Profile Applicability:
Level 1
Description:
This control ensures that Amazon Machine Images (AMIs) in your AWS account are not publicly shared. A public AMI can be discovered, copied, and launched by any AWS account, potentially exposing sensitive system configurations, credentials, or proprietary software baked into the image. Keeping AMIs private maintains control over your compute images and prevents data or configuration leaks.
Rationale:
Publicly available AMIs can unintentionally expose sensitive information, such as hardcoded credentials, software license keys, or internal configurations. Restricting AMI visibility ensures that only authorized accounts or users can access and use them. This aligns with the principle of least privilege and compliance standards such as CIS, SOC 2, and ISO 27001, which require strict control over system images and resources.
Impact:
Positive Impact: Improves security by preventing unauthorized access or replication of internal AMIs and maintaining compliance with organizational and regulatory standards.
Negative Impact: Legitimate external sharing of AMIs for partners or customers must be explicitly configured and monitored.
Default Value:
By default, newly created AMIs are private and accessible only to the account that created them unless permissions are manually modified.
Prerequisite:
IAM permissions required: ec2:DescribeImages, ec2:ModifyImageAttribute, and ec2:DescribeImageAttribute.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → AMIs (Owned by me).
Select each AMI and view the Permissions tab.
Check whether Public is listed under “Launch Permissions.”
If Public access is enabled for an AMI, that AMI is non-compliant.
Ensure that only authorized AWS account IDs (if any) have access under “Shared with accounts.”
Implementation Plan:
Using AWS Console:
Navigate to EC2 → AMIs (Owned by me).
Select the AMI marked as Public.
Click Actions → Modify Image Permissions.
Under Launch permissions, choose Private.
Click Save changes.
Verify that the AMI is no longer listed as publicly available.
Backout Plan:
Using AWS Console:
If an AMI was previously shared for a valid use case, re-share it only with specific trusted AWS account IDs under “Shared with accounts.”
Maintain a record of shared AMIs and their intended recipients for audit and compliance tracking.
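The following script is an added example that is not part of this control document. It automates the Test Plan (find AMIs that are Public or shared with accounts outside an approved list), the Implementation Plan (remove the public launch permission), and the Backout Plan (re-share only with specific account IDs) using the real boto3 EC2 calls DescribeImages, DescribeImageAttribute and ModifyImageAttribute. The sample image records and the 12-digit account IDs are constructed placeholders; the approved account allow-list is a hypothetical input you supply.

```python
"""Audit and remediation helpers for the AMI public-sharing control (added example)."""
from typing import Dict, Iterable, List

# AWS represents "Public" as a launch permission granted to the group "all".
PUBLIC_GROUP = "all"

# Constructed sample data in the shape returned by the EC2 API (not real AMIs).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "Name": "build-agent", "Public": True},
    {"ImageId": "ami-0000000000000bbbb", "Name": "web-base", "Public": False},
]
SAMPLE_PERMISSIONS = [  # LaunchPermissions for ami-...aaaa
    {"Group": "all"},
    {"UserId": "111111111111"},
    {"UserId": "222222222222"},
]


def find_public_amis(images: Iterable[Dict]) -> List[str]:
    """Test Plan: IDs of owned images whose DescribeImages record is marked Public."""
    return [img["ImageId"] for img in images if img.get("Public", False)]


def classify_launch_permissions(perms: Iterable[Dict], allowed_accounts: Iterable[str]) -> Dict:
    """Classify a LaunchPermissions list from DescribeImageAttribute.

    Reports whether the image is public, which accounts it is shared with,
    and which of those are not on the approved allow-list ("Shared with accounts").
    Organization/OU shares are listed for manual review and do not affect the verdict.
    """
    allowed = set(allowed_accounts)
    public, shared, org_shares = False, [], []
    for p in perms:
        if p.get("Group") == PUBLIC_GROUP:
            public = True
        elif "UserId" in p:
            shared.append(p["UserId"])
        elif "OrganizationArn" in p or "OrganizationalUnitArn" in p:
            org_shares.append(p.get("OrganizationArn") or p.get("OrganizationalUnitArn"))
    unauthorized = sorted(a for a in shared if a not in allowed)
    return {
        "public": public,
        "shared_accounts": sorted(shared),
        "unauthorized_accounts": unauthorized,
        "org_shares": org_shares,
        "compliant": not public and not unauthorized,
    }


def remove_public_request(image_id: str) -> Dict:
    """Implementation Plan: ModifyImageAttribute arguments that make the image private."""
    return {"ImageId": image_id, "LaunchPermission": {"Remove": [{"Group": PUBLIC_GROUP}]}}


def reshare_request(image_id: str, account_ids: Iterable[str]) -> Dict:
    """Backout Plan: arguments that re-share the image only with named account IDs."""
    return {"ImageId": image_id,
            "LaunchPermission": {"Add": [{"UserId": a} for a in account_ids]}}


def audit_region(ec2, allowed_accounts: Iterable[str], fix: bool = False) -> List[Dict]:
    """Run the check with a live boto3 EC2 client. Covers only that client's region."""
    findings = []
    for img in ec2.describe_images(Owners=["self"])["Images"]:
        attr = ec2.describe_image_attribute(ImageId=img["ImageId"], Attribute="launchPermission")
        result = classify_launch_permissions(attr.get("LaunchPermissions", []), allowed_accounts)
        result["ImageId"] = img["ImageId"]
        if result["public"] and fix:
            ec2.modify_image_attribute(**remove_public_request(img["ImageId"]))
            result["remediated"] = True
        findings.append(result)
    return findings


def demo() -> Dict:
    """Offline run of the pure helpers over the constructed sample data."""
    return {
        "public_amis": find_public_amis(SAMPLE_IMAGES),
        "verdict": classify_launch_permissions(SAMPLE_PERMISSIONS, {"111111111111"}),
    }


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay usable without boto3

    APPROVED = {"111111111111"}  # hypothetical allow-list of approved partner accounts
    session = boto3.session.Session()
    base = session.client("ec2")
    # DescribeRegions returns only the regions enabled for this account.
    for r in base.describe_regions()["Regions"]:
        client = session.client("ec2", region_name=r["RegionName"])
        for f in audit_region(client, APPROVED, fix=False):
            if not f["compliant"]:
                print(r["RegionName"], f)
```

Run it with fix=False first and review the findings; set fix=True (or apply the output of remove_public_request with the CLI) only for AMIs you have confirmed should be private. Because DescribeImages is regional, an AMI copied to another region must be checked there as well, which is why the script loops over every enabled region.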
References:
Amazon EC2 AMI Permissions Documentation
AWS Security Best Practices Whitepaper
AWS EC2 AMI Management Guide