EC2 setting 'Allowed AMIs' should be enabled and enforced by declarative policy

ec2

Description

Enabling the EC2 setting ‘Allowed AMIs’ ensures that only approved and trusted Amazon Machine Images are used to launch instances within your environment. By restricting the available AMIs, you can prevent the use of unvetted or potentially compromised images that could introduce security vulnerabilities or malware. Note: Previously launched instances are unaffected by this setting. The state of the setting must be enabled for this rule to pass.

Enforcing this EC2 setting using AWS Organizations declarative policies provides an additional layer of protection, as the setting must be configured centrally from the organization management account or a delegated administator account.

Remediation

For guidance on enabling this EC2 setting, refer to the Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs section of the Amazon Elastic Compute Cloud User Guide. For guidance on managing declarative policies, refer to the Declarative policies section of the AWS Organizations User Guide.