Malicious Amazon Machine Images (AMIs)
Introduction
As organizations move their infrastructure, data and workload to the cloud, it is important to ensure that the Amazon Machine Images (AMI) from the AWS Marketplace used in creating the EC2 instance are safe.
This article will explain AMIs in detail and will explore what it is, how it works, malicious AMIs and how they can be prevented.
Learn Cloud Security
What are AMIs?
An AMI is used to create virtual servers on an AWS environment. An AMI provides the information required to launch an Amazon Elastic Compute Cloud (EC2) instance. A single AMI can be used to launch multiple instances with the same configuration.
An AMI includes the following:
- A template for the root volume of the instance (typically an operating system, e.g., Amazon Linux, Ubuntu etc., an application server and applications).
- Launch permissions that control which AWS accounts can use the AMI to launch instances. AMI owners determine the availability of an AMI via launch permissions. A block device mapping that specifies the volumes to attach to the instance when it's launched.
There are three (3) types of AMIs:
- Public AMIs: These are AMIs made available for free by the developer.
- Private AMIs: These are private AMIs that can only be used by EC2 users granted access to them by the developer.
- Paid AMIs: These are private AMIs available for purchase from the developer in the AWS Marketplace.
Note: Amazon can’t vouch for the integrity or security of AMIs shared by other Amazon EC2 users.
What are malicious AMIs?
Malicious AMIs are community AMIs embedded with malicious codes, e.g., crypto miners, ransomware and so on. They are distributed via the AWS Marketplace to unsuspecting users who are running EC2 instances based on the community AMI.
In 2020, researchers at Mitiga found an active crypto miner on an EC2 instance during the assessment of an organization’s AWS environment. A review of the AMI revealed that the crypto miner was embedded in the AMI used by the organization.
The developer who published the malicious AMI on the AWS marketplace designed the crypto miner to carry out a form of financial fraud.
Malicious AMIs are not a new phenomenon. In 2018, Summit Route investigated an instance where an Ubuntu AMI had a Monero miner malware embedded in the AMI. The malicious code attempted to exploit vulnerabilities associated with Hadoop, Redis and ActiveMQ on the server. Subsequent to this, a CVE for malicious AMIs was created in 2018. This is CVE-2018-15869 which specifies that when an –owners flag is not specified when describing AMI images via the AWS Command Line Interface (CLI), one can end with a potentially malicious AMI.
Learn Cloud Security
How to mitigate the risks of malicious AMIs
There are a number of moves users can make to lower the risk of malicious AMIs.
- Ensure that images are gotten from trusted and verified sources or vendors, e.g., Amazon.
- Review EC2 instances running on your environment to ensure you can verify the type of AMI (i.e., private or public).
- Review the AMIs to ensure that they do not come with pre-installed credentials such as public SSH keys or default usernames and passwords, which could allow unwanted third-party access to your running EC2 instances or preconfigured remote logging hosts.
- Identify and disable unauthorized/unrecognized public SSH keys from your instances.
- Create an image from your existing IT infrastructure or a base operating system you trust and use that as your own AMI.
Sources
Amazon Machine Images (AMIs), AWS
CVE-2018-15869, National Vulnerability Database
CVE-2018-15869, Common Vulnerabilities and Exposure
How We Build Code at Netflix, Netflix
Security Advisory, Mitiga
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- Malicious Amazon Machine Images (AMIs)
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security