Ensure that EC2 instance's custom AMI is not publicly shared
Avoid publicly sharing AMIs to reduce the risk of exposing sensitive information.
Risk Level: Critical
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.IAM.106
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
Instance where imageDetails.imageLocation regexMatch /^(?!amazon|aws-marketplace\/).+/ should not have imageDetails.isPublic
REMEDIATION
Note: The following instructions refer to the native 'Public' case, provided within the portal under 'AMI availability'. For further cases and instructions, please follow AWS documentation.
From Portal
- Go to 'EC2 Dashboard'
- In the left menu, under 'Images', select 'AMIs'
- Select the publicly shared AMI
- Under 'Actions', select 'Edit AMI permissions'
- Change 'AMI availability' to 'Private'
- Save
From TF
To remove the publicly shared AMI permissions, remove the relevant 'aws_ami_launch_permission' block:
resource "aws_ami_launch_permission" "ami_launch_permission_example" {
..
image_id = AMI-ID
group = "all"
..
}
From Command Line
To remove the publicly shared AMI permissions, run:
aws ec2 modify-image-attribute --image-id AMI-ID --launch-permission "Remove=[{Group=all}]"
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-image-attribute.html
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated about 1 year ago