AMI is not publicly shared

ec2
Description

Identify publicly accessible Amazon Machine Images (AMIs).

Rationale

When an AMI is shared publicly, anyone outside your organization can see it in the list of public AMIs and create an EC2 instance from it, accessing all the files it contains.

AMIs typically contain source code, configuration files and credentials and should not be shared publicly.

Remediation

Stop sharing the AMI publicly. AMIs should be shared only with specific AWS accounts or your AWS Organization.

From the console

Follow the instructions outlined in the AWS documentation. Untick the public sharing option.

From the command line

Use the following command to stop sharing the AMI:

aws ec2 modify-image-attribute \
    --image-id ami-xxxx \
    --launch-permission "Remove=[{Group=all}]"
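Added example, not part of this rule page or of any Datadog or AWS tooling: a small script that applies the Description and Remediation sections above to the JSON that `aws ec2 describe-images --owners self --output json` prints. It flags every image whose `Public` field is true (that is the field `describe-images` uses to report a launch permission granted to the `all` group) and emits the `modify-image-attribute` command from the Remediation section for each one. The AMI ids, names and owner account in the embedded sample are constructed so the script runs offline; in practice you would pass the real CLI output to `report()`.

```python
"""Flag publicly shared AMIs in `aws ec2 describe-images` output and
print the command that stops sharing each one.

Added example (not the rule page's or AWS's own code). Feed it the JSON
from `aws ec2 describe-images --owners self --output json`; the sample
below is constructed so the script runs offline.
"""
import json
import shlex

# Constructed sample of describe-images output; ids and account are fake.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-0000000000example1", "Name": "build-agent-2024-01",
         "OwnerId": "111122223333", "Public": True},
        {"ImageId": "ami-0000000000example2", "Name": "internal-base",
         "OwnerId": "111122223333", "Public": False},
        {"ImageId": "ami-0000000000example3", "Name": "app-with-secrets",
         "OwnerId": "111122223333", "Public": True},
    ]
})


def find_public_amis(describe_images_json: str) -> list[str]:
    """Return the ids of images whose launch permission includes the
    'all' group; describe-images reports this as the boolean `Public`.
    """
    data = json.loads(describe_images_json)
    return sorted(
        img["ImageId"]
        for img in data.get("Images", [])
        if img.get("Public") is True
    )


def remediation_command(image_id: str) -> str:
    """Build the modify-image-attribute call from the Remediation section
    for one AMI id, quoting the id so it is safe to paste into a shell."""
    if not image_id.startswith("ami-"):
        raise ValueError(f"not an AMI id: {image_id!r}")
    return (
        f"aws ec2 modify-image-attribute --image-id {shlex.quote(image_id)} "
        "--launch-permission 'Remove=[{Group=all}]'"
    )


def report(describe_images_json: str) -> list[tuple[str, str]]:
    """Pair every public AMI with the command that stops sharing it."""
    return [
        (ami, remediation_command(ami))
        for ami in find_public_amis(describe_images_json)
    ]


if __name__ == "__main__":
    for ami, cmd in report(SAMPLE_DESCRIBE_IMAGES):
        print(f"{ami} is public -> {cmd}")
```

The script only reads `describe-images` output and prints commands; it does not call `modify-image-attribute` itself, so the list can be reviewed (and any image that is meant to be public, such as a published product image, excluded) before the commands are run.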