AWS AWSEC2 medium security documentation change
Summary
Expanded Allowed AMI criteria to include image names, marketplace codes, creation/deprecation dates. Added detailed evaluation logic and configuration examples.
Security assessment
Added multiple new security control criteria (ImageNames, MarketplaceProductCodes, CreationDateCondition) that enable granular AMI allow-listing. The evaluation logic clarification helps prevent misconfigurations that could allow unauthorized AMIs. Explicit documentation about restricting deprecated AMIs and AWS Marketplace codes directly impacts security posture.
Diff
diff --git a/AWSEC2/latest/UserGuide/ec2-allowed-amis.md b/AWSEC2/latest/UserGuide/ec2-allowed-amis.md index 13d7bcb3e..3c79cc54e 100644 --- a//AWSEC2/latest/UserGuide/ec2-allowed-amis.md +++ b//AWSEC2/latest/UserGuide/ec2-allowed-amis.md @@ -9 +9 @@ How Allowed AMIs worksBest practices for implementing Allowed AMIsRequired IAM p -To control the discovery and use of Amazon Machine Images (AMIs) by users in your AWS account, you can use the _Allowed AMIs_ feature. This feature allows you to specify criteria that AMIs must meet to be visible and available within your account. When the criteria are enabled, users launching instances will only see and have access to AMIs that comply with the specified criteria. For example, you can specify a list of trusted AMI providers as the criteria, and only AMIs from these providers will be visible and available for use. +To control the discovery and use of Amazon Machine Images (AMIs) by users in your AWS account, you can use the _Allowed AMIs_ feature. You specify criteria that AMIs must meet to be visible and available within your account. When the criteria are enabled, users launching instances will only see and have access to AMIs that comply with the specified criteria. For example, you can specify a list of trusted AMI providers as the criteria, and only AMIs from these providers will be visible and available for use. @@ -11 +11 @@ To control the discovery and use of Amazon Machine Images (AMIs) by users in you -Before enabling the Allowed AMIs settings, you can enable _audit mode_ to preview which AMIs will or won't be visible and available for use. This lets you refine the criteria as needed to ensure that only the intended AMIs are visible and available to users in your account. Additionally, you can run the [describe-instance-image-metadata](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-image-metadata.html) command and filter the response to identify any instances that were launched with AMIs that don't meet the specified criteria. This information can guide your decision to either update your launch configurations to use compliant AMIs (for example, specifying a different AMI in a launch template) or adjust your criteria to allow these AMIs. +Before enabling the Allowed AMIs settings, you can enable _audit mode_ to preview which AMIs will or won't be visible and available for use. This lets you refine the criteria as needed to ensure that only the intended AMIs are visible and available to users in your account. Additionally, use the [describe-instance-image-metadata](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-image-metadata.html) command to find instances that were launched with AMIs that don't meet the specified criteria. This information can guide your decision to either update your launch configurations to use compliant AMIs (for example, specifying a different AMI in a launch template) or adjust your criteria to allow these AMIs. @@ -13 +13 @@ Before enabling the Allowed AMIs settings, you can enable _audit mode_ to previe -You specify the Allowed AMIs settings at the account level, either directly in the account or by using a declarative policy. These settings must be configured in each AWS Region where you want to control the discovery and use of AMIs. Using a declarative policy allows you to apply the settings across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the settings directly within an account. This topic describes how to configure the settings directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the _AWS Organizations User Guide_. +You specify the Allowed AMIs settings at the account level, either directly in the account or by using a declarative policy. These settings must be configured in each AWS Region where you want to control AMI usage. Using a declarative policy allows you to apply the settings across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the settings directly within an account. This topic describes how to configure the settings directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the _AWS Organizations User Guide_. @@ -45 +45 @@ The Allowed AMIs feature only controls the discovery and use of public AMIs or A -You control AMI access by specifying _criteria_ in a JSON configuration. These criteria determine which AMIs can be discovered and used in your account. After defining your criteria, you enable them using the API or console. Once enabled, all AMIs are evaluated against the criteria. If an AMI matches at least one of the criteria, it is allowed in your account. +You control AMI access by specifying _criteria_ in a JSON configuration. These criteria determine which AMIs can be discovered and used in your account. After defining your criteria, you enable them using the AWS CLI or Amazon EC2 console. Once enabled, all AMIs are evaluated against the criteria. If an AMI matches at least one of the criteria, it is allowed in your account. @@ -55 +55 @@ You control AMI access by specifying _criteria_ in a JSON configuration. These c - * Limits for the JSON configuration + * Limits for ImageCriteria @@ -64 +64 @@ You control AMI access by specifying _criteria_ in a JSON configuration. These c -Currently, the only supported criteria are AMI providers. Valid values are aliases that are defined by AWS, and AWS account IDs, as follows: +The following criteria can be specified to determine which AMIs are allowed: @@ -66 +66,8 @@ Currently, the only supported criteria are AMI providers. Valid values are alias - * `amazon` – An alias that identifies AMIs created by AWS +`ImageProviders` + + +The AMI providers whose AMIs are allowed. + +Valid values are aliases that are defined by AWS, and AWS account IDs, as follows: + + * `amazon` – An alias that identifies AMIs created by Amazon or verified providers @@ -74 +81,11 @@ Currently, the only supported criteria are AMI providers. Valid values are alias - * `none` – Indicates that only AMIs created by your account can be discovered and used. Public or shared AMIs can't be discovered and used. If you specify `none`, you can't specify an alias or account ID. + * `none` – Indicates that only AMIs created by your account can be discovered and used. Public or shared AMIs can't be discovered and used. When specified, no other criteria can be specified. + + + + +`ImageNames` + + +The names of allowed AMIs, using exact matches or wildcards (`?` or `*`). + +`MarketplaceProductCodes` @@ -76,0 +94 @@ Currently, the only supported criteria are AMI providers. Valid values are alias +The AWS Marketplace product codes for allowed AMIs. @@ -77,0 +96,11 @@ Currently, the only supported criteria are AMI providers. Valid values are alias +`CreationDateCondition` + + +The maximum age for allowed AMIs. + +`DeprecationTimeCondition` + + +The maximum period since deprecation for allowed AMIs. + +For the valid values and constraints for each criterion, see [ImageCriterionRequest](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImageCriterionRequest.html) in the _Amazon EC2 API Reference_. @@ -81 +110 @@ Currently, the only supported criteria are AMI providers. Valid values are alias -The core configuration for Allowed AMIs is the JSON configuration that defines the criteria for allowed AMIs. Here's an example that specifies two aliases and three AWS account IDs: +The core configuration for Allowed AMIs is the JSON configuration that defines the criteria for allowed AMIs. The following is the basic JSON structure. @@ -84,0 +114 @@ The core configuration for Allowed AMIs is the JSON configuration that defines t + "State": enabled | disabled | audit-mode, @@ -87,7 +117,8 @@ The core configuration for Allowed AMIs is the JSON configuration that defines t - "ImageProviders": [ - "amazon", - "aws-marketplace", - "123456789012", - "112233445566", - "009988776655" - ] + "ImageProviders": ["string",...], + "MarketplaceProductCodes": ["string",...], + "ImageNames":["string",...], + "CreationDateCondition" : { + "MaximumDaysSinceCreated": integer + }, + "DeprecationTimeCondition" : { + "MaximumDaysSinceDeprecated": integer @@ -95 +126,2 @@ The core configuration for Allowed AMIs is the JSON configuration that defines t - ] + }, + ... @@ -98,3 +130 @@ The core configuration for Allowed AMIs is the JSON configuration that defines t -### How criteria are evaluated - -The criteria in the JSON configuration are evaluated using an `or` condition. This means that an AMI only needs to match one of the specified providers in any `ImageCriteria` object to be considered allowed. For example, if you specify both `amazon` and an AWS account ID as providers, AMIs from either provider will be allowed. +###### `ImageCriteria` and `ImageCriterion` @@ -102,5 +132 @@ The criteria in the JSON configuration are evaluated using an `or` condition. Th -### Limits for the JSON configuration - - * `ImageCriteria` objects: Maximum of 10 `ImageCriteria` objects can be specified in a single configuration. - - * `ImageProviders` values: Maximum of 200 values across all `ImageCriteria` objects. +`ImageCriteria` is a collection of one or more `ImageCriterion`. Each `ImageCriterion` defines a set of conditions that an AMI must meet to be considered allowed. The following example shows a single `ImageCriterion` with a set of conditions defined by the criteria, `ImageProviders` and `CreationDateCondition`: @@ -108,0 +135,9 @@ The criteria in the JSON configuration are evaluated using an `or` condition. Th + { + "ImageProviders": [ + "123456789012", + "123456789013" + ], + "CreationDateCondition": { + "MaximumDaysSinceCreated": 300 + } + } @@ -109,0 +145 @@ The criteria in the JSON configuration are evaluated using an `or` condition. Th +#### JSON configuration example @@ -111,3 +147 @@ The criteria in the JSON configuration are evaluated using an `or` condition. Th -**Example of limits** - -Consider the following example to illustrate these limits, where different `ImageProviders` lists are used to group the AMI provider accounts: +The following example configures four `ImageCriterion`. An AMI is allowed if it matches any one of these `ImageCriterion`. For information about how the criteria are evaluated, see How criteria are evaluated. @@ -117,0 +152 @@ Consider the following example to illustrate these limits, where different `Imag + // ImageCriterion 1: Allow AWS Marketplace AMIs with product code "abcdefg1234567890" @@ -119 +154,14 @@ Consider the following example to illustrate these limits, where different `Imag - "ImageProviders": ["amazon", "aws-marketplace"] + "MarketplaceProductCodes": [ + "abcdefg1234567890" + ] + }, + // ImageCriterion 2: Allow AMIs from providers whose accounts are + // "123456789012" OR "123456789013" AND AMI age is less than 300 days + { + "ImageProviders": [ + "123456789012", + "123456789013" + ], + "CreationDateCondition": { + "MaximumDaysSinceCreated": 300 + } @@ -120,0 +169,2 @@ Consider the following example to illustrate these limits, where different `Imag + // ImageCriterion 3: Allow AMIs from provider whose account is "123456789014" + // AND with names following the pattern "golden-ami-*" @@ -122 +172,6 @@ Consider the following example to illustrate these limits, where different `Imag - "ImageProviders": ["123456789012", "112233445566", "121232343454"] + "ImageProviders": [ + "123456789014" + ], + "ImageNames": [ + "golden-ami-*" + ] @@ -123,0 +179,2 @@ Consider the following example to illustrate these limits, where different `Imag + // ImageCriterion 4: Allow AMIs from Amazon or verified providers + // AND which aren't deprecated @@ -125 +182,6 @@ Consider the following example to illustrate these limits, where different `Imag - "ImageProviders": ["998877665555", "987654321098"] + "ImageProviders": [ + "amazon" + ], + "DeprecationTimeCondition": { + "MaximumDaysSinceDeprecated": 0 + } @@ -127,2 +188,0 @@ Consider the following example to illustrate these limits, where different `Imag - // Up to 7 more ImageCriteria objects can be added - // Up to 193 more ImageProviders values can be added @@ -131,0 +192,43 @@ Consider the following example to illustrate these limits, where different `Imag +### How criteria are evaluated + +The following table explains how the criteria are evaluated to determine if an AMI is allowed, showing how the `AND` or `OR` operator is applied at each level: + +Evaluation level | Operator | Requirement to be an Allowed AMI +---|---|--- +A list of values for `ImageProviders`, `ImageNames`, and `MarketplaceProductCodes` | `OR` | AMI must match at least one value in each list +Criteria within an `ImageCriterion` | `AND` | AMI must match all criteria +Multiple `ImageCriterion` | `OR` | AMI must match any one of the `ImageCriterion` + +Using the preceding evaluation rules, let's see how to apply them to the JSON configuration example: + + * ImageCriterion 1: Allows AMIs that have the AWS Marketplace product code `abcdefg1234567890` + +`OR` + + * ImageCriterion 2: Allows AMIs that meet both of these criteria: + + * Owned by either account `123456789012` `OR` `123456789013` + + * `AND` + + * Created within the last 300 days + +`OR` + + * ImageCriterion 3: Allows AMIs that meet both of these criteria: + + * Owned by account `123456789014` + + * `AND` + + * Named with the pattern `golden-ami-*` + +`OR` + + * ImageCriterion 4: Allows AMIs that meet both of these criteria: + + * Published by Amazon or verified providers (specified by the `amazon` alias) + + * `AND` + + * Not deprecated (maximum days since deprecation is `0`)