Detection: EC2 AMI Shared Publicly
Overview
Detect when the launch permission of an Amazon Machine Image (AMI) was modified in your AWS environment. Changes to launch permissions, particularly sharing AMIs with external accounts, can expose sensitive configurations or proprietary software to unauthorized use. Monitoring these changes helps prevent unauthorized access and ensures secure AMI management.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.ec2_ami_shared_publiclySnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.ec2_ami_shared_publicly --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'imageId' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'ec2.amazonaws.com' and event_name = 'ModifyImageAttribute' and (request_parameters ->> 'attributeType') = 'launchPermission' and json_contains( (request_parameters -> 'launchPermission' -> 'add' -> 'items'), '{"group": "all"}' ) and error_code is null
order by event_time desc;