Amazon Machine Image (AMI) should not be shared with external accounts or organizations
Description
This rule evaluates whether Amazon Machine Images (AMIs) are shared with external AWS accounts or organizations that are not onboarded to Datadog. AMIs contain complete system images including operating systems, applications, and potentially sensitive data. Sharing AMIs with unauthorized external accounts or organizations can lead to data exposure and security risks.
The data contained in the launch_permissions field is enumerated and the following types of principals are assessed:
user_id - designates an AWS accountorganization_arn - designates an organization from AWS Organizationsorganizational_unit_arn - designates an organizational unit (OU) from AWS Organizations
The control fails if any AWS account, organization, or OU present in launch_permissions is not onboarded to Datadog.
Note: If the AMI is shared with a trusted third-party AWS account or organization that you cannot onboard to Datadog, mute the finding and leave a comment documenting the justification.
To remove external account or organization sharing permissions from Amazon Machine Images, follow the steps outlined in the Sharing an AMI section of the Amazon EC2 User Guide. For guidance regarding onboarding AWS accounts to Datadog, follow the Datadog AWS integration documentation to onboard the account. Ensure that resource collection and Cloud Security are correctly configured.
