLAN
Stopping and starting an instance migrates it to a different underlying host, so there is no way to return it to the previous virtual machine. The private IP address and any Elastic IP address are retained. An automatically assigned public IPv4 address is released on stop and a different one is assigned on start, so update any DNS records, firewall rules or allow lists that reference it. Data on EBS volumes is retained; data on instance store volumes is lost, so back it up before stopping.
REFERENCES:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html