Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Ensure EC2 AMIs are not publicly accessible Rule

This rule ensures EC2 AMIs are not accessible to the public.

RuleEnsure EC2 AMIs are not publicly accessible
FrameworkCloudDefense.AI Security
Severity
High

Rule Description

The rule ensures that Amazon Machine Images (AMIs) in your AWS EC2 environment are not publicly accessible. Publicly accessible AMIs can pose a security risk as they may contain sensitive information or configurations that should not be exposed to the internet. By enforcing the rule, you can prevent accidental exposure of AMIs and protect the integrity of your infrastructure.

Troubleshooting Steps

  2. 1.
    Identify publicly accessible AMIs:
    • Go to the EC2 console in the AWS Management Console.
    • Select "Images" from the left-hand navigation menu.
    • Click on the "AMIs" tab.
    • Look for any AMIs marked as "Public".

Remediation Steps

To remediate the issue and ensure that AMIs are not publicly accessible, follow these steps:

  2. 1.

    Remove public access to existing AMIs:

    • Go to the EC2 console in the AWS Management Console.
    • Select "Images" from the left-hand navigation menu.
    • Click on the "AMIs" tab.
    • Select the AMI marked as "Public".
    • Click on the "Actions" button.
    • Choose "Modify Image Permissions" from the dropdown menu.
    • Uncheck the "Public" checkbox.
    • Click "Save" to close the dialog box.
  4. 2.

    Prevent future AMIs from being publicly accessible:

    • Go to the EC2 console in the AWS Management Console.
    • Select "LaunchTemplates" or "LaunchConfigurations" from the left-hand navigation menu, depending on your setup.
    • Select the appropriate launch template or configuration.
    • Click on the "Actions" button.
    • Choose "Edit" from the dropdown menu.
    • In the "Images" section, ensure that the "Public" checkbox is unchecked.
    • Click "Save" to save the changes.
  6. 3.

    Ensure proper permissions for AMIs:

    • Go to the EC2 console in the AWS Management Console.
    • Select "Images" from the left-hand navigation menu.
    • Click on the "AMIs" tab.
    • Select the AMI that needs to have restricted access.
    • Click on the "Actions" button.
    • Choose "Modify Image Permissions" from the dropdown menu.
    • Add only the necessary AWS accounts or organizations that require access to the AMI.
    • Remove any unnecessary accounts or organizations.
    • Click "Save" to save the changes.

Command Line Interface (CLI) Commands

To remove public access from an AMI using AWS CLI, you can use the following command:

aws ec2 modify-image-attribute --image-id <AMI_ID> --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"

Remember to replace 

<AMI_ID>
with the actual ID of the AMI that needs modification.

To modify the image permissions and restrict access to specific AWS accounts, you can use the following command:

aws ec2 modify-image-attribute --image-id <AMI_ID> --launch-permission "{\"Add\": [{\"UserId\":\"<AWS_ACCOUNT_ID>\"}]}"

Replace 

<AMI_ID>
with the actual ID of the AMI, and 
<AWS_ACCOUNT_ID>
with the AWS account ID that requires access.

Please note that these commands should be executed in the AWS CLI environment with appropriate permissions.

Conclusion

By ensuring that your EC2 AMIs are not publicly accessible, you can enhance the security of your AWS environment and avoid the possibility of unauthorized access or accidental exposure of sensitive information. Regularly review the AMIs in your account and adjust their permissions as needed to maintain a secure infrastructure.

Is your System Free of Underlying Vulnerabilities?
Find Out Now