This article explains AMIs in detail: what they are, how they work, what malicious AMIs are and how the risk they pose can be reduced.

What are AMIs?

An AMI includes the following:

There are three (3) types of AMIs:

Public AMIs: AMIs made available for free by the developer.

Private AMIs: AMIs that can only be used by EC2 users who have been granted access to them by the developer.

Paid AMIs: Private AMIs available for purchase from the developer in the AWS Marketplace.

What are malicious AMIs?

Malicious AMIs are community AMIs with malicious code embedded in them, e.g., crypto miners, ransomware and so on. They are distributed via the AWS Marketplace to unsuspecting users who then run EC2 instances based on the community AMI. In 2020, researchers at Mitiga found an active crypto miner on an EC2 instance during an assessment of an organization's AWS environment. A review of the AMI revealed that the crypto miner was embedded in the AMI the organization had used. The developer who published the malicious AMI on the AWS Marketplace had designed the crypto miner to carry out a form of financial fraud.

Malicious AMIs are not a new phenomenon. In 2018, Summit Route investigated an instance where an Ubuntu AMI had Monero miner malware embedded in it. The malicious code attempted to exploit vulnerabilities associated with Hadoop, Redis and ActiveMQ on the server. Subsequently, a CVE for malicious AMIs was created in 2018: CVE-2018-15869, which specifies that when the --owners flag is not given while describing AMI images via the AWS Command Line Interface (CLI), one can end up with a potentially malicious AMI from the public community catalog.
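The following is an added example, not code from the article or from AWS, showing the control behind CVE-2018-15869: an AMI lookup that selects "the newest image whose name matches" from the community catalog can be satisfied by a look-alike image from an unknown account, while the same lookup restricted to an owner allowlist (what `--owners` does in `aws ec2 describe-images`) cannot. The `describe-images` response below is constructed to look like the AWS CLI's JSON output, and the account IDs and image IDs are placeholders, not real AWS accounts or AMIs.

```python
"""Vet AMI lookups by owner before launching from them.

Added example (not the article's or AWS's code). The response below is a
constructed sample shaped like `aws ec2 describe-images --output json`; the
OwnerId and ImageId values are placeholders.
"""
import fnmatch
import json

# Placeholder account ID standing in for the vendor or organization you trust.
TRUSTED_OWNERS = {"123456789012"}

# Constructed sample: two public images share the same name. The newer one
# comes from an account that is not on the allowlist.
SAMPLE_RESPONSE = json.dumps({
    "Images": [
        {
            "ImageId": "ami-0aaaaaaaaaaaaaaa1",
            "Name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210301",
            "OwnerId": "123456789012",
            "Public": True,
            "CreationDate": "2021-03-01T00:00:00.000Z",
        },
        {
            "ImageId": "ami-0bbbbbbbbbbbbbbb2",
            "Name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210401",
            "OwnerId": "999999999999",
            "Public": True,
            "CreationDate": "2021-04-01T00:00:00.000Z",
        },
    ]
})


def describe_images_argv(name_pattern, owners):
    """Build the AWS CLI argument list with an explicit --owners allowlist.

    Refuses to build a query that would search the whole community catalog,
    which is the situation CVE-2018-15869 describes.
    """
    if not owners:
        raise ValueError("refusing to query AMIs without an --owners allowlist")
    return [
        "aws", "ec2", "describe-images",
        "--owners", *sorted(owners),
        "--filters", f"Name=name,Values={name_pattern}",
        "--output", "json",
    ]


def select_image(response_json, name_pattern, owners=None):
    """Return the ImageId of the newest image matching name_pattern.

    With owners=None this reproduces the risky lookup (name only); with an
    owner set it mirrors what --owners enforces server-side.
    """
    images = json.loads(response_json)["Images"]
    candidates = [
        img for img in images
        if fnmatch.fnmatch(img["Name"], name_pattern)
        and (owners is None or img["OwnerId"] in owners)
    ]
    if not candidates:
        return None
    newest = max(candidates, key=lambda img: img["CreationDate"])
    return newest["ImageId"]


if __name__ == "__main__":
    pattern = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
    print("name-only lookup picks:", select_image(SAMPLE_RESPONSE, pattern))
    print("owner-restricted lookup picks:",
          select_image(SAMPLE_RESPONSE, pattern, TRUSTED_OWNERS))
    print(" ".join(describe_images_argv(pattern, TRUSTED_OWNERS)))
```

The same allowlist belongs in infrastructure code that resolves AMIs by name (for example a data source in Terraform or a boto3 `describe_images` call): pin the owner, not just the name, and treat "no candidate from a trusted owner" as a hard failure rather than falling back to the community catalog.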

How to mitigate the risks of malicious AMIs

There are a number of steps users can take to lower the risk of malicious AMIs.

Sources

CVE-2018-15869, National Vulnerability Database

CVE-2018-15869, Common Vulnerabilities and Exposures

How We Build Code at Netflix, Netflix

Security Advisory, Mitiga

How to share and use Public AMIs in a secure manner, AWS