More Info:

AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Sure, here are the steps to remediate the issue of EC2 AMIs being public in AWS using the AWS console:
  1. Login to your AWS console.
  2. Go to the EC2 dashboard.
  3. Click on the “AMIs” option in the left-hand menu.
  4. Select the AMI that you want to remediate.
  5. Click on the “Modify Image Permissions” button.
  6. In the “Modify Image Permissions” dialog box, select “Private” as the new permission.
  7. Click on the “Save” button to apply the new permission.
  8. Repeat the above steps for all the public AMIs that you want to remediate.
  9. Once you have changed the permissions for all the public AMIs, verify that they are no longer public by checking the “Permissions” column in the AMIs dashboard.
  10. If any AMIs are still public, repeat the above steps for those AMIs.
By following the above steps, you can remediate the issue of EC2 AMIs being public in AWS and ensure that your AMIs are only accessible to authorized users.

To remediate the misconfiguration “EC2 AMIs Should Not Be Public” for AWS using AWS CLI, follow these steps:
  1. Log in to your AWS account and open the AWS CLI.
  2. Run the following command to check if there are any public AMIs in your AWS account: 
    aws ec2 describe-images --owners self --filters "Name=is-public,Values=true"
  3. If there are any public AMIs, you can make them private by running the following command: 
    aws ec2 modify-image-attribute --image-id <image-id> --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"
    Replace <image-id> with the ID of the AMI you want to make private.
  4. After running the command, verify that the AMI is no longer public by running the following command: 
    aws ec2 describe-images --owners self --filters "Name=image-id,Values=<image-id>" "Name=is-public,Values=false"
    Replace <image-id> with the ID of the AMI you just made private.
  5. Repeat steps 3-4 for all public AMIs in your AWS account.
  6. Once you have made all the necessary AMIs private, you can prevent future public AMIs by setting the default AMI permissions to private. Run the following command: 
    aws ec2 modify-image-attribute --attribute launchPermission --value "{\"Add\": [{\"Group\":\"self\"}]}" --image-id ami-00000000000000000
    Replace ami-00000000000000000 with the ID of any private AMI in your account.
  7. After running the command, verify that the default AMI permissions have been set to private by running the following command: 
    aws ec2 describe-image-attribute --attribute launchPermission --image-id ami-00000000000000000
    Replace ami-00000000000000000 with the ID of the AMI you used in step 6.
By following these steps, you can remediate the “EC2 AMIs Should Not Be Public” misconfiguration for AWS using AWS CLI.
To remediate the issue of EC2 AMIs being public in AWS using Python, you can follow the below steps:Step 1: Identify the public EC2 AMIs in your AWS account using boto3 library in Python.
import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Public AMI ID: ' + image['ImageId'])
Step 2: Deregister the public EC2 AMIs using the deregister_image() method.
import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Deregistering public AMI ID: ' + image['ImageId'])
    ec2.deregister_image(ImageId=image['ImageId'])
Step 3: Modify the EC2 AMI permissions to make them private using the modify_image_attribute() method.
import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_images(
    Filters=[
        {
            'Name': 'is-public',
            'Values': [
                'true',
            ]
        },
    ]
)

for image in response['Images']:
    print('Making private AMI ID: ' + image['ImageId'])
    ec2.modify_image_attribute(
        ImageId=image['ImageId'],
        LaunchPermission={
            'Remove': [
                {
                    'Group': 'all',
                },
            ],
        },
    )
Note: Before making any changes to your AWS account, it is recommended to test the code in a non-production environment and ensure that it is working as expected.

Additional Reading: