On the 13th of September 2023, AWS introduced an account-wide setting that matters to every AWS user: AWS accounts can now block the public sharing of Amazon Machine Images (AMIs) in a region. This release makes it much easier to enforce this at scale and strengthens cloud security. In this article, we will explore the AWS release, why AMIs should be protected from public access, and how the StackZone console builds on this AWS capability to simplify your cloud management, improving security through automation.
What is an Amazon Machine Image?
An “Amazon Machine Image” (AMI) refers to a pre-configured virtual machine image used to create Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon EC2 is a web service that provides scalable computing capacity in the cloud. AMIs are essentially templates that include the necessary information to launch instances, such as the operating system, application server, and applications.
Why is it important to block public access to Amazon Machine Images?
AMIs can be either public or private, and which one is appropriate depends on the specific use case, security requirements, and the intended audience. Here are some reasons why we recommend blocking public access to your AMIs:
To protect your security
It’s important for AMIs to be private because this prevents unauthorized access to the highly confidential and sensitive information that AMIs typically contain.
To achieve compliance
There are some software licenses that prohibit making AMIs that include their software public. Be sure to review and comply with the licensing terms of the software you include in your AMIs. Also, certain industries and organizations, such as those in healthcare, finance, or government, have strict compliance requirements that mandate the protection of sensitive data. Keeping AMIs private helps maintain compliance.
To control your costs
From a cloud cost management perspective, it is recommended to privatize your AMIs. Public AMIs can be accessed by anyone, potentially leading to unexpected usage charges if someone outside your organization launches instances from your public AMIs. Keeping them private allows you to control and limit access to your resources.
For protection during testing and development
During the testing and development phases, you may not want to expose your AMIs to the public until they have been thoroughly tested and secured.
How did users previously protect Amazon Machine Images?
Prior to this release, to Block Public Access (BPA) to Amazon Machine Images, you had to manually check the settings of every AMI or run custom scripts to analyze the status of each AMI. Naturally, this was time-consuming, easily overlooked, and prone to mistakes that put the confidentiality of sensitive data at risk.
How does this new AWS release change the way to block public access (BPA) of AMIs?
AMI BPA is disabled by default. To use this capability, you enable the setting within the AWS account; from then on, no new AMI in that region can be made public. AWS writes: “Customers with existing public AMIs can also enable AMI BPA within their AWS accounts to restrict private AMIs in their account from being publicly shared, without impacting existing public AMIs.”
How does StackZone enhance AMI BPA?
Our mission, built into the StackZone console, is to simplify all aspects of cloud management; this improves our clients’ productivity by 60% on average thanks to the time saved through visibility, auto-remediations, and intelligent improvement suggestions. To achieve our mission, we keep pace with the latest AWS advancements so our clients always have a user-friendly tool that is up to date with their business needs.
Our custom AWS Config rule for AMIs checks, at a user-defined interval, whether the account-level setting that blocks public access to Amazon Machine Images is in the blocked state. If it is not, the rule is flagged as non-compliant in every account where this is detected.
If you have enabled the associated remediation for this rule, it will automatically turn on the setting and block new AMIs (Amazon Machine Images) from being shared publicly.
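As an added illustration (not StackZone’s own rule or AWS-provided code), here is how a periodic custom AWS Config rule with optional auto-remediation can be written in Python with boto3. The boto3 EC2 and Config method names are real; the `FakeEC2` client and the `autoRemediate` rule parameter are constructed for this example.

```python
"""Periodic AWS Config custom rule: is AMI Block Public Access enabled?"""
import json

BLOCKED = "block-new-sharing"     # the only blocked state AMI BPA supports
RESOURCE_TYPE = "AWS::::Account"  # the setting is account/region-wide, not per AMI


def evaluate_ami_bpa(ec2, remediate=False):
    """Return (compliance_type, annotation).

    `ec2` is any object exposing the boto3 EC2 client methods used below,
    so it can be faked for offline testing. The caller's role needs
    ec2:GetImageBlockPublicAccessState and, for remediation,
    ec2:EnableImageBlockPublicAccess."""
    state = ec2.get_image_block_public_access_state()["ImageBlockPublicAccessState"]
    if state == BLOCKED:
        return "COMPLIANT", "AMI BPA is enabled (block-new-sharing)"
    if not remediate:
        return "NON_COMPLIANT", f"AMI BPA state is '{state}'; enable block-new-sharing"
    # Auto-remediation: turn the setting on. Existing public AMIs are unaffected.
    ec2.enable_image_block_public_access(ImageBlockPublicAccessState=BLOCKED)
    return "COMPLIANT", f"AMI BPA was '{state}'; remediation enabled block-new-sharing"


def lambda_handler(event, context):
    """Entry point for a ScheduledNotification (periodic) custom Config rule."""
    import boto3  # imported here so the logic above is importable without boto3
    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    remediate = params.get("autoRemediate", "false").lower() == "true"  # assumed parameter
    compliance, annotation = evaluate_ami_bpa(boto3.client("ec2"), remediate)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": RESOURCE_TYPE,
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": invoking_event["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client (offline testing only)."""
    def __init__(self, state):
        self.state, self.enable_calls = state, 0

    def get_image_block_public_access_state(self):
        return {"ImageBlockPublicAccessState": self.state}

    def enable_image_block_public_access(self, ImageBlockPublicAccessState):
        self.state, self.enable_calls = ImageBlockPublicAccessState, self.enable_calls + 1
```

Deploy `lambda_handler` as the rule’s Lambda with a periodic trigger; the `evaluate_ami_bpa` function can be exercised locally with `FakeEC2("unblocked")` before it is ever pointed at a real account.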
In simple terms
With 24/7 monitoring, StackZone provides you with the capability of knowing if AMI BPA is active in every account. If it’s not active, StackZone will automatically activate it to protect AMIs’ privacy.
What are the benefits of this feature?
- Visibility – From the user-friendly interface, customers can confirm that no new AMI is made public within their AWS accounts. Greater visibility prevents the human errors that lead to security vulnerabilities.
- Reduced risk level – We want to make it easy for you to stay on top of the latest emerging threats. There is no second-guessing with StackZone. The Config rules and auto remediations work hard around the clock to ensure everything is functioning optimally in your cloud environment.
- Prevented mistakes – A simple error of a certain AMI being public could have disastrous consequences. While mistakes are only human, StackZone doesn’t leave room for error.
- Improved Identity and Access Management – When your AMIs are private, you have granular control over who can launch instances from them. You can define IAM policies and roles to grant specific permissions to users, groups, or roles, ensuring that only authorized personnel can use these images.
Best practices for Amazon Machine Images
Implement image versioning
- Maintain a clear versioning scheme for your AMIs to track changes and updates.
- Use descriptive names or tags to indicate the purpose and content of each AMI version.
Reactivate the BPA feature
If you intend to make your AMIs public, deactivate the block public access feature. After you’ve finished sharing, ensure you reactivate the block public access feature to avoid any unintentional public exposure of your AMIs.
Restrict permissions
Limit IAM permissions so that only an administrator user has the capability to activate or deactivate block public access for AMIs.
Monitor and clean up unused AMIs
- Regularly audit your AMIs and remove outdated or unused images to save on storage costs.
- Implement lifecycle policies with Amazon Elastic Block Store (EBS) snapshots to automate the cleanup process.
In conclusion, the introduction of the new AWS capability on September 13th, 2023, allowing users to block public access to Amazon Machine Images (AMIs) through EC2, represents a significant milestone in enhancing cloud security and simplifying management at scale.
Prior to this release, safeguarding AMIs required manual checks or custom scripts, which were time-consuming and error-prone. StackZone’s contribution to enhancing AMI BPA helps to maximize productivity, creates simplicity, and reduces errors and costly mistakes. Want to transform your cloud management? Book a demo of StackZone and one of our experts will explain how StackZone can help you based on your industry and specific business requirements.
This article was written by Fernando Hönig, Founder of StackZone