Severity: HIGH | Service: EC2

Public AMIs

Check ID: aws-ec2-001

AWS-EC2-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for AMIs owned by your account whose launch permissions are shared with all AWS accounts (the "all" group), i.e. public AMIs.

Why it matters

Public AMIs expose your custom machine images to all 300+ million AWS accounts worldwide. These images often contain hardcoded credentials, SSH keys, internal configuration files, proprietary software, and database connection strings baked in during the build process. In 2021, researchers from Bishop Fox found that 30% of sampled public AMIs contained exploitable secrets including AWS access keys, database passwords, and private SSH keys. Anyone can launch an instance from your public AMI, mount the root volume, and read every file on it; files deleted during the build may still be recoverable from the underlying EBS snapshot. Always keep AMIs private and, when cross-account access is needed, share them explicitly with specific trusted account IDs.

Common causes

AMIs become public when engineers share them across accounts using the console and accidentally select "Public" instead of specifying account IDs. Automated AMI build pipelines using Packer or EC2 Image Builder may include a sharing step that, if misconfigured, publishes the image to all accounts. Some teams make AMIs public intentionally for community sharing but forget to build a separate, stripped-down version with no internal credentials.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
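As an added illustration of what this check does under the hood (example code written for this page, not cloud-audit's own implementation), the script below reproduces the aws-ec2-001 logic against constructed data shaped like the EC2 DescribeImages and DescribeImageAttribute responses, lists the accounts each flagged AMI is also explicitly shared with, and generates the matching remediation command. The image IDs, account IDs and region in the sample data are made up for the example; the `scan_region` and `make_private` functions show the same logic driven by boto3 and are the only parts that need AWS credentials.

```python
"""Added example (not cloud-audit's own code): reproduce the logic of
check aws-ec2-001 against constructed DescribeImages / DescribeImageAttribute
data, and generate the matching remediation command per finding.

Assumptions: the dict shapes below mirror the EC2 DescribeImages and
DescribeImageAttribute API responses; sample image IDs, account IDs and
the region are constructed for this example.
"""
from typing import Dict, Iterable, List

CHECK_ID = "aws-ec2-001"


def is_public(launch_permissions: Iterable[dict]) -> bool:
    """An AMI is public when any launch permission grants the 'all' group."""
    return any(p.get("Group") == "all" for p in launch_permissions)


def shared_accounts(launch_permissions: Iterable[dict]) -> List[str]:
    """Account IDs the AMI is explicitly shared with (UserId entries)."""
    return [p["UserId"] for p in launch_permissions if "UserId" in p]


def remediation_command(image_id: str, region: str) -> str:
    """Build the CLI command that removes the 'all' group from the AMI."""
    return (
        "aws ec2 modify-image-attribute --image-id " + image_id
        + " --launch-permission '{\"Remove\":[{\"Group\":\"all\"}]}'"
        + " --region " + region
    )


def find_public_amis(images: List[dict], permissions: Dict[str, List[dict]],
                     region: str) -> List[dict]:
    """Return one finding per AMI that is shared with all AWS accounts.

    The 'Public' flag from DescribeImages is the fast path; the
    launchPermission attribute is still inspected so the finding can list
    which specific accounts (if any) the image is also shared with.
    """
    findings = []
    for img in images:
        image_id = img["ImageId"]
        perms = permissions.get(image_id, [])
        if img.get("Public") or is_public(perms):
            findings.append({
                "check_id": CHECK_ID,
                "severity": "HIGH",
                "image_id": image_id,
                "name": img.get("Name", ""),
                "also_shared_with": shared_accounts(perms),
                "remediation": remediation_command(image_id, region),
            })
    return findings


# Constructed sample data shaped like the EC2 API responses.
SAMPLE_REGION = "us-east-1"
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa111example", "Name": "web-base-2024", "Public": True},
    {"ImageId": "ami-0bbb222example", "Name": "db-base-2024", "Public": False},
]
SAMPLE_PERMISSIONS = {
    "ami-0aaa111example": [{"Group": "all"}, {"UserId": "111122223333"}],
    "ami-0bbb222example": [{"UserId": "111122223333"}],
}


def scan_region(region: str) -> List[dict]:
    """Live version: same logic fed from the EC2 API (needs boto3 + credentials)."""
    import boto3  # imported here so the offline functions above need no SDK
    ec2 = boto3.client("ec2", region_name=region)
    images = ec2.describe_images(Owners=["self"])["Images"]
    permissions = {}
    for img in images:
        attr = ec2.describe_image_attribute(
            ImageId=img["ImageId"], Attribute="launchPermission")
        permissions[img["ImageId"]] = attr.get("LaunchPermissions", [])
    return find_public_amis(images, permissions, region)


def make_private(image_id: str, region: str) -> None:
    """Live remediation: remove the 'all' group, keeping explicit account shares."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.modify_image_attribute(
        ImageId=image_id,
        LaunchPermission={"Remove": [{"Group": "all"}]},
    )


if __name__ == "__main__":
    for f in find_public_amis(SAMPLE_IMAGES, SAMPLE_PERMISSIONS, SAMPLE_REGION):
        print(f["severity"], f["check_id"], f["image_id"], f["name"])
        print("  also shared with:", f["also_shared_with"])
        print("  remediation:", f["remediation"])
```

Removing the "all" group leaves any explicit account shares in place, so the finding's "also shared with" list is worth reviewing too. After remediating, confirm with `aws ec2 describe-image-attribute --image-id AMI_ID --attribute launchPermission` that the LaunchPermissions list no longer contains a Group "all" entry. Note that the EBS snapshot backing an AMI carries its own createVolumePermission attribute, which this check does not inspect; a snapshot shared publicly exposes the same data even after the AMI itself is private.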

Remediation: AWS CLI

aws ec2 modify-image-attribute --image-id AMI_ID --launch-permission '{"Remove":[{"Group":"all"}]}' --region REGION

Remediation: Terraform

resource "aws_ami_launch_permission" "restrict" {
  image_id   = "ami-xxx"
  account_id = "TRUSTED_ACCOUNT_ID"
}

This resource grants an explicit launch permission to one trusted account; it does not by itself remove an existing public ("all" group) permission on the image. Remove the public share with the CLI command above (or manage that permission in Terraform state before destroying it), then use this resource for each account that genuinely needs access.

This check is part of cloud-audit; install it with: pip install cloud-audit