AWS AMI Block Public Access was disabled for an account
Description
AlphaSOC detected that the AWS Amazon Machine Image (AMI) Block Public Access feature was disabled for an account. This security control prevents AMIs from being inadvertently made publicly available. Disabling it increases the risk of sensitive data exposure and unauthorized access to AMIs: threat actors could exploit the misconfiguration to gain access to proprietary or sensitive information stored in AMIs. The detection distinguishes between authorized and unknown accounts and evaluates each permission change individually.
Impact
Disabling AMI Block Public Access can result in unintended public exposure of AMIs, potentially disclosing sensitive data, proprietary software, or configurations. This exposure can lead to data exfiltration, intellectual property theft, or provide attackers with valuable information for further exploitation of the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Disabled AWS AMI Block Public Access detected |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or process responsible for the change. Examine all AMIs in the account for unintended public sharing. Re-enable the AMI Block Public Access feature immediately, then review and revoke any unnecessary public access to AMIs.
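The following is an added worked example, not AlphaSOC's detection code, illustrating both the detection described above (flagging the EC2 `DisableImageBlockPublicAccess` CloudTrail event and classifying the account as authorized or unknown) and the first two investigation steps (attributing the change to an actor and listing AMIs that are shared publicly). The CloudTrail records, account IDs, ARNs, AMI IDs and the `AUTHORIZED_ACCOUNTS` allow-list are all constructed for the example; the `Public` field comes from the real `DescribeImages` response shape.

```python
import json

# Constructed CloudTrail log file (not real log data). CloudTrail delivers
# files as {"Records": [...]}; DisableImageBlockPublicAccess is the EC2 API
# action that turns the control off. Account IDs and ARNs are made up.
SAMPLE_CLOUDTRAIL_LOG = """
{"Records": [
 {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DisableImageBlockPublicAccess", "awsRegion": "us-east-1",
  "recipientAccountId": "111111111111",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111111111111:user/release-bot"}},
 {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DisableImageBlockPublicAccess", "awsRegion": "eu-west-1",
  "recipientAccountId": "222222222222",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeImages", "awsRegion": "eu-west-1",
  "recipientAccountId": "222222222222",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"}}
]}
"""

# Assumption: the set of accounts that are allowed to publish public AMIs.
AUTHORIZED_ACCOUNTS = {"111111111111"}


def load_cloudtrail_records(log_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_text)["Records"]


def find_block_public_access_disables(records, authorized_accounts):
    """Return one finding per DisableImageBlockPublicAccess event.

    Each finding carries the actor ARN for attribution and a status of
    'authorized' or 'unknown' depending on the allow-list, mirroring the
    authorized-vs-unknown distinction the detection makes.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "DisableImageBlockPublicAccess":
            continue
        account = rec.get("recipientAccountId", "")
        findings.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "account": account,
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "status": "authorized" if account in authorized_accounts else "unknown",
        })
    return findings


# Constructed output in the shape of `aws ec2 describe-images --owners self`.
# `Public` is true when the AMI's launch permission includes the group "all".
SAMPLE_DESCRIBE_IMAGES = {"Images": [
    {"ImageId": "ami-0aaa1111bbbb2222c", "Name": "internal-build-42", "Public": False},
    {"ImageId": "ami-0ddd3333eeee4444f", "Name": "golden-base-2024-05", "Public": True},
]}


def public_amis(describe_images_output):
    """List the IDs of owned AMIs that are shared with all AWS accounts."""
    return [img["ImageId"]
            for img in describe_images_output.get("Images", [])
            if img.get("Public")]


if __name__ == "__main__":
    records = load_cloudtrail_records(SAMPLE_CLOUDTRAIL_LOG)
    for f in find_block_public_access_disables(records, AUTHORIZED_ACCOUNTS):
        print(f"{f['time']} {f['region']} account={f['account']} "
              f"({f['status']}) disabled by {f['actor']}")
    print("Publicly shared AMIs:", public_amis(SAMPLE_DESCRIBE_IMAGES))
```

In a real investigation the records come from the CloudTrail log files (or a `lookup-events` query) for the region reported in the alert, and the AMI list from `aws ec2 describe-images --owners self` in each region. The remaining steps are AWS CLI calls rather than Python: re-enable the control per region with `aws ec2 enable-image-block-public-access --image-block-public-access-state block-new-sharing`, confirm it with `aws ec2 get-image-block-public-access-state`, and remove an unintended public share with `aws ec2 modify-image-attribute --image-id <ami-id> --launch-permission "Remove=[{Group=all}]"`.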
Known False Positives
- Temporary disabling for legitimate public AMI sharing
- Automated scripts or CI/CD pipelines temporarily disabling the feature for AMI distribution
- Testing or development environments where public AMI sharing is required
- Third-party tools or services that manage AMIs across multiple accounts