An Amazon Machine Image (AMI) is a template, supplied by Amazon, by a third party, or built by you, that contains the operating system and any other software needed to launch a virtual machine (an instance) in Amazon Elastic Compute Cloud (EC2). It is the basic unit of deployment for anything delivered on EC2.
On AWS you can create your own AMIs from your EC2 instances. These AMIs can be either public or private images. AWS provides the ability to share these AMIs with other AWS accounts by changing the permissions on the AMI. There is also a provision to make the AMI public for all AWS users.
Anyone with an AWS account can launch an instance from a public AMI and then read its entire filesystem at leisure. If the image contains sensitive material such as SSH private keys or authorized_keys entries, shell history, configuration files, or credentials for other resources, a malicious user gets all of it. Note also that making the image private later does not undo that exposure: instances already launched from it keep running, so any secret that was baked into a public image must be treated as compromised and rotated.
In this article, let’s take a look at how to make a public AWS AMI image private.
Sign in to the AWS Console and navigate to the EC2 dashboard.
In the left navigation panel, under the IMAGES section, choose AMIs.
Select the AMI that you want to make private.
Select the Permissions tab from the dashboard bottom panel and click the Edit AMI Permissions button to update the selected image launch permissions.
In the Modify Image Permissions dialog box, select Private.
Click on Save changes and the AMI permissions are successfully changed to Private.
To list your AMIs, run the following command. Restricting it to --owners self matters: without that filter, describe-images walks the entire public catalog for the region, which is why it is slow. The step can be skipped if you already know your AMI ID.
aws ec2 describe-images --region <region> --owners self
To read the AMI's attributes and check whether it is public or private, run the following command. The image is public if the output contains "Public": true.
aws ec2 describe-images --region <region> --image-ids <AMI ID>
To update the AMI's launch permissions and make it private, run the command below. It removes the "all" group from the launch permission, which is exactly what "public" means for an AMI.
aws ec2 modify-image-attribute --region <region> --image-id <AMI ID> --launch-permission "{\"Remove\":[{\"Group\":\"all\"}]}"
To verify that the AMI is now private, run the same describe-images command again. The output should now show "Public": false.
aws ec2 describe-images --region <region> --image-ids <AMI ID>
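The three CLI steps above (list, inspect, revoke, verify) are the kind of thing that ends up in a scheduled audit job. The script below is an added example and is not part of the original article; it wraps the same aws ec2 calls in functions, uses --query so the CLI does the filtering rather than a fragile grep over JSON, and goes one step further than the article: it also strips the public createVolumePermission from the EBS snapshots behind each AMI, since a snapshot shared with "all" leaks the same data as a public image. The script name ami_audit.sh, the region argument and the --fix flag are conventions chosen here, not AWS ones.

```shell
#!/usr/bin/env bash
# ami_audit.sh (added example): find every AMI this account owns in a region
# that is shared with group "all" (i.e. public), optionally make it private,
# strip public createVolumePermission from its backing snapshots, and verify.
# Usage: ./ami_audit.sh <region>          audit only, prints "PUBLIC <ami-id>"
#        ./ami_audit.sh <region> --fix    audit and remediate, prints "FIXED <ami-id>"
set -euo pipefail

# IDs of AMIs owned by this account whose Public attribute is true.
# --owners self stops describe-images from walking the whole public catalog.
list_public_amis() {
    local region=$1
    aws ec2 describe-images --region "$region" --owners self \
        --query 'Images[?Public==`true`].ImageId' --output text
}

# Prints True or False for one AMI (text output renders booleans that way).
ami_is_public() {
    local region=$1 ami=$2
    aws ec2 describe-images --region "$region" --image-ids "$ami" \
        --query 'Images[0].Public' --output text
}

# Snapshot IDs behind an EBS-backed AMI (instance-store mappings have none).
ami_snapshots() {
    local region=$1 ami=$2
    aws ec2 describe-images --region "$region" --image-ids "$ami" \
        --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId' --output text
}

# Remove the "all" group from the AMI's launch permission: this is the
# same call as in the article, with single quotes instead of escaped JSON.
make_ami_private() {
    local region=$1 ami=$2
    aws ec2 modify-image-attribute --region "$region" --image-id "$ami" \
        --launch-permission '{"Remove":[{"Group":"all"}]}'
}

# Remove public createVolumePermission from a snapshot. Harmless if the
# snapshot was never shared; necessary if it was, because anyone could
# otherwise create a volume from it and read the image data directly.
make_snapshot_private() {
    local region=$1 snap=$2
    aws ec2 modify-snapshot-attribute --region "$region" --snapshot-id "$snap" \
        --attribute createVolumePermission --operation-type remove --group-names all
}

# Fix one AMI and its snapshots; exit 0 only if verification says private.
remediate_ami() {
    local region=$1 ami=$2 snap
    make_ami_private "$region" "$ami"
    for snap in $(ami_snapshots "$region" "$ami"); do
        [ "$snap" = "None" ] && continue
        make_snapshot_private "$region" "$snap"
    done
    [ "$(ami_is_public "$region" "$ami")" = "False" ]
}

# Audit a region; with fix=1, remediate. One line of output per public AMI.
audit_region() {
    local region=$1 fix=${2:-0} ami
    for ami in $(list_public_amis "$region"); do
        [ "$ami" = "None" ] && continue
        if [ "$fix" = "1" ]; then
            if remediate_ami "$region" "$ami"; then
                echo "FIXED $ami"
            else
                echo "STILL PUBLIC $ami" >&2
                return 1
            fi
        else
            echo "PUBLIC $ami"
        fi
    done
}

if [ $# -ge 1 ]; then
    fix=0
    [ "${2:-}" = "--fix" ] && fix=1
    audit_region "$1" "$fix"
fi
```

Run it in audit mode first and review the list; a public AMI is sometimes intentional (a published appliance image), and the --fix run is not something to point at an account blindly. The verification at the end of remediate_ami is there because modify-image-attribute returns success even when the caller lacks the rights to read the result back; checking Public on a fresh describe-images call is the only way to be sure the change took.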
AWS lets you create AMIs from your own EC2 instances. This is useful whenever you need a custom base image to launch from, for example one with your software already baked in or one hardened to your own standard.
Such AMIs can be public or private. An image built from a running system may carry keys, credentials, shell history and configuration that were never meant to leave the account, so unless you deliberately intend to publish it for every AWS user, keep it private, check that the EBS snapshots behind it are not shared either, and rotate anything sensitive that was in an image during the time it was public.