AMI Shared With Multiple Accounts

  • Query id: a19b2942-142e-4e2b-93b7-6cf6a6c8d90f
  • Query name: AMI Shared With Multiple Accounts
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Limits access to AWS AMIs by checking whether an image's launch permissions share it with more than one account.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Update AMI Launch Permissions, making it public
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      group_names: ['all']
- name: Allow AMI to be launched by another account
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      user_ids: ['123456789012', '121212']

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Allow AMI to be launched by another account V2
  amazon.aws.ec2_ami:
    image_id: '{{ instance.image_id }}'
    state: present
    launch_permissions:
      user_ids: ['123456789012']
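Added example, not part of the KICS query or its documentation: the same rule re-implemented over already-parsed Ansible tasks, run against the page's two samples transcribed as Python literals. Parsing a playbook with PyYAML (`yaml.safe_load`) and the short module alias `ec2_ami` are assumptions.

```python
"""Minimal re-implementation of the 'AMI Shared With Multiple Accounts' rule.
Added example; assumes tasks have been parsed (e.g. with yaml.safe_load)."""

# Module names an ec2_ami task may use (the short alias is an assumption).
MODULE_NAMES = ("amazon.aws.ec2_ami", "ec2_ami")


def _as_list(value):
    """launch_permissions fields are lists, but tolerate a bare scalar."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def ami_findings(tasks):
    """Return (task name, reason) for every ec2_ami task whose launch
    permissions expose the image beyond a single account."""
    findings = []
    for task in tasks:
        module = next((m for m in MODULE_NAMES if m in task), None)
        if module is None:
            continue  # not an AMI task
        name = task.get("name", "<unnamed>")
        perms = (task[module] or {}).get("launch_permissions") or {}
        # group_names: ['all'] makes the AMI public, shared with every account.
        if "all" in _as_list(perms.get("group_names")):
            findings.append((name, "group_names contains 'all' (public AMI)"))
        # More than one explicit account id is also a finding; exactly one is
        # accepted by this query (see the negative sample above).
        user_ids = _as_list(perms.get("user_ids"))
        if len(user_ids) > 1:
            findings.append((name, f"shared with {len(user_ids)} accounts"))
    return findings


# Constructed from the page's positive sample: both tasks should be flagged.
POSITIVE_TASKS = [
    {"name": "Update AMI Launch Permissions, making it public",
     "amazon.aws.ec2_ami": {"image_id": "ami-placeholder", "state": "present",
                            "launch_permissions": {"group_names": ["all"]}}},
    {"name": "Allow AMI to be launched by another account",
     "amazon.aws.ec2_ami": {"image_id": "ami-placeholder", "state": "present",
                            "launch_permissions": {"user_ids": ["123456789012", "121212"]}}},
]
# Constructed from the page's negative sample: a single account is allowed.
NEGATIVE_TASKS = [
    {"name": "Allow AMI to be launched by another account V2",
     "amazon.aws.ec2_ami": {"image_id": "ami-placeholder", "state": "present",
                            "launch_permissions": {"user_ids": ["123456789012"]}}},
]
```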