I was shocked to see how many public AMIs could be found containing private data. Amazon Machine Images are basically VM templates containing a root volume, launch permissions (which control who may use the image) and a block device mapping. Having an AMI makes deploying custom instances really easy and also makes other services such as Auto Scaling possible.
What is the problem?
By default, when you create an AMI it is set to private, meaning that only you can access it; this is good! However, if the AMI is set to public, anyone can launch an EC2 instance from your custom AMI, and that instance will include the root volume you attached to the image.
Amazon allows you to search for AMIs that have been made public, either via the AWS CLI tool or via the AWS console. Searching public AMIs for keywords like internal, data or customer returns a surprising number of results. You can also dump all the public AMI data via the AWS CLI and parse/search it as you like.
Below is a screenshot of an AMI tagged as internal, deployed on a t2.micro. It shows the bash history of everything that was done on the machine. This was just one of many images I found like this, so if you have any AMIs on AWS then please double check that they are set to private, otherwise you may be exposing critical data!
When I was looking into this I found loads of data such as:
- API tokens
- Bash history
- MySQL username & passwords
- Username & passwords
- Source code for applications
- SSH private keys (.ppk)
What can I do?
Amazon provides a best practice guide on how to share AMIs, so have a look at it if you actually want to share an AMI. AMIs are region specific, which means other AWS regions may hold other AMIs, so it's worth checking them all. To make this easier for you I have created a Python script which will search all AWS regions and list any of your AMIs that are public. You can download the script directly from here - AMI public search script.
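As an added example (my own code, not the script linked above), here is the same check written with boto3: it lists the AMIs owned by the calling account in every region, reports the ones whose launch permission is public, and with --fix removes that public permission. The sample image records, the --fix flag and the use of us-east-1 to fetch the region list are assumptions.

```python
"""Find AMIs owned by this account that are public, in every AWS region."""
from __future__ import annotations

import sys

# Constructed sample of what describe_images() returns for one region.
# Used for an offline check; real data comes from describe_images(Owners=["self"]).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0example1", "Name": "internal-build", "Public": True},
    {"ImageId": "ami-0example2", "Name": "prod-web", "Public": False},
]


def public_images(images: list[dict]) -> list[dict]:
    """Keep only images whose launch permission is open to everyone (Public=True)."""
    return [img for img in images if img.get("Public") is True]


def list_regions() -> list[str]:
    """All regions enabled for the account; any of them may hold a forgotten AMI."""
    import boto3  # imported here so the pure helper above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name="us-east-1")  # assumed home region
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


def scan_region(region: str) -> list[dict]:
    """Return the public AMIs owned by this account in a single region."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return public_images(ec2.describe_images(Owners=["self"])["Images"])


def make_private(region: str, image_id: str) -> None:
    """Remediation: drop the 'all' group from the image's launch permissions."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.modify_image_attribute(
        ImageId=image_id, LaunchPermission={"Remove": [{"Group": "all"}]}
    )


def main() -> None:
    fix = "--fix" in sys.argv  # assumed flag: report only unless explicitly asked to fix
    for region in list_regions():
        for img in scan_region(region):
            print(f"{region}\t{img['ImageId']}\t{img.get('Name', '')}\tPUBLIC")
            if fix:
                make_private(region, img["ImageId"])
                print("\t-> launch permission set back to private")


if __name__ == "__main__":
    main()
```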