Ensure that EC2 AMIs are not publicly accessible

One or more AMI exposed to the public internet. It is recommended to not publicly shared with the other AWS accounts in order to avoid sensitive data exposure. If required, AMI images should only be shared with relevant AWS accounts without making them public.

Risk Level: Critical
Cloud Entity: Amazon Machine Image (AMI)
CloudGuard Rule ID: D9.AWS.NET.29
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

AMI should have isPublic=false

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the left navigation panel select AMIs under Images.
  3. Select the relevant image, and then choose Actions, Edit AMI permissions.
    If the selected image is public, the following status will be displayed on the EC2 dashboard: 'This image is currently Public.'.
    4.Change it to Private and save changes.
  4. Change the AWS region from the navigation bar and repeat steps 1-4 for the all the regions.

From TF
We cannot change the permission of AMI from public to private using terraform code.
To change the AMI's permission from Public to Private we need to use portal or CLI.

From Command Line
To change the permission of AMI to private, run:

aws ec2 modify-image-attribute --region us-east-1 --image-id AMI-ID --launch-permission "Remove=[{Group=all}]"

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
  2. https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html

Amazon Machine Image (AMI)

An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. You must specify a source AMI when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration. You can use different AMIs to launch instances when you need instances with different configurations.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset