About
Amazon Machine Images (AMIs) are the templates that EC2 instances are launched from, and AWS lets you share them. Images are used in a variety of in-account applications as well as shared across accounts. In some scenarios, images are made public on purpose, by prominent open source projects or by people who want to share an application prior to publishing it to the AWS Marketplace. Secrets, bash histories, code artifacts, and more are often baked into these images by DevOps processes. Accidentally making an image public is a single checkbox in the console and a single command on the AWS CLI.
Understanding Impact
Business Impact
Leaking source code, credentials, or even seemingly innocuous artifacts can damage your business. The risk is dictated by the sensitivity of the data each image contains. Take the time to assess your images and classify their sensitivity.
Technical Impact
AMIs can be private, shared with specific AWS accounts, or shared publicly. Any AWS account can launch an instance from a publicly shared AMI and read the full contents of its volumes, which often include source code, configuration files, and credentials.
Identify affected resources
Use the following AWS CLI command to list the publicly shared AMIs owned by your account. AMIs are regional, so run it in every region you use:
aws ec2 describe-images \
    --owners "self" \
    --filters "Name=is-public,Values=true"
Example output for a publicly shared AMI (note "Public": true and the unencrypted root snapshot, which is the data an outsider can read):
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2022-10-04T09:38:12.000Z",
            "ImageId": "ami-02603c71ad0ca06d3",
            "ImageLocation": "0123456789012/my-aws-ami",
            "ImageType": "machine",
            "Public": true,
            "OwnerId": "0123456789012",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-0e7354ddcf8b525c7",
                        "VolumeSize": 1,
                        "VolumeType": "standard",
                        "Encrypted": false
                    }
                }
            ],
            "Description": "",
            "EnaSupport": false,
            "Hypervisor": "xen",
            "Name": "my-aws-ami",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm",
            "BootMode": "uefi",
            "DeprecationTime": "2024-10-04T09:38:12.000Z"
        }
    ]
}
Remediate vulnerable resources
Use the following AWS CLI command to remove the public launch permission (the "all" group) from the image:
aws ec2 modify-image-attribute \
    --image-id your-ami-id \
    --launch-permission "Remove=[{Group=all}]"
If the image genuinely needs to be shared, share it with specific AWS accounts, or with your AWS Organization or organizational units, instead of with the "all" group. Treat any secrets that were baked into a public image as compromised and rotate them; removing the permission does not undo copies that were already made.
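The identification and remediation steps above can be combined into one audit, shown here as an added example that is not Datadog's or AWS's own code. It works on the response shape of describe-images (the sample response embedded below is constructed for illustration), lists every public image together with the snapshots a reviewer has to inspect, and builds the ModifyImageAttribute request that drops the "all" group, optionally re-sharing with named accounts in the same call. The main() function assumes boto3 is installed and that your profile has a default region configured; everything else runs offline.

```python
"""Audit public AMIs and build the request that makes them private again.

Added example (not the page's or AWS's code). The pure functions operate on the
JSON returned by `aws ec2 describe-images` / boto3 describe_images(), so they can
be run against a saved response; main() performs the live calls.
"""
from __future__ import annotations

import json
from typing import Iterable, Optional

# Constructed sample shaped like the describe-images output: one public image
# whose root snapshot is unencrypted, and one private image.
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{
  "Images": [
    {
      "ImageId": "ami-0123456789abcdef0",
      "Name": "build-box",
      "OwnerId": "123456789012",
      "Public": true,
      "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0123456789abcdef0", "Encrypted": false}}
      ]
    },
    {
      "ImageId": "ami-0fedcba9876543210",
      "Name": "internal-app",
      "OwnerId": "123456789012",
      "Public": false,
      "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0fedcba9876543210", "Encrypted": true}}
      ]
    }
  ]
}
""")


def public_images(images: Iterable[dict]) -> list[dict]:
    """Return one finding per image that any AWS account can launch.

    "Public" in the response is the same fact the console checkbox toggles and
    that the is-public filter selects server-side; checking it here as well
    lets the function run over a saved response from any source.
    """
    findings = []
    for img in images:
        if not img.get("Public"):
            continue
        # What an outsider can read is the block-device snapshots, so their IDs
        # are what the data-classification review has to look at first.
        snapshots = [
            bdm["Ebs"]["SnapshotId"]
            for bdm in img.get("BlockDeviceMappings", [])
            if "SnapshotId" in bdm.get("Ebs", {})
        ]
        findings.append({"ImageId": img["ImageId"],
                         "Name": img.get("Name", ""),
                         "Snapshots": snapshots})
    return findings


def remove_public_launch_permission(image_id: str,
                                    allow_accounts: Optional[list[str]] = None) -> dict:
    """Build the keyword arguments for ec2.modify_image_attribute().

    Removing the "all" group is the API form of the CLI's Remove=[{Group=all}];
    allow_accounts adds the Add=[{UserId=...}] part for intended recipients.
    Returned as a dict so the request can be logged or reviewed before it runs.
    """
    launch_permission: dict = {"Remove": [{"Group": "all"}]}
    if allow_accounts:
        launch_permission["Add"] = [{"UserId": acct} for acct in allow_accounts]
    return {"ImageId": image_id, "LaunchPermission": launch_permission}


def main() -> None:
    """Live run: list public AMIs in every region and print the remediation."""
    import boto3  # assumed installed; only needed for the live run

    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        resp = ec2.describe_images(Owners=["self"],
                                   Filters=[{"Name": "is-public", "Values": ["true"]}])
        for finding in public_images(resp["Images"]):
            print(region, finding["ImageId"], finding["Name"], ",".join(finding["Snapshots"]))
            # After reviewing the snapshots (and rotating anything they contain):
            # ec2.modify_image_attribute(**remove_public_launch_permission(finding["ImageId"]))


if __name__ == "__main__":
    main()
```

The remediation call is deliberately left commented out in main(): run the audit first, record which snapshots were exposed, rotate any credentials they held, and only then flip the permission, so the incident record is complete before the evidence disappears from your own listing.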
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "AMI is not publicly shared".
References
Make an AMI public
aws documentation
Hunting for Sensitive Data in Public Amazon Images (AMIs)
blog.lethalbit.com
Datadog CSPM Rule | AWS AMI Made Public
datadog documentation