Amazon Machine Image (AMI) should only be available to trusted accounts

Description

Identify publicly accessible Amazon Machine Images (AMIs).

Rationale

When an AMI is shared publicly, anyone outside your organization can see it in the list of public AMIs and create an EC2 instance from it, accessing all the files it contains.

AMIs typically contain source code, configuration files and credentials and should not be shared publicly. AMIs should only be shared with specific AWS accounts or your AWS Organization.

Remediation

From the console

Follow the instructions outlined in the AWS documentation.

From the command line

Use the following command to stop sharing the AMI:

aws ec2 modify-image-attribute \
--image-id ami-xxxx \
--launch-permission "Remove=[{Group=all}]"
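The check described in the Description and the remediation above, put together as a small shell script. This is an added example, not part of the original rule page: it assumes the AWS CLI is installed and credentials are configured for the functions that call `aws`, and the two JSON samples are constructed to look like `aws ec2 describe-image-attribute --attribute launchPermission` output so the detection logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the AWS CLI is installed and
# credentials are configured for list_public_amis / make_private. The JSON samples
# at the bottom are constructed, not captured from a real account.

# Return 0 (true) if a launchPermission attribute document shows the AMI is shared
# with the "all" group, which is what makes an AMI public.
# $1: JSON as printed by `aws ec2 describe-image-attribute --attribute launchPermission`
ami_is_public() {
  printf '%s' "$1" | grep -Eq '"Group"[[:space:]]*:[[:space:]]*"all"'
}

# List the IDs of AMIs owned by this account that AWS reports as Public.
# The JMESPath query filters on the Public field of describe-images output.
list_public_amis() {
  aws ec2 describe-images --owners self \
    --query 'Images[?Public==`true`].ImageId' --output text
}

# Remove the public launch permission from one AMI (the command from the page).
# $1: image ID, e.g. ami-0123456789abcdef0
make_private() {
  aws ec2 modify-image-attribute \
    --image-id "$1" \
    --launch-permission "Remove=[{Group=all}]"
}

# Walk every public AMI in the account and make it private.
# Kept in a function so nothing touches AWS unless explicitly called.
remediate_all() {
  for ami in $(list_public_amis); do
    echo "Removing public launch permission from $ami"
    make_private "$ami"
  done
}

# Constructed sample attribute documents: one shared with "all", one shared
# only with a specific (made-up) account ID.
SAMPLE_PUBLIC='{ "ImageId": "ami-0123456789abcdef0", "LaunchPermissions": [ { "Group": "all" } ] }'
SAMPLE_PRIVATE='{ "ImageId": "ami-0123456789abcdef0", "LaunchPermissions": [ { "UserId": "111122223333" } ] }'

# Offline demonstration of the detection logic only.
if ami_is_public "$SAMPLE_PUBLIC"; then
  echo "sample 1: public (Group=all present)"
fi
if ! ami_is_public "$SAMPLE_PRIVATE"; then
  echo "sample 2: not public (shared with a specific account only)"
fi
```

To act on a real account, source the script and run `remediate_all` (or `list_public_amis` first to review what would be changed). Sharing with specific accounts, as the Rationale recommends, leaves `UserId` entries in place; only the `all` group entry is removed.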