aws vulnerabilities ec2 Publicly shared AMI

Publicly shared AMI

PLATFORM

SERVICE

ec2

DATA BREACHES

unknown

LAST UPDATED

March 16, 2023

EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.

high

medium

About

Amazon Machine Image (AMI) sharing is a feature in AWS. These images are used in a variety of in-account applications as well as shared across accounts. In some scenarios, machine images are made public by prominent open source projects or by people looking to share an application prior to publishing to the AWS Marketplace. Secrets, bash histories, code artifacts, and more are often baked into these machine images using DevOps processes. Accidentally making an image public is a button in the console and a single command on the AWS CLI.

Understanding Impact

Business Impact

Leaking source code, credentials, or other more innocuous artifacts can be potentially damaging to your business. The risk is dictated by the sensitivity of the data each image contains. Take the time to do an assessment of your images and classify the sensitivity.

Technical Impact

AMIs can be private, shared with specific AWS accounts, or shared publicly. Publicly shared AMIs allow anyone to access their content, which often includes source code, configurations, and credentials.

Identify affected resources

Use the following AWS CLI command to identify publicly shared AMIs in your account:

aws ec2 describe-images \
  --owners "self" \
  --filter "Name=is-public,Values=true"

Example vulnerable AMI:

{
  "Images": [
    {
      "Architecture": "x86_64",
      "CreationDate": "2022-10-04T09:38:12.000Z",
      "ImageId": "ami-02603c71ad0ca06d3",
      "ImageLocation": "0123456789012/my-aws-ami",
      "ImageType": "machine",
      "Public": true,
      "OwnerId": "0123456789012",
      "PlatformDetails": "Linux/UNIX",
      "UsageOperation": "RunInstances",
      "State": "available",
      "BlockDeviceMappings": [
        {
          "DeviceName": "/dev/xvda",
          "Ebs": {
            "DeleteOnTermination": true,
            "SnapshotId": "snap-0e7354ddcf8b525c7",
            "VolumeSize": 1,
            "VolumeType": "standard",
            "Encrypted": false,
          },
        },
      ],
      "Description": "",
      "EnaSupport": false,
      "Hypervisor": "xen",
      "Name": "my-aws-ami",
      "RootDeviceName": "/dev/xvda",
      "RootDeviceType": "ebs",
      "SriovNetSupport": "simple",
      "VirtualizationType": "hvm",
      "BootMode": "uefi",
      "DeprecationTime": "2024-10-04T09:38:12.000Z",
    },
  ],
}

Remediate vulnerable resources

Use the following AWS CLI command to remove the public sharing:

aws ec2 modify-image-attribute \
  --image-id your-ami-id
  --launch-permission "Remove=[{Group=all}]"

Instead, you can share your AMI with specific AWS accounts or parts of your AWS Organization.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "AMI is not publicly shared".

References

Make an AMI public

aws documentation

Hunting for Sensitive Data in Public Amazon Images (AMIs)

blog.lethalbit.com

Datadog CSPM Rule | AWS AMI Made Public

datadog documentation

Related Vulnerabilities and Threats

vulnerabilities Feb'23

Publicly shared EBS snapshot

vulnerabilities Feb'23

Publicly shared RDS snapshot

work with us

We're always looking for talented people to collaborate with

featured positions

We have 14 positions