An AWS AMI was modified to allow public access

ID: aws_ami_public
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected that an AWS Amazon Machine Image (AMI) was modified to allow public access. This configuration change exposes the AMI to potential unauthorized use or access by all AWS accounts. Threat actors often target and exploit publicly accessible cloud resources as part of their attack strategies. This modification could indicate an attempt to exfiltrate sensitive data or prepare for further malicious activities.

Impact

Threat actors can use publicly available AMIs to launch instances that can potentially access sensitive data or be used as a launching pad for attacks. This exposure can lead to data exfiltration and unanticipated costs if malicious actors launch multiple instances using the exposed AMI.

Severity

Severity | Condition
Low | Modified AWS AMI detected

Investigation and Remediation

Review access logs and investigate the change to the AMI to determine who made the change and why. If unauthorized, immediately revert the AMI to private status. Investigate any instances launched from that AMI while it was public.
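The review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it scans CloudTrail records for successful ModifyImageAttribute calls that add the `all` group to an AMI's launch permissions, and reports who made the change and how long the image stayed public. The ARNs, account IDs, AMI IDs and events are constructed samples, and the record layout under `requestParameters` is an assumption about how CloudTrail logs this call.

```python
# Added example: find AMIs made public in CloudTrail records and the exposure window.
# Assumed record layout: requestParameters.launchPermission.{add,remove}.items[].group

def _ev(time, ami, action, item, actor="arn:aws:iam::111122223333:user/build-bot", error=None):
    """Build a constructed ModifyImageAttribute record (sample data, not real logs)."""
    ev = {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
          "eventTime": time, "sourceIPAddress": "198.51.100.7",
          "userIdentity": {"arn": actor},
          "requestParameters": {"imageId": ami, "attributeType": "launchPermission",
                                "launchPermission": {action: {"items": [item]}}}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ami-0aaa", "add", {"group": "all"}),
    _ev("2024-05-01T10:05:00Z", "ami-0bbb", "add", {"userId": "444455556666"}),  # one account only
    _ev("2024-05-01T11:00:00Z", "ami-0ccc", "add", {"group": "all"},
        error="Client.UnauthorizedOperation"),  # denied call, nothing changed
    _ev("2024-05-01T12:30:00Z", "ami-0aaa", "remove", {"group": "all"}),
    _ev("2024-05-02T09:00:00Z", "ami-0ddd", "add", {"group": "all"},
        actor="arn:aws:iam::111122223333:user/alice"),
]

def _groups(ev, action):
    """Groups named in the add/remove list of a launch-permission change."""
    perm = (ev.get("requestParameters") or {}).get("launchPermission") or {}
    items = (perm.get(action) or {}).get("items") or []
    return {i.get("group") for i in items if isinstance(i, dict)}

def public_exposure_windows(events):
    """One entry per successful 'make public' change: who, from where, and until when."""
    windows, still_public = [], {}
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        if (ev.get("eventSource"), ev.get("eventName")) != ("ec2.amazonaws.com", "ModifyImageAttribute"):
            continue
        if ev.get("errorCode"):  # failed calls did not change the AMI
            continue
        ami = (ev.get("requestParameters") or {}).get("imageId")
        if "all" in _groups(ev, "add") and ami not in still_public:
            still_public[ami] = {"ami": ami, "actor": (ev.get("userIdentity") or {}).get("arn"),
                                 "source_ip": ev.get("sourceIPAddress"),
                                 "public_from": ev.get("eventTime"), "private_again": None}
            windows.append(still_public[ami])
        elif "all" in _groups(ev, "remove") and ami in still_public:
            still_public.pop(ami)["private_again"] = ev.get("eventTime")
    return windows

if __name__ == "__main__":
    for window in public_exposure_windows(SAMPLE_EVENTS):
        print(window)
```

A window whose `private_again` is `None` is an AMI that is still public; the `public_from` and `private_again` timestamps bound the search for instances launched from the image while it was exposed.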

Known False Positives

  • Deliberate public sharing of non-sensitive AMIs for legitimate business purposes
  • Temporary public access granted for testing or development purposes
  • Third-party tools or services modifying AMI settings as part of their intended functionality