EC2 AMIs Should Not Be Public
More Info:
AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.
Risk Level
High
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
The following steps remediate public EC2 AMIs using the AWS console:
- Log in to your AWS console.
- Go to the EC2 dashboard.
- Click on the “AMIs” option in the left-hand menu.
- Select the AMI that you want to remediate.
- Click on the “Modify Image Permissions” button.
- In the “Modify Image Permissions” dialog box, select “Private” as the new permission.
- Click on the “Save” button to apply the new permission.
- Repeat the above steps for all the public AMIs that you want to remediate.
- Once you have changed the permissions for all the public AMIs, verify that they are no longer public by checking the “Permissions” column in the AMIs dashboard.
- If any AMIs are still public, repeat the above steps for those AMIs.
By following the above steps, you can remediate the issue of EC2 AMIs being public in AWS and ensure that your AMIs are only accessible to authorized users.
To remediate the misconfiguration “EC2 AMIs Should Not Be Public” for AWS using the AWS CLI, follow these steps:
1. Log in to your AWS account and open the AWS CLI.
2. Run the following command to check if there are any public AMIs in your AWS account:
   aws ec2 describe-images --owners self --filters "Name=is-public,Values=true"
3. If there are any public AMIs, you can make them private by running the following command:
   aws ec2 modify-image-attribute --image-id <image-id> --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"
   Replace <image-id> with the ID of the AMI you want to make private.
4. After running the command, verify that the AMI is no longer public by running the following command (it returns the image only if it is now private):
   aws ec2 describe-images --owners self --filters "Name=image-id,Values=<image-id>" "Name=is-public,Values=false"
   Replace <image-id> with the ID of the AMI you just made private.
5. Repeat steps 3-4 for all public AMIs in your AWS account.
6. Once you have made all the necessary AMIs private, you can prevent future public AMIs by enabling block public access for AMIs. This is an account-level, per-Region setting that rejects new public sharing of AMIs; there is no per-image “default permission” to set, so this replaces the per-image modify-image-attribute call originally shown for this step. Run the following command:
   aws ec2 enable-image-block-public-access --image-block-public-access-state block-new-sharing
7. After running the command, verify that block public access for AMIs is enabled in the Region by running the following command:
   aws ec2 get-image-block-public-access-state
By following these steps, you can remediate the “EC2 AMIs Should Not Be Public” misconfiguration for AWS using the AWS CLI.
To remediate the issue of EC2 AMIs being public in AWS using Python, you can follow the steps below:
Step 1: Identify the public EC2 AMIs in your AWS account using the boto3 library in Python.
import boto3

ec2 = boto3.client('ec2')

# Restrict the query to AMIs owned by this account: without Owners=['self'],
# the is-public filter returns every public AMI in the Region.
response = ec2.describe_images(
    Owners=['self'],
    Filters=[
        {
            'Name': 'is-public',
            'Values': ['true'],
        },
    ],
)
for image in response['Images']:
    print('Public AMI ID: ' + image['ImageId'])
Step 2: Deregister the public EC2 AMIs using the deregister_image() method. Deregistering removes the AMI from your account altogether (instances already launched from it keep running, but no new instances can be launched from it), so use this only for public AMIs you no longer need; for AMIs you want to keep, skip to Step 3.
import boto3

ec2 = boto3.client('ec2')

# Only AMIs owned by this account can be deregistered.
response = ec2.describe_images(
    Owners=['self'],
    Filters=[
        {
            'Name': 'is-public',
            'Values': ['true'],
        },
    ],
)
for image in response['Images']:
    print('Deregistering public AMI ID: ' + image['ImageId'])
    ec2.deregister_image(ImageId=image['ImageId'])
Step 3: Modify the EC2 AMI permissions to make them private using the modify_image_attribute() method.
import boto3

ec2 = boto3.client('ec2')

# Only AMIs owned by this account can have their launch permissions changed.
response = ec2.describe_images(
    Owners=['self'],
    Filters=[
        {
            'Name': 'is-public',
            'Values': ['true'],
        },
    ],
)
for image in response['Images']:
    print('Making private AMI ID: ' + image['ImageId'])
    # Removing the "all" group launch permission is what makes the AMI private.
    ec2.modify_image_attribute(
        ImageId=image['ImageId'],
        LaunchPermission={
            'Remove': [
                {
                    'Group': 'all',
                },
            ],
        },
    )
Note: Before making any changes to your AWS account, it is recommended to test the code in a non-production environment and ensure that it is working as expected.
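The following added example (not code from the original page) performs the same audit offline on constructed `describe-images` and `describe-image-attribute --attribute launchPermission` JSON, and goes one step beyond the page's public-only check by also flagging AMIs shared with accounts outside a hypothetical `TRUSTED_ACCOUNTS` allow-list. It emits the `modify-image-attribute` remediation commands instead of calling AWS, so it runs without credentials and the planned changes can be reviewed before they are applied.

```python
import json

# Constructed sample of `aws ec2 describe-images --owners self` output, trimmed to
# the fields this audit uses (IDs and names are made up for the example).
DESCRIBE_IMAGES = json.loads("""{"Images": [
  {"ImageId": "ami-0123456789abcdef0", "Name": "web-base", "Public": true},
  {"ImageId": "ami-0123456789abcdef1", "Name": "db-base", "Public": false},
  {"ImageId": "ami-0123456789abcdef2", "Name": "ci-runner", "Public": false}
]}""")

# Constructed `describe-image-attribute --attribute launchPermission` output per image:
# a Group=all grant is public sharing; a UserId grant shares with one specific account.
LAUNCH_PERMISSIONS = {
    "ami-0123456789abcdef0": {"LaunchPermissions": [{"Group": "all"}]},
    "ami-0123456789abcdef1": {"LaunchPermissions": [{"UserId": "111111111111"}]},
    "ami-0123456789abcdef2": {"LaunchPermissions": [{"UserId": "999999999999"}]},
}

TRUSTED_ACCOUNTS = {"111111111111"}  # hypothetical allow-list of accounts that may receive AMIs


def find_findings(describe_images, launch_permissions, trusted_accounts):
    """Map image ID -> issues: 'public' for Public=true or a Group=all grant,
    'shared-with:<account>' for a UserId grant outside trusted_accounts."""
    findings = {}
    for img in describe_images["Images"]:
        image_id = img["ImageId"]
        perms = launch_permissions.get(image_id, {}).get("LaunchPermissions", [])
        issues = []
        if img.get("Public") or any(p.get("Group") == "all" for p in perms):
            issues.append("public")
        for p in perms:
            account = p.get("UserId")
            if account and account not in trusted_accounts:
                issues.append("shared-with:" + account)
        if issues:
            findings[image_id] = issues
    return findings


def remediation_commands(findings):
    """One modify-image-attribute command per image, removing every offending grant."""
    commands = []
    for image_id, issues in findings.items():
        remove = [{"Group": "all"} if i == "public" else {"UserId": i.split(":", 1)[1]}
                  for i in issues]
        permission = json.dumps({"Remove": remove}, separators=(",", ":"))
        commands.append("aws ec2 modify-image-attribute --image-id %s --launch-permission '%s'"
                        % (image_id, permission))
    return commands
```

Run `find_findings(DESCRIBE_IMAGES, LAUNCH_PERMISSIONS, TRUSTED_ACCOUNTS)` and feed the result to `remediation_commands` to get the two commands for the sample data; with real output, replace the constructed dictionaries with the parsed JSON from the CLI calls named above.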