Ensure Amazon Machine Image (AMI) is not shared among multiple accounts

MEDIUM

Description

Amazon recommends caution when using shared AMIs, as AWS cannot vouch for the integrity of the data provided by other account holders. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html

Remediation

Sharing an AMI allows other AWS accounts to access the AMI without any restrictions. Sharing is only allowed if the AMI is not encrypted. The launch permissions can be updated in the console, the CLI, or Terraform.

In AWS Console -

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose AMIs.
  3. Select your AMI in the list, and then choose Actions, Modify Image Permissions.
  4. Check if the AMI is linked with multiple AWS accounts.

In Terraform -

  1. For each aws_ami_launch_permission resource, remove any additional account_id fields for specific images. This will disable access outside of the main account.
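An added example (not part of the original policy page) that automates the check in console step 4: it evaluates the `launchPermission` attribute of each AMI and flags images shared with other accounts, with an organization or OU, or made public. The sample responses, image IDs and account IDs below are constructed for illustration; `scan_account` is a hypothetical helper that performs the same evaluation against a live account via boto3.

```python
"""Flag AMIs whose launch permissions grant access beyond the owning account."""

# Constructed samples of the response shape returned by
# `ec2 describe-image-attribute --attribute launchPermission` (IDs are made up).
SAMPLE_ATTRIBUTES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "LaunchPermissions": []},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2",
     "LaunchPermissions": [{"UserId": "222222222222"}, {"UserId": "333333333333"}]},
    {"ImageId": "ami-0ccccccccccccccc3", "LaunchPermissions": [{"Group": "all"}]},
]


def classify_sharing(attr: dict, owner_account: str) -> dict:
    """Summarise who can launch the image besides its owning account."""
    perms = attr.get("LaunchPermissions", [])
    # {"Group": "all"} means the AMI is public.
    public = any(p.get("Group") == "all" for p in perms)
    # Explicit account grants; the owner itself is not a finding.
    shared_with = sorted({p["UserId"] for p in perms
                          if "UserId" in p and p["UserId"] != owner_account})
    # Organization / OU grants show up as ARN entries.
    org_shared = any("OrganizationArn" in p or "OrganizationalUnitArn" in p
                     for p in perms)
    return {
        "image_id": attr["ImageId"],
        "public": public,
        "shared_with": shared_with,
        "org_shared": org_shared,
        "finding": public or bool(shared_with) or org_shared,
    }


def find_shared_amis(attrs: list, owner_account: str) -> list:
    """Return the findings for every AMI that is shared outside the owner."""
    return [r for r in (classify_sharing(a, owner_account) for a in attrs)
            if r["finding"]]


def scan_account(region: str, owner_account: str) -> list:
    """Hypothetical live scan: needs boto3 and AWS credentials, not run here."""
    import boto3  # imported lazily so the offline checks above need no SDK
    ec2 = boto3.client("ec2", region_name=region)
    attrs = [ec2.describe_image_attribute(ImageId=img["ImageId"],
                                          Attribute="launchPermission")
             for img in ec2.describe_images(Owners=["self"])["Images"]]
    return find_shared_amis(attrs, owner_account)


if __name__ == "__main__":
    for finding in find_shared_amis(SAMPLE_ATTRIBUTES, "111111111111"):
        print(finding)
```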

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission

Policy Details

Rule Reference ID: AC_AWS_0006
CSP: AWS
Remediation Available: No
Resource Category: Compute

Frameworks