Securing AWS Cloud – Keeping AMI Private

By: Aseem Rastogi | 2 Aug 2018

Public Sharing of AMI

Protection of data at rest is one of the core security needs and a compliance requirement under several industry regulations. Some of the applicable regulatory controls are:

  • ISO 27001 – A.18.1.3 – Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
  • HIPAA 164.312(e)(1) – Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  • PCI DSS Requirement 3 – Protect stored cardholder data. This requirement prescribes for security policies and operational procedures for protecting stored cardholder data.

Unintended public sharing of an AMI may result in data loss: any AWS user can copy a public image into their own account and gain access to the data it contains. It is strongly recommended to audit all images periodically and ensure that no image is publicly shared.

How to find publicly shared AMIs

  1. Log in to the AWS console, navigate to the EC2 service and click on AMIs (#1 in screen below) under the Images section
  2. Set the filter to “Owned by me” (#2 in screen below)
  3. Select the AMI whose permissions you want to check (#3 in screen below)
  4. Select the “Permissions” tab in the panel below (#4 in screen below)
  5. Check whether the image is marked “Private” (#5 in screen below)

[Screenshot: AMI Permission]

Remediation

The following steps can be performed to remediate the security gap:

  1. Follow steps 1 to 4 of the verification procedure above and open the Permissions tab.
  2. Click the “Edit” button in the tab (#1 in screen below)
[Screenshot: AMI Permission Edit]
  3. In the “Modify Image Permission” popup, ensure “Private” is selected.
  4. Hit “Save”
[Screenshot: Private AMI Permission]

To keep the AWS environment secure and in compliance with the regulations above, these steps need to be repeated whenever there is a change in the AWS infrastructure. Ask us how we can help in keeping a constant watch, or request a free trial.
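As an added example (not part of the original post), the same audit and remediation as a repeatable script: it lists AMIs owned by the account that carry the public launch permission and, with `--fix`, removes it, which is what choosing “Private” in the console does. It assumes `boto3` and AWS credentials are available when run against a real account; the helpers take any client object so they can also be exercised offline.

```python
"""Audit an account for publicly shared AMIs and optionally make them private.

An image owned by this account whose launch permissions include the "all"
group is public; --fix removes that group (the console's "Private" choice).
"""
import sys


def public_image_ids(images):
    """Return IDs of DescribeImages records flagged Public (shared with everyone)."""
    return [img["ImageId"] for img in images if img.get("Public")]


def find_public_images(ec2):
    """List AMIs owned by this account that any AWS account may launch or copy."""
    # ec2 is any object with a boto3-style describe_images; the is-public filter is server-side.
    resp = ec2.describe_images(
        Owners=["self"],
        Filters=[{"Name": "is-public", "Values": ["true"]}],
    )
    return public_image_ids(resp.get("Images", []))


def make_private(ec2, image_id):
    """Drop the 'all' launch permission so only this account can use the AMI."""
    ec2.modify_image_attribute(
        ImageId=image_id,
        LaunchPermission={"Remove": [{"Group": "all"}]},
    )
    return image_id


def audit(ec2, fix=False):
    """Return the public image IDs found, remediating each one when fix is True."""
    found = find_public_images(ec2)
    if fix:
        for image_id in found:
            make_private(ec2, image_id)
    return found


if __name__ == "__main__":
    import boto3  # assumption: boto3 and AWS credentials are available here
    fix = "--fix" in sys.argv
    ids = audit(boto3.client("ec2"), fix=fix)
    for image_id in ids:
        print(f"{image_id}: {'made private' if fix else 'PUBLIC'}")
    sys.exit(1 if ids and not fix else 0)  # non-zero while a public AMI remains
```

Run without arguments from a scheduled job to get a non-zero exit code whenever a public AMI appears; add `--fix` to remediate automatically.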