More Info:

Unused AMIs should be removed to follow best practices.

Risk Level

Informational

Address

Cost Optimisation

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the unused AMIs issue in AWS using AWS console:
  1. Login to your AWS console.
  2. Go to the EC2 dashboard.
  3. Click on the “AMIs” option from the left-hand menu.
  4. Sort the AMIs by the “Creation Date” column to identify the oldest and unused AMIs.
  5. Select the unused AMIs that you want to remove.
  6. Click on the “Actions” button and select “Deregister” from the dropdown menu.
  7. Confirm the deregistration by clicking on the “Deregister” button in the confirmation window.
  8. Once the AMI is deregistered, you can delete the associated EBS snapshots by selecting the AMI and clicking on the “Snapshots” tab.
  9. Select the associated EBS snapshot(s) and click on the “Actions” button.
  10. From the dropdown menu, select “Delete” and confirm the deletion.
By following these steps, you can remediate the unused AMIs issue in AWS and ensure that your cloud resources are optimized for cost and efficiency.

To remediate the misconfiguration of unused AMIs in AWS using AWS CLI, follow the below steps:
  1. Open the AWS CLI in your terminal or command prompt.
  2. List all the AMIs that are not in use by running the following command: 
aws ec2 describe-images --owners self --filters "Name=state,Values=available" "Name=tag-key,Values=Name" --query 'Images[*].{ID:ImageId,Name:Tags[0].Value}'
This command will list all the AMIs that are not in use and have a Name tag.
  1. Identify the AMIs that are not required anymore and make a note of their IDs.
  2. Deregister the unused AMIs by running the following command: 
aws ec2 deregister-image --image-id <AMI-ID>
Replace <AMI-ID> with the actual ID of the unused AMI.
  1. Verify that the AMI has been deregistered by running the following command:
aws ec2 describe-images --image-ids <AMI-ID>
Replace <AMI-ID> with the actual ID of the unused AMI. If the command returns an error stating that the AMI does not exist, then it has been successfully deregistered.By following the above steps, you can remediate the misconfiguration of unused AMIs in AWS using AWS CLI.
To remediate the unused AMIs misconfiguration in AWS using Python, you can follow these steps:
  1. Install the Boto3 library for Python using pip: pip install boto3
  2. Create an AWS session using the boto3.Session() method.
  3. Use the ec2 resource in Boto3 to get a list of all the AMIs currently available in your AWS account. You can use the filter() method to filter out only the unused AMIs by checking their state attribute. For example: 
import boto3

session = boto3.Session()

ec2 = session.resource('ec2')
unused_amis = []

for ami in ec2.images.filter(Owners=['self']):
    if ami.state == 'available' and len(ami.block_device_mappings) == 0:
        unused_amis.append(ami.id)
  1. Once you have the list of unused AMIs, you can use the deregister_image() method to remove them from your AWS account. For example:
for ami_id in unused_amis:
    ami = ec2.Image(ami_id)
    ami.deregister()
This will deregister all the unused AMIs in your AWS account. Make sure to test this code in a non-production environment before running it in a production environment.

Additional Reading: