EC2 AMIs are publicly accessible
Description
When an AMI is publicly accessible, it is listed under Community AMIs and any AWS account can launch EC2 instances from it. An AMI is built from snapshots of your instance's volumes, which can include application code, configuration, credentials and data, so exposing it in this way is not advised.
We recommend that your EC2 AMIs are not publicly accessible and do not appear in the Community AMIs. Note that AMI launch permissions are separate from the sharing permissions of the EBS snapshots behind the image; a private AMI does not by itself make its snapshots private.
Fix - Runtime Remediation
AWS Console
To change the AMI's launch permissions using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon EC2 console.
- In the navigation pane, under Images, choose AMIs.
- Select the AMI that you want to make private.
- Open the Permissions tab in the lower panel and click Edit to update the selected image's launch permissions.
- In the Modify Image Permissions dialog box, select Private, then click Save.
CLI Command
Use the modify-image-attribute command with the image ID as the identifier to remove the public launch permission and make the AMI private. AMIs are regional, so run the command in the region where the AMI lives:
aws ec2 modify-image-attribute \
  --region us-east-1 \
  --image-id ami-3fad5252 \
  --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
To confirm the change, describe the image and check that its Public attribute is now false. To prevent AMIs in the account from being made public again, you can also enable block public access for AMIs at the account level with aws ec2 enable-image-block-public-access --image-block-public-access-state block-new-sharing.
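The CLI command above fixes one known AMI. The script below is an added example, not part of the original page or of any AWS tooling; it audits every region you name, lists the AMIs owned by the account that are publicly launchable, removes the "all" launch permission when REMEDIATE=1 is set, and re-reads the image to confirm it is private. It assumes AWS CLI v2 is installed and configured with credentials allowed to call ec2:DescribeImages and ec2:ModifyImageAttribute; the region names and the REMEDIATE variable are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original page): find and fix public AMIs.
# Assumes: AWS CLI v2 on PATH, credentials with ec2:DescribeImages and
# ec2:ModifyImageAttribute. Usage:  REMEDIATE=1 sh ami_audit.sh us-east-1 eu-west-1
set -eu

# $1 = region. Prints one public AMI ID owned by this account per line.
list_public_amis() {
  aws ec2 describe-images \
    --region "$1" \
    --owners self \
    --filters Name=is-public,Values=true \
    --query 'Images[].ImageId' \
    --output text | tr '\t' '\n' | grep -v '^None$' || true
}

# $1 = region, $2 = AMI ID. Removes the launch permission for group "all",
# which is exactly what the console's "Private" setting does.
make_ami_private() {
  aws ec2 modify-image-attribute \
    --region "$1" \
    --image-id "$2" \
    --launch-permission '{"Remove":[{"Group":"all"}]}'
}

# $1 = region, $2 = AMI ID. Re-reads the image and prints "public" or "private".
ami_visibility() {
  if aws ec2 describe-images --region "$1" --image-ids "$2" \
       --query 'Images[0].Public' --output text | grep -qx True; then
    echo public
  else
    echo private
  fi
}

# Audits every region given as an argument; remediates when REMEDIATE=1.
# Last line printed is the total count of public AMIs found.
audit_regions() {
  found=0
  for region in "$@"; do
    for ami in $(list_public_amis "$region"); do
      found=$((found + 1))
      echo "$region $ami is public"
      if [ "${REMEDIATE:-0}" = "1" ]; then
        make_ami_private "$region" "$ami"
        echo "$region $ami now $(ami_visibility "$region" "$ami")"
      fi
    done
  done
  echo "$found public AMI(s) found"
}

# Only runs when regions are passed, so the file can also be sourced.
if [ $# -gt 0 ]; then audit_regions "$@"; fi
```

Run it first without REMEDIATE to get an inventory, then with REMEDIATE=1 to fix what it found; the "now private" line after each fix is the verification step that the launch permission was actually removed. Remember that the EBS snapshots behind each AMI carry their own sharing permissions and need a separate check.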