About
Amazon Machine Image (AMI) sharing is a feature in AWS. These images are used in a variety of in-account applications as well as shared across accounts. In some scenarios, machine images are made public by prominent open source projects or by people looking to share an application prior to publishing to the AWS Marketplace. Secrets, bash histories, code artifacts, and more are often baked into these machine images using DevOps processes. Accidentally making an image public is a button in the console and a single command on the AWS CLI.
Understanding Impact
Business Impact
Leaking source code, credentials, or even seemingly innocuous artifacts can damage your business. The risk depends on the sensitivity of the data each image contains. Take the time to assess your images and classify their sensitivity.
Technical Impact
AMIs can be private, shared with specific AWS accounts, or shared publicly. Publicly shared AMIs allow anyone to access their content, which often includes source code, configurations, and credentials.
Identify affected resources
Use the following AWS CLI command to identify publicly shared AMIs in your account:
aws ec2 describe-images \
--owners "self" \
--filter "Name=is-public,Values=true"
Example output for a publicly shared AMI (note "Public": true):
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2022-10-04T09:38:12.000Z",
            "ImageId": "ami-02603c71ad0ca06d3",
            "ImageLocation": "0123456789012/my-aws-ami",
            "ImageType": "machine",
            "Public": true,
            "OwnerId": "0123456789012",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-0e7354ddcf8b525c7",
                        "VolumeSize": 1,
                        "VolumeType": "standard",
                        "Encrypted": false
                    }
                }
            ],
            "Description": "",
            "EnaSupport": false,
            "Hypervisor": "xen",
            "Name": "my-aws-ami",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm",
            "BootMode": "uefi",
            "DeprecationTime": "2024-10-04T09:38:12.000Z"
        }
    ]
}
Remediate vulnerable resources
Use the following AWS CLI command to remove the public sharing (replace your-ami-id with the ImageId from the previous step):
aws ec2 modify-image-attribute \
--image-id your-ami-id \
--launch-permission "Remove=[{Group=all}]"
Instead, you can share your AMI with specific AWS accounts or parts of your AWS Organization.
As a proactive measure, you can also block public access to your AMIs, which prevents an AMI from accidentally being made public in the future. However, it does not change the sharing of AMIs that are already public, so the remediation above is still required for those. Note that in October 2023, AWS announced that this setting would be enabled by default for all new AWS accounts, as well as all existing AWS accounts that did not have a public AMI.
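The identification and remediation steps above, combined into one audit script as an added example (not code from the original page or from Datadog). It parses describe-images output offline to list public AMIs and their backing snapshots, emits the exact modify-image-attribute call from this page for each one, and optionally applies the same removal plus block-public-access through boto3; the sample describe-images JSON and the second image's IDs are constructed, and boto3, credentials and the listed IAM permissions are assumptions.

```python
import json
from typing import Any

# Constructed sample in the shape of `aws ec2 describe-images --owners self` output.
# The first image reuses the IDs shown on the page; the second image and its IDs are made up.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-02603c71ad0ca06d3", "Name": "my-aws-ami", "Public": True,
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": "snap-0e7354ddcf8b525c7", "Encrypted": False}}]},
    {"ImageId": "ami-0123456789abcdef0", "Name": "internal-build", "Public": False,
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": "snap-0abcdef1234567890", "Encrypted": True}}]},
]})


def find_public_images(describe_output: str) -> list[dict[str, Any]]:
    """Return every image whose Public flag is set, with the EBS snapshots backing it."""
    findings = []
    for image in json.loads(describe_output).get("Images", []):
        if not image.get("Public"):
            continue
        snapshots = [m["Ebs"]["SnapshotId"] for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]
        findings.append({"ImageId": image["ImageId"], "Name": image.get("Name", ""), "Snapshots": snapshots})
    return findings


def remediation_commands(findings: list[dict[str, Any]]) -> list[str]:
    """Build the CLI call from the remediation section, one per public image, for review before running."""
    return [f'aws ec2 modify-image-attribute --image-id {f["ImageId"]} '
            f'--launch-permission "Remove=[{{Group=all}}]"' for f in findings]


def remediate_live(region: str, block_new_sharing: bool = True) -> list[str]:
    """Un-share every public AMI in the account with boto3, then turn on block public access.
    Assumption: boto3 is installed and the caller holds ec2:DescribeImages, ec2:ModifyImageAttribute
    and ec2:EnableImageBlockPublicAccess. Imported here so the offline audit above needs no SDK."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    live = ec2.describe_images(Owners=["self"], Filters=[{"Name": "is-public", "Values": ["true"]}])
    findings = find_public_images(json.dumps(live, default=str))
    for f in findings:
        ec2.modify_image_attribute(ImageId=f["ImageId"], LaunchPermission={"Remove": [{"Group": "all"}]})
    if block_new_sharing:  # blocks future public sharing; does not touch AMIs that were already public
        ec2.enable_image_block_public_access(ImageBlockPublicAccessState="block-new-sharing")
    return [f["ImageId"] for f in findings]


if __name__ == "__main__":
    for finding in find_public_images(SAMPLE_DESCRIBE_IMAGES):
        print(f'PUBLIC {finding["ImageId"]} ({finding["Name"]}) snapshots={finding["Snapshots"]}')
    print("\n".join(remediation_commands(find_public_images(SAMPLE_DESCRIBE_IMAGES))))
```

Pipe real output into find_public_images (for example, json.dumps of a saved describe-images result) to review the generated commands before calling remediate_live.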
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "AMI should not be publicly shared".
References
Make an AMI public (AWS documentation)
Hunting for Sensitive Data in Public Amazon Images (AMIs) (blog.lethalbit.com)
Datadog CSM Misconfigurations Rule | AWS AMI Made Public (Datadog documentation)
Block public access to your AMIs (AWS documentation)