
Metadata

Id: a19b2942-142e-4e2b-93b7-6cf6a6c8d90f

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Access Control

Description

AMIs must not be broadly shared. Granting multiple AWS accounts or group-based access increases the attack surface and can expose embedded credentials, custom configurations, or vulnerable images to unintended parties.

For Ansible tasks using the amazon.aws.ec2_ami or ec2_ami modules, launch_permissions should be restricted to at most one explicit AWS account and must not include group_names. This rule flags tasks where launch_permissions.group_names is present or where launch_permissions.user_ids contains more than one entry.

Secure example with a single allowed account:

- name: Register AMI with restricted launch permissions
  amazon.aws.ec2_ami:
    name: my-ami
    image_id: ami-0123456789abcdef0
    launch_permissions:
      user_ids:
        - "123456789012"
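The following is an added example, not Datadog's scanner, showing how the two conditions of this rule can be checked against parsed Ansible tasks. It assumes the tasks have already been loaded into Python dicts (the shape PyYAML produces for a task list); the sample tasks are constructed from the page's examples, and the AMI id in them is a placeholder.

```python
# Added example: a minimal checker that mirrors the rule's two conditions.
# Module names the rule covers (the page names both the FQCN and short form).
AMI_MODULES = {"amazon.aws.ec2_ami", "ec2_ami"}


def find_ami_sharing_findings(tasks):
    """Return (task name, reason) pairs for tasks that violate the rule.

    A task violates the rule when its launch_permissions block either
    names any group (group_names present) or lists more than one
    explicit account in user_ids.
    """
    findings = []
    for task in tasks:
        module = next((m for m in AMI_MODULES if m in task), None)
        if module is None:
            continue  # not an AMI task; the rule does not apply
        args = task.get(module) or {}
        if not isinstance(args, dict):
            continue  # free-form args are not valid for ec2_ami; skip
        perms = args.get("launch_permissions") or {}
        name = task.get("name", "<unnamed task>")
        if "group_names" in perms:
            findings.append((name, f"group_names present: {perms['group_names']}"))
        user_ids = perms.get("user_ids") or []
        if isinstance(user_ids, str):
            user_ids = [user_ids]  # a single id written as a scalar
        if len(user_ids) > 1:
            findings.append((name, f"{len(user_ids)} accounts in user_ids"))
    return findings


# Constructed sample tasks mirroring the page's compliant and non-compliant examples.
SAMPLE_TASKS = [
    {"name": "Allow AMI to be launched by another account V2",
     "amazon.aws.ec2_ami": {"image_id": "ami-PLACEHOLDER", "state": "present",
                            "launch_permissions": {"user_ids": ["123456789012"]}}},
    {"name": "Update AMI Launch Permissions, making it public",
     "amazon.aws.ec2_ami": {"image_id": "ami-PLACEHOLDER", "state": "present",
                            "launch_permissions": {"group_names": ["all"]}}},
    {"name": "Allow AMI to be launched by another account",
     "ec2_ami": {"image_id": "ami-PLACEHOLDER", "state": "present",
                 "launch_permissions": {"user_ids": ["123456789012", "121212"]}}},
    {"name": "Unrelated task", "debug": {"msg": "no AMI here"}},
]

if __name__ == "__main__":
    for task_name, reason in find_ami_sharing_findings(SAMPLE_TASKS):
        print(f"NON-COMPLIANT: {task_name}: {reason}")
```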

Compliant Code Examples

- name: Allow AMI to be launched by another account V2
  amazon.aws.ec2_ami:
    image_id: '{{ instance.image_id }}'
    state: present
    launch_permissions:
      user_ids: ['123456789012']

Non-Compliant Code Examples

- name: Update AMI Launch Permissions, making it public
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      # group_names is flagged by this rule; the 'all' group makes the AMI public
      group_names: ['all']

- name: Allow AMI to be launched by another account
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      # more than one account in user_ids is flagged by this rule
      user_ids: ['123456789012', '121212']