How to update AWS AMI permission from Public to Private

A cloud administrator can create an instance with all tools and software installed and then make an image out of this to be reused in the future. This image could contain proprietary data and code etc. that could be abused by an attacker if they gain access to the AMI.

Introduction

Amazon Machine Image (AMI) is an image provided by Amazon typically containing the operating system and other software which is required to launch a virtual machine within the Amazon Elastic Compute Cloud (EC2). It serves as the basic unit of deployment for services delivered using EC2.

On AWS you can create your own AMIs from your EC2 instances. These AMIs can be either public or private images. AWS provides the ability to share these AMIs with other AWS accounts by changing the permissions on the AMI. There is also a provision to make the AMI public for all AWS users.

Public AMIs can be used by malicious AWS users to create their own instances. If these AMIs contain any sensitive information like SSH keys, configuration files, credentials to other resources etc., these would then become available to the malicious users.

In this article, let’s take a look at how to make a public AWS AMI private.

Making a Public AWS AMI Private

Steps to change the AMI visibility permissions for an image using the AWS Console:

  1. Sign in to the AWS Console and navigate to the EC2 dashboard.

  1. In the left navigation panel, under the IMAGES section, choose AMIs.

  1. Select the AMI that you want to make private.

  1. Select the Permissions tab from the dashboard bottom panel and click the Edit AMI Permissions button to update the selected image launch permissions.

  1. In the Modify Image Permissions dialog box, select Private.

  1. Click on Save changes and the AMI permissions are successfully changed to Private.

Steps to change permissions for an AMI using CLI:

  1. To list the AMIs, run the following command. This command takes some time to show the output and can be skipped if you already know your AMI ID.

aws ec2 describe-images --region <region>

  1. To get the AMI's configuration metadata and check whether it is public or private, run the following command. The image is public if the output contains "Public": true.

aws ec2 describe-images --region <region> --image-ids <ami-id>

  1. To update the AMI launch permissions and make it private, run the command below. It removes the launch permission granted to the "all" group, which is what makes an AMI public.

aws ec2 modify-image-attribute --region <region> --image-id <ami-id> --launch-permission '{"Remove":[{"Group":"all"}]}'

  1. To verify that the AMI has changed to private, run the following command. The value in the AMI's configuration metadata will now be "Public": false.

aws ec2 describe-images --region <region> --image-ids <ami-id>
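
The same check-and-fix loop, scripted so it can be run across every AMI an account owns rather than one image at a time. This is an added example, not code from the article or from Kloudle; it assumes a boto3 EC2 client (boto3.client("ec2", region_name=...)) is passed in, and the FakeEC2Client below is a constructed offline stand-in with the two calls the functions use.

```python
# Added example: find self-owned AMIs whose "Public" flag is true, remove the
# launch permission for group "all" (the same call as the CLI step above),
# and re-check. Pass a real boto3 EC2 client in production; FakeEC2Client is
# a constructed stand-in so the script runs offline.

def find_public_amis(ec2):
    """Return the IDs of images owned by this account that are public."""
    resp = ec2.describe_images(Owners=["self"])
    return sorted(img["ImageId"] for img in resp["Images"] if img.get("Public"))


def make_ami_private(ec2, image_id):
    """Remove the 'all' group launch permission, which is what makes an AMI public."""
    ec2.modify_image_attribute(
        ImageId=image_id,
        LaunchPermission={"Remove": [{"Group": "all"}]},
    )


def remediate_public_amis(ec2):
    """Make every public self-owned AMI private; return the IDs still public afterwards."""
    for image_id in find_public_amis(ec2):
        make_ami_private(ec2, image_id)
    return find_public_amis(ec2)


class FakeEC2Client:
    """Constructed stand-in for boto3's EC2 client: two sample images, one public."""

    def __init__(self):
        self.images = {
            "ami-0exampleaaaaaaaaaa": {"ImageId": "ami-0exampleaaaaaaaaaa", "Public": True},
            "ami-0examplebbbbbbbbbb": {"ImageId": "ami-0examplebbbbbbbbbb", "Public": False},
        }

    def describe_images(self, Owners=None, ImageIds=None):
        images = self.images.values()
        if ImageIds:
            images = [img for img in images if img["ImageId"] in ImageIds]
        return {"Images": list(images)}

    def modify_image_attribute(self, ImageId, LaunchPermission):
        # Removing the "all" group is the only change that flips Public to false here.
        for entry in LaunchPermission.get("Remove", []):
            if entry.get("Group") == "all":
                self.images[ImageId]["Public"] = False


if __name__ == "__main__":
    client = FakeEC2Client()  # replace with boto3.client("ec2", region_name="<region>")
    print("public before:", find_public_amis(client))
    print("public after :", remediate_public_amis(client))
```

Running this periodically (or in CI for an account) turns the manual console check into a repeatable audit; any ID in the "after" list means the permission change did not apply and needs a look.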

Conclusion

AWS allows users to create AMIs from their EC2 instances. This is a useful feature when one needs a custom base image to launch instances from, such as an image with software already baked in or one hardened to one’s own requirements.

These AMIs can be made either public or private. Images that may contain sensitive data, and any image that is not intended to be launchable by every AWS user, must be made private.

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security.