Blacklisted AMIs Should Not Be Used
More Info:
Maintain a blacklist of AMIs that are known to introduce security issues into your application, and block their use. Your EC2 instances should not be launched from any of the blacklisted AMIs.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the issue of blacklisted AMIs in AWS using the AWS console, follow the steps below:
- Log in to your AWS console.
- Go to the EC2 dashboard.
- Click on the "AMIs" option in the left-hand menu.
- Identify the blacklisted AMIs in the list of available AMIs.
- Select the blacklisted AMI that you want to remove.
- Click on the "Actions" button and select "Deregister" from the drop-down menu.
- Confirm the action by clicking on the "Deregister" button.
- Once the AMI is deregistered, it will no longer be available for launching new instances.
- Ensure that any instances still running from the blacklisted AMI are terminated and replaced with instances launched from approved AMIs.
- Implement a process to regularly review and update the list of approved AMIs so that blacklisted AMIs are not used in the future.
By following the above steps, you can remediate the issue of blacklisted AMIs in AWS using the AWS console.
To remediate the issue of using blacklisted AMIs in AWS, you can follow the below steps using the AWS CLI:
- Identify the blacklisted AMIs in your AWS account. You can check the list of blacklisted AMIs on the AWS website.
- Find all the instances that are using the blacklisted AMIs. You can use the following AWS CLI command to get the list of instances:
  aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,ImageId]' --output text
  This command will return a list of all the instances in your AWS account along with their AMI IDs.
- Stop the instances that are using the blacklisted AMIs. You can use the following AWS CLI command to stop the instances:
  aws ec2 stop-instances --instance-ids <instance-id-1> <instance-id-2> ... <instance-id-n>
  Replace <instance-id-1>, <instance-id-2>, and so on with the instance IDs of the instances that are using the blacklisted AMIs.
- Create a new instance using a non-blacklisted AMI. You can use the following AWS CLI command to launch a new instance:
  aws ec2 run-instances --image-id <non-blacklisted-ami-id> --count 1 --instance-type <instance-type> --key-name <key-name> --security-group-ids <security-group-id> --subnet-id <subnet-id>
  Replace <non-blacklisted-ami-id> with the ID of a non-blacklisted AMI, <instance-type> with the type of instance you want to launch, <key-name> with the name of the key pair you want to use to connect to the instance, <security-group-id> with the ID of the security group you want to use, and <subnet-id> with the ID of the subnet you want to launch the instance in.
- Once the new instance is launched, you can transfer any data or configuration from the old instance to the new instance.
- Finally, terminate the instances that were using the blacklisted AMIs. You can use the following AWS CLI command to terminate the instances:
  aws ec2 terminate-instances --instance-ids <instance-id-1> <instance-id-2> ... <instance-id-n>
  Replace <instance-id-1>, <instance-id-2>, and so on with the instance IDs of the instances that were using the blacklisted AMIs.
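The instance-discovery step above, as an added example that is not part of this page or of any project's code: a filter over the same Reservations[*].Instances[*] structure that aws ec2 describe-instances returns, which groups affected instances by blacklisted AMI, separates running instances (the ones that need stop-instances) from already stopped ones, and skips terminated entries. The AMI IDs, instance IDs and the sample response are constructed placeholders, and fetch_reservations is a hypothetical helper that pulls the real data with boto3 when run against an account.

```python
# Constructed sample in the shape returned by `aws ec2 describe-instances`
# (boto3 describe_instances); the IDs are placeholders, not real resources.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "ImageId": "ami-0123456789abcdef0",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0bbb222", "ImageId": "ami-0fedcba9876543210",
         "State": {"Name": "running"}}]},
    {"Instances": [
        {"InstanceId": "i-0ccc333", "ImageId": "ami-0123456789abcdef1",
         "State": {"Name": "stopped"}},
        {"InstanceId": "i-0ddd444", "ImageId": "ami-0123456789abcdef0",
         "State": {"Name": "terminated"}}]},
]
BLACKLISTED_AMIS = {"ami-0123456789abcdef0", "ami-0123456789abcdef1"}


def find_blacklisted_instances(reservations, blacklist):
    """Return {ami_id: [(instance_id, state), ...]} for instances launched
    from a blacklisted AMI. Terminated instances are skipped: they no longer
    run the image and can be neither stopped nor terminated again."""
    hits = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "unknown")
            if inst.get("ImageId") in blacklist and state != "terminated":
                hits.setdefault(inst["ImageId"], []).append(
                    (inst["InstanceId"], state))
    return hits


def instances_to_stop(hits):
    """Only running instances need `aws ec2 stop-instances`; already stopped
    ones still need replacing, but a stop call on them is a wasted request."""
    return sorted(i for rows in hits.values() for i, s in rows if s == "running")


def fetch_reservations(region_name=None):
    """Hypothetical helper: pull every reservation via boto3 with pagination
    (needs ec2:DescribeInstances). Only called against a real account."""
    import boto3  # imported here so the pure functions above run offline
    paginator = boto3.client("ec2", region_name=region_name).get_paginator(
        "describe_instances")
    return [r for page in paginator.paginate() for r in page["Reservations"]]


if __name__ == "__main__":
    found = find_blacklisted_instances(SAMPLE_RESERVATIONS, BLACKLISTED_AMIS)
    print(found, "\nstop first:", instances_to_stop(found))
```

Against a real account, replace SAMPLE_RESERVATIONS with fetch_reservations() and feed the returned instance IDs to the stop-instances and terminate-instances commands shown above.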
To remediate the issue of using blacklisted AMIs in AWS using Python, follow these steps:
- Define a list of blacklisted AMIs that you want to avoid using. You can get this list from multiple sources, such as AWS documentation or a security team.
  blacklisted_amis = ['ami-0123456789abcdef0', 'ami-0123456789abcdef1', 'ami-0123456789abcdef2']
- Use the AWS SDK for Python (Boto3) to get a list of all the AMIs available in your AWS account.
  import boto3

  ec2 = boto3.client('ec2')
  # Only AMIs owned by this account can be deregistered, so restrict the listing to Owners=['self']
  all_amis = ec2.describe_images(Owners=['self'])['Images']
- Loop through each AMI and check if it is blacklisted. If it is, deregister the AMI and delete its associated snapshots.
  deregistered = []
  for ami in all_amis:
      if ami['ImageId'] in blacklisted_amis:
          # Deregister first: a snapshot that still backs a registered AMI cannot be deleted
          ec2.deregister_image(ImageId=ami['ImageId'])
          deregistered.append(ami['ImageId'])
          for block_device_mapping in ami['BlockDeviceMappings']:
              # Instance-store mappings have no 'Ebs' key, and not every EBS mapping carries a SnapshotId
              snapshot_id = block_device_mapping.get('Ebs', {}).get('SnapshotId')
              if snapshot_id:
                  # Fails with InvalidSnapshot.InUse if another registered AMI still references the snapshot
                  ec2.delete_snapshot(SnapshotId=snapshot_id)
- Optionally, you can also notify the appropriate team or individual about the remediation action.
  sns = boto3.client('sns')
  topic_arn = 'arn:aws:sns:us-east-1:123456789012:Blacklisted_AMIs'
  # Report the AMIs actually found and deregistered in this account, not the whole blacklist
  message = 'The following blacklisted AMIs have been deregistered and their associated snapshots have been deleted: {}'.format(deregistered)
  sns.publish(TopicArn=topic_arn, Message=message)
Note: Make sure you have the appropriate permissions (ec2:DescribeImages, ec2:DeregisterImage, ec2:DeleteSnapshot and sns:Publish) to perform these actions in your AWS account.