Ensure EC2 AMIs are not publicly accessible

Error: EC2 AMIs are publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_8
Severity: HIGH

EC2 AMIs are publicly accessible

Description

When your AMIs are publicly accessible, they are listed under Community AMIs, where anyone with an AWS account can use them to launch EC2 instances. Your AMIs may contain snapshots of your applications, including their data, so exposing your snapshots in this manner is not advised.

We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.

Fix - Runtime Remediation

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. In the navigation pane, under the IMAGES section, choose AMIs.
  4. Select the AMI that you want to make private.
  5. Go to the Permissions tab from the dashboard bottom panel and click Edit to update the selected image launch permissions.
  6. In the Modify Image Permissions dialog box, select Private then click Save.

CLI Command

Use the modify-image-attribute command with the image ID as the identifier to update the AMI's launch permissions and make it private:

aws ec2 modify-image-attribute \
	--region us-east-1 \
	--image-id ami-3fad5252 \
	--launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
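The check and remediation above, as an added example that is not part of this policy page or Bridgecrew's own tooling: it parses describe-images and describe-image-attribute output (constructed sample JSON embedded below, shaped like the AWS CLI's responses), flags images that are public, and builds the modify-image-attribute command from this page. The removal payload only drops the "all" group, so explicit per-account shares survive; that is an assumption about intent worth confirming before running it.

```python
"""Find public AMIs in describe-images output and build the CLI call that
makes each one private again (removes the 'all' launch-permission group)."""
import json
import shlex

# Constructed sample, shaped like `aws ec2 describe-images --owners self` output.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-3fad5252", "Name": "app-server", "Public": True},
        {"ImageId": "ami-0123456789abcdef0", "Name": "internal-build", "Public": False},
    ]
})

# Constructed sample, shaped like
# `aws ec2 describe-image-attribute --attribute launchPermission` output.
SAMPLE_LAUNCH_PERMISSION = json.dumps({
    "ImageId": "ami-3fad5252",
    "LaunchPermissions": [{"Group": "all"}, {"UserId": "123456789012"}],
})


def find_public_amis(describe_images_json: str) -> list:
    """Return the IDs of images flagged Public in describe-images output."""
    data = json.loads(describe_images_json)
    return [img["ImageId"] for img in data.get("Images", []) if img.get("Public")]


def is_public_by_launch_permission(attribute_json: str) -> bool:
    """True when the launchPermission attribute contains the 'all' group,
    i.e. the image is listed under Community AMIs."""
    perms = json.loads(attribute_json).get("LaunchPermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def private_launch_permission_payload() -> str:
    """JSON for --launch-permission that removes only the public group;
    per-account shares (UserId entries) are left untouched."""
    return json.dumps({"Remove": [{"Group": "all"}]}, separators=(",", ":"))


def remediation_command(image_id: str, region: str) -> str:
    """Build the aws CLI command from the page, quoted for a POSIX shell."""
    return " ".join([
        "aws ec2 modify-image-attribute",
        f"--region {shlex.quote(region)}",
        f"--image-id {shlex.quote(image_id)}",
        f"--launch-permission {shlex.quote(private_launch_permission_payload())}",
    ])


if __name__ == "__main__":
    for ami in find_public_amis(SAMPLE_DESCRIBE_IMAGES):
        print(remediation_command(ami, "us-east-1"))
```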