Profile Applicability:
- Level 1
Description:
Amazon EC2 allows you to make an AMI (Amazon Machine Image) public, which would make the image available to all AWS accounts. However, making an AMI public can expose organizational data, configurations, and potential vulnerabilities to unauthorized access.
To maintain security, it is critical to ensure that AMIs are not publicly available unless there is a legitimate need to share them with external parties. Publicly sharing an AMI may expose sensitive data or system configurations to the broader AWS ecosystem, potentially compromising your security posture.
Rationale:
Allowing an AMI to be publicly accessible can result in:
Exposure of sensitive organizational data: Public AMIs may contain configurations or secrets that should not be shared.
Unauthorized access to your base images, which could be modified or misused.
Increased attack surface for adversaries, as malicious actors may gain access to your AMI and attempt exploitation. By ensuring AMIs are kept private, you can control who has access to your base images and reduce the risk of unintended data exposure.
Impact:
Pros:
Improved security by ensuring that AMIs are not publicly available and accessible to unauthorized parties.
Better control over the distribution of your images, ensuring only internal teams or trusted parties can use your AMIs.
Helps prevent the accidental exposure of sensitive data contained in AMIs.
Cons:
May require additional administrative effort to ensure that only the necessary users or accounts have access to AMIs.
If AMIs need to be shared internally, you must explicitly manage permissions for AWS accounts that need access.
Default Value:
By default, AMIs are private when created by an AWS account. However, it is possible for users to accidentally or intentionally make AMIs public, exposing them to all AWS accounts.
Pre-requisites:
AWS IAM permissions to view, modify, and manage AMI permissions:
ec2:DescribeImages, ec2:ModifyImageAttribute, ec2:CopyImage, ec2:CreateImage, ec2:DeregisterImage
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 Console at AWS EC2 Console.
In the left pane, under Images, click on AMIs.
Ensure that the filter Owned by me is set.
Select an AMI from the list.
Click on the Permissions tab.
Check if the message "This image is currently Public" appears. If it does, this AMI is publicly accessible, and it must be set to private.
Using AWS CLI:
Run the following command to list AMIs with public permissions:
aws ec2 describe-images --region <region> --filter "Name=launch-permission,Values=all"
Review the AMI IDs that are marked as publicly accessible.
Implementation Plan:
Using AWS Console:
Log in to the EC2 Console at AWS EC2 Console.
In the left pane, under Images, click AMIs.
Ensure Owned by me is set.
Select the AMI that is publicly accessible.
Click on the Permissions tab and then Edit.
Select the Private radio button to restrict access.
If you need to share the AMI with specific internal AWS accounts, you can add their AWS Account Number to the Shared Accounts section.
Click Save to apply the changes.
Repeat this process for all AMIs that should not be public.
Using AWS CLI:
1. To make an AMI private, use the following command:
aws ec2 modify-image-attribute --image-id <AMI_ID> --launch-permission "Remove=[all]"
2. If you need to share the AMI with specific accounts, use the following command:
aws ec2 modify-image-attribute --image-id <AMI_ID> --launch-permission "Add=[{UserId=<AWS_ACCOUNT_ID>}]"Backout Plan:
Using AWS Console:
If the changes cause issues and need to be reverted, log in to the EC2 Console.
Go to Images and select the AMI.
In the Permissions tab, select Edit and switch the setting back to Public if needed (though this is generally not recommended).
Using AWS CLI:
To make an AMI public again (if required), use the following command:
aws ec2 modify-image-attribute --image-id <AMI_ID> --launch-permission "Add=[{Group=all}]"
References:
CIS Controls: