v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 2.1.5 Ensure Images are not Publicly Available

Description

EC2 allows you to make an AMI public, sharing it with all AWS accounts.

Publicly sharing an AMI with all AWS accounts could expose organizational data and configuration information.

Remediation

Perform the steps below to set an AMIs to Private.

From Console:

  1. Login to the EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the left pane, under Images, click AMIs.
  3. Confirm the Owned by me is set.
  4. Select the AMI from the list.
  5. Click on the Permissions Tab.
  6. Click on Edit.
  7. Click on the radio button Private.

Add AWS Account Number if you have a need to share with other Internal AWS accounts that your Organization owns.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_5 --share

SQL

This control uses a named query:

ec2_ami_restrict_public_access

Tags

category = Compliance
cis = true
cis_item_id = 2.1.5
cis_level = 1
cis_section_id = 2.1
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/EC2