Protecting data at rest is one of the core security needs and a compliance requirement under several industry regulations. The following are some of the applicable regulatory controls.
Public Sharing of AMI
Unintended public sharing of an AMI may result in data loss. A public AMI can be launched, and its contents read, by any AWS account, so anything baked into the image (credentials, private keys, configuration, application data, proprietary code) is exposed. It is strongly recommended to audit all images periodically, in every region the account uses, and ensure that no image is publicly shared.
How to find publicly shared AMIs
- Log in to the AWS console, navigate to the EC2 service and click “AMIs” under the Images section (#1 in screen below)
- Set the filter to “Owned by me” (#2 in screen below)
- Select the AMI whose permissions you want to check (#3 in screen below)
- Select the “Permissions” tab in the panel below (#4 in screen below)
- Check that the image is marked “Private” (#5 in screen below); an image marked “Public” can be launched by any AWS account
The following steps remediate the gap:
- Follow steps 1 to 4 of the verification above to open the “Permissions” tab.
- Click the “Edit” button in the tab (#1 in screen below)
- In the “Modify Image Permissions” popup, ensure “Private” is selected.
- Hit “Save”
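The console walk-through above does not scale to many images or regions. As an added example (not part of the original guide), the script below performs the same check and fix through the EC2 API: it filters images to the account's own (the equivalent of “Owned by me”), flags those whose Public attribute is set (the equivalent of the “Permissions” tab showing “Public”), and builds the modify_image_attribute call that removes the “all” group launch permission (the equivalent of selecting “Private” and saving). The DescribeImages response and image IDs are constructed sample data; audit_account() is the live path and assumes boto3 is installed and credentials for the audited account are available.

```python
"""Audit an AWS account for publicly shared AMIs and build the remediation call.

Added example, not part of the original guide. The audit logic runs offline on a
constructed DescribeImages response; audit_account() needs boto3 and credentials.
"""
from typing import Any, Dict, List

# Constructed sample: the shape returned by ec2.describe_images(Owners=["self"]),
# trimmed to the fields the audit uses. Image IDs and account ID are made up.
SAMPLE_DESCRIBE_IMAGES: Dict[str, Any] = {
    "Images": [
        {"ImageId": "ami-0a1b2c3d4e5f60001", "Name": "web-base-2024-01",
         "Public": False, "OwnerId": "111122223333"},
        {"ImageId": "ami-0a1b2c3d4e5f60002", "Name": "golden-image-prod",
         "Public": True, "OwnerId": "111122223333"},
        {"ImageId": "ami-0a1b2c3d4e5f60003", "Name": "db-restore-test",
         "Public": True, "OwnerId": "111122223333"},
    ]
}


def find_public_images(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return ImageId and Name for every AMI whose Public flag is set.

    This is the API view of the console check: the Public attribute is True
    exactly when the Permissions tab would show "Public" instead of "Private".
    """
    public: List[Dict[str, str]] = []
    for image in response.get("Images", []):
        if image.get("Public", False):
            public.append({"ImageId": image["ImageId"], "Name": image.get("Name", "")})
    return public


def make_private_request(image_id: str) -> Dict[str, Any]:
    """Keyword arguments for ec2.modify_image_attribute that make an AMI private.

    Removing the 'all' group from the launch permission is what the console does
    when "Private" is selected in "Modify Image Permissions".
    """
    return {
        "ImageId": image_id,
        "LaunchPermission": {"Remove": [{"Group": "all"}]},
    }


def audit_account(region_name: str, fix: bool = False) -> List[Dict[str, str]]:
    """Live audit of one region; AMIs are regional, so call this per region.

    With fix=True every public AMI owned by the account is made private.
    """
    import boto3  # imported here so the offline functions work without boto3

    ec2 = boto3.client("ec2", region_name=region_name)
    images: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {"Owners": ["self"]}  # same scope as "Owned by me"
    while True:
        page = ec2.describe_images(**kwargs)
        images.extend(page["Images"])
        token = page.get("NextToken")
        if not token:
            break
        kwargs["NextToken"] = token

    public = find_public_images({"Images": images})
    if fix:
        for entry in public:
            ec2.modify_image_attribute(**make_private_request(entry["ImageId"]))
    return public


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    for entry in find_public_images(SAMPLE_DESCRIBE_IMAGES):
        print(f"PUBLIC {entry['ImageId']} ({entry['Name']}) -> "
              f"modify_image_attribute({make_private_request(entry['ImageId'])})")
```

Run it as-is to see the two constructed public images flagged, or call audit_account("us-east-1", fix=True) with credentials to audit and remediate a real region. Making an image private only affects that AMI; the scan must be repeated for every region the account uses, and it only removes the public (“all”) group, so explicit sharing with specific account IDs is left in place and should be reviewed separately.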