---
title: AWS AMI Made Public
---

# AWS AMI Made Public
Classification: attack | Tactic: [TA0009-collection](https://attack.mitre.org/tactics/TA0009) | Technique: [T1530-data-from-cloud-storage](https://attack.mitre.org/techniques/T1530)
## Goal{% #goal %}

Detect when an AMI is made public.

## Strategy{% #strategy %}

This rule lets you monitor the following CloudTrail API call to detect when an AMI is made public.

- [ModifyImageAttribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples)

This rule inspects the `@requestParameters.launchPermission.add.items.group` array to determine whether it contains the string `all`. That value is the indicator that the image has been made public (a launch permission granted to the `all` group rather than to a specific account ID).
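As an added example (not part of the Datadog rule or its implementation), the following Python check applies the same logic to a few constructed CloudTrail records: it fires only when a `ModifyImageAttribute` call adds the `all` launch-permission group, and stays quiet for an account-scoped share and for the `remove` call that reverts the change. The record layout, AMI IDs, account IDs and ARNs below are constructed sample data.

```python
# Constructed sample CloudTrail records (not real logs). Only the fields the rule
# references are included: eventName, userIdentity.arn, requestParameters.imageId
# and requestParameters.launchPermission.{add,remove}.items[].
SAMPLE_EVENTS = [
    {   # "all" group added to launch permissions -> the image is now public, alert
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "attributeType": "launchPermission",
            "launchPermission": {"add": {"items": [{"group": "all"}]}},
        },
    },
    {   # shared with one account ID -> not public, no alert
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "imageId": "ami-0fedcba9876543210",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}},
        },
    },
    {   # "all" removed -> this is the remediation step from the triage list, no alert
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "launchPermission": {"remove": {"items": [{"group": "all"}]}},
        },
    },
]


def ami_made_public(event: dict) -> bool:
    """True when a ModifyImageAttribute call adds the 'all' launch-permission group."""
    if event.get("eventName") != "ModifyImageAttribute":
        return False
    params = event.get("requestParameters") or {}
    add = (params.get("launchPermission") or {}).get("add") or {}
    items = add.get("items") or []
    # items mixes {"group": ...} and {"userId": ...} entries; only group == "all" is public
    return any(i.get("group") == "all" for i in items if isinstance(i, dict))


def find_public_amis(events: list) -> list:
    """Return (imageId, actor ARN) pairs for every event that made an AMI public."""
    return [
        (e["requestParameters"].get("imageId"), (e.get("userIdentity") or {}).get("arn"))
        for e in events
        if ami_made_public(e)
    ]


if __name__ == "__main__":
    for image_id, arn in find_public_amis(SAMPLE_EVENTS):
        print(f"ALERT: {image_id} made public by {arn}")
```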

## Triage and response{% #triage-and-response %}

1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.
1. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.
1. Contact the user to see if they intended to make the image public.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.
   - Revert AMI permissions to the original state.
   - Begin your company's IR process and investigate.

## Changelog{% #changelog %}

11 November 2022 - Add steps to Triage and response section.
