Publicly shared AMI







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




Amazon Machine Image (AMI) sharing is a feature in AWS. These images are used in a variety of in-account applications as well as shared across accounts. In some scenarios, machine images are made public by prominent open source projects or by people looking to share an application prior to publishing to the AWS Marketplace. Secrets, bash histories, code artifacts, and more are often baked into these machine images using DevOps processes. Accidentally making an image public is a button in the console and a single command on the AWS CLI.

Understanding Impact

Business Impact

Leaking source code, credentials, or other more innocuous artifacts can be potentially damaging to your business. The risk is dictated by the sensitivity of the data each image contains. Take the time to do an assessment of your images and classify the sensitivity.

Technical Impact

AMIs can be private, shared with specific AWS accounts, or shared publicly. Publicly shared AMIs allow anyone to access their content, which often includes source code, configurations, and credentials.

Identify affected resources

Use the following AWS CLI command to identify publicly shared AMIs in your account:

aws ec2 describe-images \
  --owners "self" \
  --filter "Name=is-public,Values=true"

Example vulnerable AMI:

  "Images": [
      "Architecture": "x86_64",
      "CreationDate": "2022-10-04T09:38:12.000Z",
      "ImageId": "ami-02603c71ad0ca06d3",
      "ImageLocation": "0123456789012/my-aws-ami",
      "ImageType": "machine",
      "Public": true,
      "OwnerId": "0123456789012",
      "PlatformDetails": "Linux/UNIX",
      "UsageOperation": "RunInstances",
      "State": "available",
      "BlockDeviceMappings": [
          "DeviceName": "/dev/xvda",
          "Ebs": {
            "DeleteOnTermination": true,
            "SnapshotId": "snap-0e7354ddcf8b525c7",
            "VolumeSize": 1,
            "VolumeType": "standard",
            "Encrypted": false,
      "Description": "",
      "EnaSupport": false,
      "Hypervisor": "xen",
      "Name": "my-aws-ami",
      "RootDeviceName": "/dev/xvda",
      "RootDeviceType": "ebs",
      "SriovNetSupport": "simple",
      "VirtualizationType": "hvm",
      "BootMode": "uefi",
      "DeprecationTime": "2024-10-04T09:38:12.000Z",

Remediate vulnerable resources

Use the following AWS CLI command to remove the public sharing:

aws ec2 modify-image-attribute \
  --image-id your-ami-id
  --launch-permission "Remove=[{Group=all}]"

Instead, you can share your AMI with specific AWS accounts or parts of your AWS Organization.

As a proactive measure, you can also block public access to your AMIs, which will prevent you from accidentally making an AMI public in the future. However, it doesn't make private any AMI that was already made public. Note that in October 2023, AWS announced that this setting would be enabled by default for all new AWS accounts, as well as all existing AWS accounts that did not have a public AMI.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "AMI should not be publicly shared".


Make an AMI public

aws documentation

Hunting for Sensitive Data in Public Amazon Images (AMIs)

Datadog CSM Misconfigurations Rule | AWS AMI Made Public

datadog documentation

Block public access to your AMIs

aws documentation

Did you find this article helpful?

Related Vulnerabilities and Threats