EC2 AMIs Should Not Be Public

More Info:

AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “EC2 AMIs Should Not Be Public” for AWS using AWS CLI, follow these steps:

Log in to your AWS account and open the AWS CLI.
Run the following command to check if there are any public AMIs in your AWS account:
```
aws ec2 describe-images --owners self --filters "Name=is-public,Values=true"
```
If there are any public AMIs, you can make them private by running the following command:
```
aws ec2 modify-image-attribute --image-id <image-id> --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"
```
Replace <image-id> with the ID of the AMI you want to make private.
After running the command, verify that the AMI is no longer public by running the following command:
```
aws ec2 describe-images --owners self --filters "Name=image-id,Values=<image-id>" "Name=is-public,Values=false"
```
Replace <image-id> with the ID of the AMI you just made private.
Repeat steps 3-4 for all public AMIs in your AWS account.
Once you have made all the necessary AMIs private, you can prevent future public AMIs by setting the default AMI permissions to private. Run the following command:
```
aws ec2 modify-image-attribute --attribute launchPermission --value "{\"Add\": [{\"Group\":\"self\"}]}" --image-id ami-00000000000000000
```
Replace ami-00000000000000000 with the ID of any private AMI in your account.
After running the command, verify that the default AMI permissions have been set to private by running the following command:
```
aws ec2 describe-image-attribute --attribute launchPermission --image-id ami-00000000000000000
```
Replace ami-00000000000000000 with the ID of the AMI you used in step 6.

By following these steps, you can remediate the “EC2 AMIs Should Not Be Public” misconfiguration for AWS using AWS CLI.

Using Python

To remediate the issue of EC2 AMIs being public in AWS using Python, you can follow the below steps:Step 1: Identify the public EC2 AMIs in your AWS account using boto3 library in Python.

import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Public AMI ID: ' + image['ImageId'])

Step 2: Deregister the public EC2 AMIs using the deregister_image() method.

import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Deregistering public AMI ID: ' + image['ImageId'])
    ec2.deregister_image(ImageId=image['ImageId'])

Step 3: Modify the EC2 AMI permissions to make them private using the modify_image_attribute() method.

import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Making private AMI ID: ' + image['ImageId'])
    ec2.modify_image_attribute(
        ImageId=image['ImageId'],
        LaunchPermission={
            'Remove': [
                {
                    'Group': 'all',
                },
            ],
        },
    )

Note: Before making any changes to your AWS account, it is recommended to test the code in a non-production environment and ensure that it is working as expected.

Additional Reading:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

EC2 AMIs Should Not Be Public

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: