Source: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/publicly-shared-ami.html
Submission: On March 06 via api from US — Scanned from DE
PUBLICLY SHARED AMI

Risk level: Medium (should be achieved)
Rule ID: EC2-019

Ensure that your AWS AMIs are not publicly shared with other AWS accounts in order to avoid exposing sensitive data. Cloud Conformity strongly recommends against sharing your AMIs with all AWS accounts. If required, you can share your images with specific AWS accounts without making them public.

This rule can help you with the following compliance standards:
* GDPR
* APRA
* MAS
* NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

SECURITY

When you make your AMIs publicly accessible, they become available as Community AMIs, where anyone with an AWS account can use them to launch EC2 instances. Most of the time your AMIs contain snapshots of your applications (including their data), so exposing your snapshots in this manner is not advised.

--------------------------------------------------------------------------------

AUDIT

To identify any publicly accessible AMIs within your AWS account, perform the following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.
02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under the IMAGES section, choose AMIs.
04 Select the image that you want to examine.
05 Select the Permissions tab from the dashboard bottom panel and check the AMI's current launch permissions. If the selected image is publicly accessible, the EC2 dashboard will display the following status: "This image is currently Public.".
06 Repeat steps no. 4 and 5 to verify the launch permissions for the rest of the AMIs available in the current region.
07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

USING AWS CLI

01 Run the describe-images command (OSX/Linux/UNIX) with appropriate filtering to list the IDs of all Amazon Machine Images (AMIs) owned by your account in the selected region:

    aws ec2 describe-images --region us-east-1 --owners self --output table --query 'Images[*].ImageId'

02 The command output should return the requested AMI IDs:

    ------------------
    | DescribeImages |
    +----------------+
    |  ami-3fad5252  |
    |  ami-cdab54a0  |
    +----------------+

03 Run the describe-images command again (OSX/Linux/UNIX) with each image ID returned at the previous step to retrieve the AMI's configuration metadata:

    aws ec2 describe-images --region us-east-1 --image-ids ami-3fad5252

04 The command output should return the metadata for the selected AMI:

    {
        "Images": [
            {
                "VirtualizationType": "hvm",
                "Name": "Web App Stack AMI ver. 1.4",
                "Hypervisor": "xen",
                "SriovNetSupport": "simple",
                "ImageId": "ami-3fad5252",
                "State": "available",
                ...
                "RootDeviceType": "ebs",
                "OwnerId": "123456789012",
                "RootDeviceName": "/dev/xvda",
                "CreationDate": "2016-06-03T15:35:51.000Z",
                "Public": true,
                "ImageType": "machine",
                "Description": "Full LAMP Stack + Web App + Local DB"
            }
        ]
    }

If the Public parameter value is set to true (as shown in the example above), the selected AMI is accessible to all AWS accounts and your data is publicly exposed; otherwise the AMI is private.

05 Repeat steps no. 3 and 4 to verify the launch permissions for the rest of the AMIs available in the current region.
06 Repeat steps no. 1 – 5 to repeat the entire audit process for the other AWS regions.

--------------------------------------------------------------------------------

REMEDIATION

Case A: To restrict public access to your AMIs and make them private, perform the following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.
02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under the IMAGES section, choose AMIs.
04 Select the AMI that you want to make private.
05 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the selected image's launch permissions.
06 In the Modify Image Permissions dialog box, select Private, then click Save.
07 Repeat steps no. 4 – 6 to restrict public access to the rest of the AMIs available in the current region.
08 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS accounts, perform the following:

USING AWS CONSOLE

01 Sign in to the AWS Management Console.
02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under the IMAGES section, choose AMIs.
04 Select the AMI that you want to share with specific AWS accounts.
05 Select the Permissions tab from the dashboard bottom panel and click the Edit button to update the selected image's launch permissions.
06 In the Modify Image Permissions dialog box, perform the following actions:
   a. Select Private to make the AMI private.
   b. In the AWS Account Number box, enter the ID number (e.g. 355366855517) of the AWS account with which you want to share the selected AMI, then click Add Permission.
   c. (Optional) Select "Add 'create volume' permissions to the following associated snapshots when creating permissions" to give the specified AWS account the capability to create volumes from the associated snapshots.
   d. Click Save to apply the changes.
07 Repeat steps no. 4 – 6 to update the launch permissions for the rest of the AMIs available in the current region.
08 Change the AWS region to repeat the entire process for the other regions.

Case A: To restrict public access to your AMIs and make them private using the AWS CLI, perform the following:

USING AWS CLI

01 Run the modify-image-attribute command (OSX/Linux/UNIX) using the image ID as identifier (see the Audit section for how to get your AMI IDs) to update the AMI launch permissions and make it private (the command does not produce an output):

    aws ec2 modify-image-attribute --region us-east-1 --image-id ami-3fad5252 --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"

02 Repeat step no. 1 to restrict public access to the rest of the AMIs available in the current region.
03 Change the AWS region to repeat the entire process for the other regions.

Case B: To restrict public access to your AMIs and share them with specific AWS accounts using the AWS CLI, perform the following:

USING AWS CLI

01 Run the reset-image-attribute command (OSX/Linux/UNIX) using the image ID as identifier to reset the AMI launch permissions and remove its public access (the command does not return an output):

    aws ec2 reset-image-attribute --region us-east-1 --image-id ami-3fad5252 --attribute launchPermission

02 Now run the modify-image-attribute command (OSX/Linux/UNIX) to update the AMI launch permissions and share the image with a specific AWS account (the command does not return an output):

    aws ec2 modify-image-attribute --region us-east-1 --image-id ami-3fad5252 --launch-permission "{\"Add\":[{\"UserId\":\"355366855517\"}]}"

03 Repeat steps no. 1 – 2 to update the launch permissions for the rest of the AMIs available in the current region.
04 Change the AWS region to repeat the entire process for the other regions.
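The audit and both CLI remediation cases above can be tied together in a small script that reads describe-images output per region, flags every image with "Public": true, and emits the exact reset-image-attribute / modify-image-attribute commands for review before anything is changed. This is an added example, not code from the Conformity page or from AWS; the describe-images JSON below is constructed to match the shape shown in the Audit section, and the function names are this example's own.

```python
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-images --output json`;
# image ids mirror the page's example, the rest is made up for this demo.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-3fad5252", "Name": "Web App Stack AMI ver. 1.4",
     "OwnerId": "123456789012", "Public": True, "State": "available"},
    {"ImageId": "ami-cdab54a0", "Name": "Build agent",
     "OwnerId": "123456789012", "Public": False, "State": "available"},
]})

def find_public_amis(describe_images_json):
    """Return the images whose Public flag is true (the audit check in step 04)."""
    images = json.loads(describe_images_json).get("Images", [])
    return [img for img in images if img.get("Public") is True]

def remediation_commands(image_id, region, allowed_accounts=()):
    """Build the CLI commands from the remediation section for one AMI.
    Case A (no accounts): remove the 'all' launch-permission group.
    Case B (accounts given): reset launch permissions, then add each account."""
    base = f"aws ec2 modify-image-attribute --region {region} --image-id {image_id}"
    if not allowed_accounts:
        perm = json.dumps({"Remove": [{"Group": "all"}]})
        return [f"{base} --launch-permission {shlex.quote(perm)}"]
    cmds = [f"aws ec2 reset-image-attribute --region {region} "
            f"--image-id {image_id} --attribute launchPermission"]
    for account in allowed_accounts:
        # A typo here would silently share the image with an unrelated account.
        if not (account.isdigit() and len(account) == 12):
            raise ValueError(f"not a 12-digit AWS account id: {account!r}")
        perm = json.dumps({"Add": [{"UserId": account}]})
        cmds.append(f"{base} --launch-permission {shlex.quote(perm)}")
    return cmds

def remediation_plan(describe_output_by_region, allowed_accounts=()):
    """Map region -> {image id: commands} for every public AMI found, so all
    regions are audited (step 06) before any permission is changed."""
    plan = {}
    for region, output in describe_output_by_region.items():
        for img in find_public_amis(output):
            plan.setdefault(region, {})[img["ImageId"]] = remediation_commands(
                img["ImageId"], region, allowed_accounts)
    return plan

if __name__ == "__main__":
    print(json.dumps(remediation_plan({"us-east-1": SAMPLE_DESCRIBE_IMAGES}), indent=2))
```

In real use, feed remediation_plan the output of `aws ec2 describe-images --owners self --output json` captured once per region; the commands are printed for review rather than executed.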
Publication date: Jun 4, 2016