AMI Shared With Multiple Accounts

• Query id: a19b2942-142e-4e2b-93b7-6cf6a6c8d90f
• Query name: AMI Shared With Multiple Accounts
• Platform: Ansible
• Severity: Medium
• Category: Access Control
• CWE: 284
• URL: Github

Description

Limits access to AWS AMIs by checking if more than one account is using the same image
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: Update AMI Launch Permissions, making it public
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      group_names: ['all']
- name: Allow AMI to be launched by another account
  amazon.aws.ec2_ami:
    image_id: "{{ instance.image_id }}"
    state: present
    launch_permissions:
      user_ids: ['123456789012', '121212']

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Allow AMI to be launched by another account V2
  amazon.aws.ec2_ami:
    image_id: '{{ instance.image_id }}'
    state: present
    launch_permissions:
      user_ids: ['123456789012']