Unused AMIs Should Be Removed

More Info:

Unused AMIs should be removed to follow best practices.

Risk Level

Informational

Address

Cost Optimisation

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of unused AMIs in AWS using AWS CLI, follow the below steps:

Open the AWS CLI in your terminal or command prompt.
List all the AMIs that are not in use by running the following command:

aws ec2 describe-images --owners self --filters "Name=state,Values=available" "Name=tag-key,Values=Name" --query 'Images[*].{ID:ImageId,Name:Tags[0].Value}'

This command will list all the AMIs that are not in use and have a Name tag.

Identify the AMIs that are not required anymore and make a note of their IDs.
Deregister the unused AMIs by running the following command:

aws ec2 deregister-image --image-id <AMI-ID>

Replace <AMI-ID> with the actual ID of the unused AMI.

Verify that the AMI has been deregistered by running the following command:

aws ec2 describe-images --image-ids <AMI-ID>

Replace <AMI-ID> with the actual ID of the unused AMI. If the command returns an error stating that the AMI does not exist, then it has been successfully deregistered.By following the above steps, you can remediate the misconfiguration of unused AMIs in AWS using AWS CLI.

Using Python

To remediate the unused AMIs misconfiguration in AWS using Python, you can follow these steps:

Install the Boto3 library for Python using pip: pip install boto3
Create an AWS session using the boto3.Session() method.
Use the ec2 resource in Boto3 to get a list of all the AMIs currently available in your AWS account. You can use the filter() method to filter out only the unused AMIs by checking their state attribute. For example:

import boto3

session = boto3.Session()

ec2 = session.resource('ec2')
unused_amis = []

for ami in ec2.images.filter(Owners=['self']):
    if ami.state == 'available' and len(ami.block_device_mappings) == 0:
        unused_amis.append(ami.id)

Once you have the list of unused AMIs, you can use the deregister_image() method to remove them from your AWS account. For example:

for ami_id in unused_amis:
    ami = ec2.Image(ami_id)
    ami.deregister()

This will deregister all the unused AMIs in your AWS account. Make sure to test this code in a non-production environment before running it in a production environment.

Additional Reading:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unused AMIs Should Be Removed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: