AWS AMI is shared with multiple accounts

ID

aws_ami_multiple_accounts

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The AMI is shared with more than one AWS account. An AMI captures the full root volume of the instance it was built from, so anything left on that volume (credentials, private keys, configuration secrets, proprietary software) is readable by every account allowed to launch it. Each additional account ID in the launch permissions widens that exposure.

To fix it, restrict the launch permissions of the AMI (the `user_ids` list under `launch_permissions`) to at most one account ID, and share with other accounts only on an explicit, per-account basis.

Learn more about this topic at AWS Sharing AMIs.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Allow AMI to be launched by another account
      amazon.aws.ec2_ami:
        image_id: "{{ instance.image_id }}"
        state: present
        launch_permissions:
          # Two account IDs: the AMI is shared with multiple accounts,
          # which is what this rule flags.
          user_ids:
            - '123456789012'
            - '234567890123'

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Allow AMI to be launched by another account
      amazon.aws.ec2_ami:
        image_id: "{{ instance.image_id }}"
        state: present
        launch_permissions:
          # A single account ID: launch permission is granted to one
          # account only, so the rule does not fire.
          user_ids:
            - '123456789012'
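The following is an added example, not the scanner's own implementation of this rule: a small Python check that walks a parsed Ansible playbook, finds every `ec2_ami` task (under the `amazon.aws`, `community.aws` or bare module name) and reports those whose `launch_permissions.user_ids` lists more than one distinct account. The two playbooks embedded below are constructed Python literals mirroring the vulnerable and fixed examples above, plus a task inside a `block` to show that nesting is handled. Loading a real playbook file uses PyYAML (`yaml.safe_load`), which is assumed to be installed only for the command-line path.

```python
"""Flag ec2_ami tasks that share an AMI with more than one AWS account.

Added example implementing the rule described above; not the scanner's code.
"""
import sys
from typing import Iterator, Optional

# Names under which the ec2_ami module can appear as a task key.
EC2_AMI_MODULES = ("amazon.aws.ec2_ami", "community.aws.ec2_ami", "ec2_ami")
# Task keywords whose value is a nested list of tasks.
NESTED_TASK_KEYS = ("block", "rescue", "always")
# Play keywords whose value is a list of tasks.
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(tasks) -> Iterator[dict]:
    """Yield every task dict, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in NESTED_TASK_KEYS if isinstance(task.get(k), list)]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key])
        else:
            yield task


def ami_shared_accounts(task: dict) -> Optional[list]:
    """Return the distinct account IDs an ec2_ami task grants launch
    permission to, or None if the task is not an ec2_ami call or the
    user_ids value cannot be judged statically (e.g. a Jinja expression)."""
    args = next((task[m] for m in EC2_AMI_MODULES if m in task), None)
    if not isinstance(args, dict):
        return None
    perms = args.get("launch_permissions")
    if not isinstance(perms, dict):
        return None
    user_ids = perms.get("user_ids")
    if not isinstance(user_ids, list):
        return None  # "{{ accounts }}" or similar: not decidable at scan time
    # The same account listed twice is still one account, so deduplicate.
    return sorted({str(uid) for uid in user_ids})


def find_shared_amis(playbook) -> list:
    """One finding per ec2_ami task that shares its AMI with more than one account."""
    findings = []
    for play in playbook or []:
        if not isinstance(play, dict):
            continue
        for key in PLAY_TASK_KEYS:
            for task in iter_tasks(play.get(key)):
                accounts = ami_shared_accounts(task)
                if accounts is not None and len(accounts) > 1:
                    findings.append({"task": task.get("name", "<unnamed>"),
                                     "accounts": accounts})
    return findings


def ec2_ami_task(name, user_ids):
    """Helper to build a constructed ec2_ami task in parsed-playbook form."""
    return {"name": name,
            "amazon.aws.ec2_ami": {"image_id": "{{ instance.image_id }}",
                                   "state": "present",
                                   "launch_permissions": {"user_ids": user_ids}}}


# Constructed sample data mirroring the page's examples (not real playbooks).
VULNERABLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    ec2_ami_task("Allow AMI to be launched by another account",
                 ["123456789012", "234567890123"])]}]
FIXED_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    ec2_ami_task("Allow AMI to be launched by another account",
                 ["123456789012"])]}]
# A duplicated ID (one account) and a two-account share hidden inside a block.
NESTED_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "Wrapper", "block": [
        ec2_ami_task("Same account twice", ["123456789012", "123456789012"]),
        ec2_ami_task("Shared widely", ["111111111111", "222222222222"])]}]}]


if __name__ == "__main__":
    # Scan real playbook files when given paths; otherwise scan the samples.
    if len(sys.argv) > 1:
        import yaml  # PyYAML; assumed installed for this path only
        for path in sys.argv[1:]:
            with open(path) as fh:
                for f in find_shared_amis(yaml.safe_load(fh)):
                    print(f"{path}: '{f['task']}' shared with {f['accounts']}")
    else:
        for label, pb in [("vulnerable", VULNERABLE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK)]:
            print(label, find_shared_amis(pb))
```

The check deliberately returns no finding when `user_ids` is a Jinja expression rather than a literal list; a scanner that is silent there should say so in its output rather than report the task as clean.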