> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# EC2 AMIs Should Not Be Public

### More Info:

AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.

### Risk Level

High

### Address

Security

### Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the steps to remediate the issue of EC2 AMIs being public in AWS using the AWS console:

        1. Login to your AWS console.

        2. Go to the EC2 dashboard.

        3. Click on the "AMIs" option in the left-hand menu.

        4. Select the AMI that you want to remediate.

        5. Click on the "Modify Image Permissions" button.

        6. In the "Modify Image Permissions" dialog box, select "Private" as the new permission.

        7. Click on the "Save" button to apply the new permission.

        8. Repeat the above steps for all the public AMIs that you want to remediate.

        9. Once you have changed the permissions for all the public AMIs, verify that they are no longer public by checking the "Permissions" column in the AMIs dashboard.

        10. If any AMIs are still public, repeat the above steps for those AMIs.

        By following the above steps, you can remediate the issue of EC2 AMIs being public in AWS and ensure that your AMIs are only accessible to authorized users.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "EC2 AMIs Should Not Be Public" for AWS using AWS CLI, follow these steps:

        1. Log in to your AWS account and open the AWS CLI.

        2. Run the following command to check if there are any public AMIs in your AWS account:

           ```
           aws ec2 describe-images --owners self --filters "Name=is-public,Values=true"
           ```

        3. If there are any public AMIs, you can make them private by running the following command:

           ```
           aws ec2 modify-image-attribute --image-id <image-id> --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"
           ```

           Replace `<image-id>` with the ID of the AMI you want to make private.

        4. After running the command, verify that the AMI is no longer public by running the following command:

           ```
           aws ec2 describe-images --owners self --filters "Name=image-id,Values=<image-id>" "Name=is-public,Values=false"
           ```

           Replace `<image-id>` with the ID of the AMI you just made private.

        5. Repeat steps 3-4 for all public AMIs in your AWS account.

        6. Once you have made all the necessary AMIs private, you can prevent future public AMIs by setting the default AMI permissions to private. Run the following command:

           ```
           aws ec2 modify-image-attribute --attribute launchPermission --value "{\"Add\": [{\"Group\":\"self\"}]}" --image-id ami-00000000000000000
           ```

           Replace `ami-00000000000000000` with the ID of any private AMI in your account.

        7. After running the command, verify that the default AMI permissions have been set to private by running the following command:

           ```
           aws ec2 describe-image-attribute --attribute launchPermission --image-id ami-00000000000000000
           ```

           Replace `ami-00000000000000000` with the ID of the AMI you used in step 6.

        By following these steps, you can remediate the "EC2 AMIs Should Not Be Public" misconfiguration for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of EC2 AMIs being public in AWS using Python, you can follow the below steps:

        Step 1: Identify the public EC2 AMIs in your AWS account using boto3 library in Python.

        ```python theme={null}
        import boto3

        ec2 = boto3.client('ec2')

        response = ec2.describe_images(
            Filters=[
                {
                    'Name': 'is-public',
                    'Values': [
                        'true',
                    ]
                },
            ]
        )

        for image in response['Images']:
            print('Public AMI ID: ' + image['ImageId'])
        ```

        Step 2: Deregister the public EC2 AMIs using the `deregister_image()` method.

        ```python theme={null}
        import boto3

        ec2 = boto3.client('ec2')

        response = ec2.describe_images(
            Filters=[
                {
                    'Name': 'is-public',
                    'Values': [
                        'true',
                    ]
                },
            ]
        )

        for image in response['Images']:
            print('Deregistering public AMI ID: ' + image['ImageId'])
            ec2.deregister_image(ImageId=image['ImageId'])
        ```

        Step 3: Modify the EC2 AMI permissions to make them private using the `modify_image_attribute()` method.

        ```python theme={null}
        import boto3

        ec2 = boto3.client('ec2')

        response = ec2.describe_images(
            Filters=[
                {
                    'Name': 'is-public',
                    'Values': [
                        'true',
                    ]
                },
            ]
        )

        for image in response['Images']:
            print('Making private AMI ID: ' + image['ImageId'])
            ec2.modify_image_attribute(
                ImageId=image['ImageId'],
                LaunchPermission={
                    'Remove': [
                        {
                            'Group': 'all',
                        },
                    ],
                },
            )
        ```

        Note: Before making any changes to your AWS account, it is recommended to test the code in a non-production environment and ensure that it is working as expected.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html)
