PUBLICLY SHARED AMI

Risk level: Medium (should be achieved)
Rule ID: EC2-019

Ensure that your AWS AMIs are not publicly shared with other AWS accounts, in
order to avoid exposing sensitive data. Cloud Conformity strongly recommends
against sharing your AMIs with all AWS accounts. If sharing is required, you can
share your images with specific AWS accounts without making them public.

This rule can help you with the following compliance standards:

 * GDPR
 * APRA
 * MAS
 * NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for
AWS.

Security

When you make an AMI publicly accessible, it is listed under Community AMIs,
where anyone with an AWS account can use it to launch EC2 instances. AMIs are
usually built from snapshots of your applications (including their data and
any embedded configuration or credentials), so exposing those snapshots in this
manner is not advised.

--------------------------------------------------------------------------------


AUDIT

To identify any publicly accessible AMIs within your AWS account, perform the
following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to examine.

05 Select the Permissions tab from the dashboard bottom panel and check the AMI
current launch permissions. If the selected image is publicly accessible, the
EC2 dashboard will display the following status: "This image is currently
Public."

06 Repeat steps no. 4 and 5 to verify the launch permissions for the rest of the
AMIs available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process
for the other regions.

USING AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with appropriate filtering to
list the IDs of all Amazon Machine Images (AMIs) currently available in the
selected region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'


02 The command output should return the AMI IDs requested:


------------------
| DescribeImages |
+----------------+
|  ami-3fad5252  |
|  ami-cdab54a0  |
+----------------+


03 Run the describe-images command (OSX/Linux/UNIX) again, using each image ID
returned at the previous step, to retrieve the configuration metadata of each AMI:

aws ec2 describe-images \
	--region us-east-1 \
	--image-ids ami-3fad5252


04 The command output should return the metadata for the selected AMI:


{
    "Images": [
        {
            "VirtualizationType": "hvm",
            "Name": "Web App Stack AMI ver. 1.4",
            "Hypervisor": "xen",
            "SriovNetSupport": "simple",
            "ImageId": "ami-3fad5252",
            "State": "available",
            ...
            "RootDeviceType": "ebs",
            "OwnerId": "123456789012",
            "RootDeviceName": "/dev/xvda",
            "CreationDate": "2016-06-03T15:35:51.000Z",
            "Public": true,
            "ImageType": "machine",
            "Description": "Full LAMP Stack + Web App + Local DB"
        }
    ]
}



If the Public parameter value is set to true (as shown in the example above),
the selected AMI is accessible to all AWS accounts and your data is publicly
exposed, otherwise the AMI is private.

05 Repeat steps no. 3 and 4 to verify the launch permissions for the rest of the
AMIs available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for the other AWS
regions.

REMEDIATION / RESOLUTION

Case A: To restrict public access to your AMIs and make them private, perform
the following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the AMI that you want to make private.

05 Select the Permissions tab from the dashboard bottom panel and click the Edit
button to update the selected image launch permissions.

06 In the Modify Image Permissions dialog box, select Private then click Save.

07 Repeat steps no. 4 – 6 to restrict public access to the rest of the AMIs
available in the current region.

08 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS
accounts, perform the following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the AMI that you want to share with specific AWS accounts.

05 Select the Permissions tab from the dashboard bottom panel and click the Edit
button to update the selected image launch permissions.

06 In the Modify Image Permissions dialog box, perform the following actions:

 a. Select Private to make the AMI private.
 b. In the AWS Account Number box, enter the ID number (e.g. 355366855517) of
    the AWS account with whom you want to share the selected AMI, then click Add
    Permission.
 c. (Optional) Select Add "create volume" permissions to the following
    associated snapshots when creating permissions to provide the specified AWS
    account the capability to create volumes from the associated snapshots.
 d. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to update the launch permissions for the rest of the
AMIs available in the current region.

08 Change the AWS region to repeat the entire process for the other regions.

Case A: To restrict public access to your AMIs and make them private using the
AWS CLI, perform the following:

USING AWS CLI

01 Run modify-image-attribute command (OSX/Linux/UNIX) using the image ID as
identifier (see the Audit section for how to get your AMI IDs) to update the AMI
launch permissions and make it private (the command does not produce an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"


02 Repeat step no. 1 to restrict public access to the rest of the AMIs available
in the current region.

03 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS
accounts using the AWS CLI, perform the following:

USING AWS CLI

01 Run reset-image-attribute command (OSX/Linux/UNIX) using the image ID as
identifier to reset the AMI launch permissions and remove its public access (the
command does not return an output):

aws ec2 reset-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--attribute launchPermission


02 Now run modify-image-attribute command (OSX/Linux/UNIX) to update the AMI
launch permissions and share the image with a specific AWS account (the command
does not return an output):

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--launch-permission "{\"Add\":[{\"UserId\":\"355366855517\"}]}"


03 Repeat steps no. 1 – 2 to update the launch permissions for the rest of the
AMIs available in the current region.

04 Change the AWS region to repeat the entire process for the other regions.
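The audit check from step 04 of the CLI audit (is "Public" true?) and the remediation payloads from Case A and Case B, worked through together as an added example; this is not Conformity's code. The describe-images JSON is a constructed sample modelled on the output shown above, the function names are my own, and the --launch-permission JSON relies on the fact that LaunchPermissionModifications accepts both an Add and a Remove list in a single modify-image-attribute call.

```python
"""Find public AMIs in describe-images output and build the remediation command."""
import json
import shlex

# Constructed sample modelled on the describe-images output above (not real AMIs).
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-3fad5252", "Name": "Web App Stack AMI ver. 1.4",
         "OwnerId": "123456789012", "Public": True},
        {"ImageId": "ami-cdab54a0", "Name": "Bastion AMI",
         "OwnerId": "123456789012", "Public": False},
    ]
})


def find_public_images(describe_output: str) -> list[str]:
    """Return the IDs of images whose Public flag is true (audit step 04)."""
    data = json.loads(describe_output)
    return [img["ImageId"] for img in data.get("Images", []) if img.get("Public") is True]


def launch_permission(*, make_private: bool, share_with: tuple[str, ...] = ()) -> str:
    """Build the --launch-permission JSON: Remove Group=all (Case A), Add UserIds (Case B)."""
    if not make_private and not share_with:
        raise ValueError("nothing to change")
    for acct in share_with:                       # AWS account IDs are exactly 12 digits
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"invalid AWS account ID: {acct!r}")
    payload: dict = {}
    if make_private:
        payload["Remove"] = [{"Group": "all"}]
    if share_with:
        payload["Add"] = [{"UserId": a} for a in share_with]
    return json.dumps(payload, separators=(",", ":"))


def remediation_command(image_id: str, region: str, share_with: tuple[str, ...] = ()) -> str:
    """Render the modify-image-attribute command, quoted for a POSIX shell, that revokes
    public launch permission and optionally grants it to specific accounts in one call."""
    argv = ["aws", "ec2", "modify-image-attribute", "--region", region,
            "--image-id", image_id, "--launch-permission",
            launch_permission(make_private=True, share_with=share_with)]
    return shlex.join(argv)


if __name__ == "__main__":
    # Feed this the real output of "aws ec2 describe-images --owners self" per region.
    for ami in find_public_images(SAMPLE_DESCRIBE_IMAGES):
        print(remediation_command(ami, "us-east-1"))
```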

Publication date Jun 4, 2016
