AWS AMI Block Public Access was disabled for an account

ID: aws_ami_public_block_disabled
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that the AWS Amazon Machine Image (AMI) Block Public Access feature was disabled for an account. This security control prevents AMIs from being inadvertently made publicly available. Disabling it increases the risk of sensitive data exposure and unauthorized access to AMIs. Threat actors could exploit this misconfiguration to gain access to proprietary or sensitive information stored in AMIs. The detection distinguishes between authorized and unknown accounts and evaluates each permission change individually to reduce noise.

Impact

Disabling AMI Block Public Access can result in unintended public exposure of AMIs, potentially disclosing sensitive data, proprietary software, or configurations. This exposure can lead to data exfiltration, intellectual property theft, or provide attackers with valuable information for further exploitation of the AWS environment.

Severity

Severity        Condition
Informational   Disabled AWS AMI Block Public Access detected

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or process responsible. Examine all AMIs in the account for unintended public sharing. Immediately re-enable the AMI Block Public Access feature. Review and revoke any unnecessary public access to AMIs.
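The detection and triage steps above, as an added example that is not AlphaSOC's own code: it reads CloudTrail records for the EC2 `DisableImageBlockPublicAccess` / `EnableImageBlockPublicAccess` API actions, tags each disable as authorized or unknown against an assumed allowlist of principal ARNs, lists the AMIs that were made public while the block was off, and shows the remediation calls (`enable_image_block_public_access`, `modify_image_attribute`) against a recording stand-in for a boto3 EC2 client. The CloudTrail records, account IDs, ARNs and AMI IDs are constructed sample data; the allowlist and the `RecordingClient` are assumptions for illustration.

```python
"""Triage helpers for the aws_ami_public_block_disabled alert.

Added example, not AlphaSOC's detection code. Operates on CloudTrail records
(the JSON shape CloudTrail delivers) and on the LaunchPermissions list returned
by the EC2 DescribeImageAttribute API.
"""

# Assumption: principals allowed to toggle the feature, e.g. an AMI release
# pipeline role. Calls from anyone else are reported as "unknown".
AUTHORIZED_PRINCIPAL_PREFIXES = (
    "arn:aws:sts::111111111111:assumed-role/ami-release-pipeline/",
)
PIPELINE = "arn:aws:sts::111111111111:assumed-role/ami-release-pipeline/build-42"
CONTRACTOR = "arn:aws:iam::111111111111:user/contractor-temp"

# Constructed CloudTrail records for illustration (not real account activity).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DisableImageBlockPublicAccess", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn": PIPELINE}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableImageBlockPublicAccess", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn": PIPELINE}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DisableImageBlockPublicAccess", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR}},
    {"eventTime": "2024-05-01T11:32:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyImageAttribute", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR},
     "requestParameters": {"imageId": "ami-0123456789abcdef0",
                           "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
]

# Constructed DescribeImageAttribute(Attribute="launchPermission") results.
SAMPLE_PERMISSIONS = {
    "ami-0123456789abcdef0": [{"Group": "all"}],
    "ami-0fedcba9876543210": [{"UserId": "222222222222"}],
}


def block_disabled_findings(events, authorized_prefixes=AUTHORIZED_PRINCIPAL_PREFIXES):
    """One finding per DisableImageBlockPublicAccess call, tagged by whether
    the calling principal is on the authorized list."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != \
                ("ec2.amazonaws.com", "DisableImageBlockPublicAccess"):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        findings.append({
            "time": ev["eventTime"], "account": ev.get("recipientAccountId"),
            "region": ev.get("awsRegion"), "principal": arn,
            "authorized": arn.startswith(authorized_prefixes),
        })
    return findings


def shared_while_unblocked(events):
    """AMIs made public (launchPermission add group=all) while the block was
    off in that region; these are the first images to review."""
    disabled, shared = set(), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO 8601 sorts lexically
        region, name = ev.get("awsRegion"), ev.get("eventName")
        if name == "DisableImageBlockPublicAccess":
            disabled.add(region)
        elif name == "EnableImageBlockPublicAccess":
            disabled.discard(region)
        elif name == "ModifyImageAttribute" and region in disabled:
            params = ev.get("requestParameters", {})
            items = params.get("launchPermission", {}).get("add", {}).get("items", [])
            if any(i.get("group") == "all" for i in items):
                shared.append(params.get("imageId"))
    return shared


def public_amis(image_permissions):
    """Images whose LaunchPermissions include the 'all' group."""
    return [img for img, perms in image_permissions.items()
            if any(p.get("Group") == "all" for p in perms)]


class RecordingClient:
    """Stand-in for a boto3 EC2 client that records calls instead of making
    them; swap in boto3.client("ec2") to act on a real account."""
    def __init__(self):
        self.calls = []

    def enable_image_block_public_access(self, **kwargs):
        self.calls.append(("enable_image_block_public_access", kwargs))

    def modify_image_attribute(self, **kwargs):
        self.calls.append(("modify_image_attribute", kwargs))


def remediate(ec2, image_permissions):
    """Re-enable the block, then revoke public launch permission on every
    image that is currently public. Returns the image IDs revoked."""
    ec2.enable_image_block_public_access(ImageBlockPublicAccessState="block-new-sharing")
    revoked = public_amis(image_permissions)
    for img in revoked:
        ec2.modify_image_attribute(ImageId=img, LaunchPermission={"Remove": [{"Group": "all"}]})
    return revoked


if __name__ == "__main__":
    for finding in block_disabled_findings(SAMPLE_EVENTS):
        print(finding)
    print("shared while unblocked:", shared_while_unblocked(SAMPLE_EVENTS))
    client = RecordingClient()
    print("revoked:", remediate(client, SAMPLE_PERMISSIONS), client.calls)
```

On the sample data the pipeline's disable in us-east-1 is reported as authorized and is followed by a re-enable, while the contractor's disable in eu-west-1 is reported as unknown and is followed by an AMI being shared with the `all` group, which is the case to escalate. The block-state value `block-new-sharing` only stops new public sharing, so existing public launch permissions still have to be revoked per image, as `remediate` does.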

Known False Positives

  • Temporary disabling for legitimate public AMI sharing
  • Automated scripts or CI/CD pipelines temporarily disabling the feature for AMI distribution
  • Testing or development environments where public AMI sharing is required
  • Third-party tools or services that manage AMIs across multiple accounts